[Vega] Clicking on an internal url (href redirection) doesn't work #6285
Comments
Have you tried it with enableExternalUrls: 'vis_type_vega.enableExternalUrls: true'?
I'm thinking that this is a security feature. If one were to "fix" it so that internal URLs work when enableExternalUrls is set to false, you would potentially have a situation where the "isInternalUrl" function becomes a target for inserting malicious external URLs. For example, if someone could find an open redirect that allows an internal URL to redirect to a malicious external URL.
@wbeckler I don't see this as a security issue at all - it's just a minor bug fix
I'm sorry I didn't explain myself well. What I meant was, the existence of this function, while buggy, seems initially intended as a security feature. As in, some admins would want to disable the possibility of malicious URLs in visualizations, and therefore they would limit the visualization to internal URLs. Now, fixing the bug would enable this internal linking to work for users who intended to limit links to internal ones. But what I am wondering is whether fixing this bug could enable malicious usage due to a failure in the original logic. The malicious use case comes from the fact that the isInternal concept is not sufficient to prevent malicious URLs, since there is the possibility of an open redirect vulnerability. So I was wondering if the solution to fixing internal URLs would create another problem, and therefore the right next move might be to ask how to make a safe internal URL concept work here that is immune to open redirect vulnerabilities.
@wbeckler I see where your concern is coming from, but I think we should also be more specific about the potential vulnerability. Users can already add links in their markdown visualizations. These can be external or internal. If a user can already do this for a markdown vis, why are we restricting it for a Vega vis?
As for the potential fix, do you think that is something you can contribute @YANG-DB? Right now it is not high up on the priority list for the team, but I could help you get the fix merged in (sans any pushback from the maintainers or community :) )
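The exchange above turns on two separate questions: what an "internal URL" check should actually verify, and whether passing that check is enough when the internal target is itself a redirect endpoint such as /goto/<id>. The block below is an added example written for this discussion; it is not OpenSearch Dashboards code and does not reflect how the project's isInternalUrl or short-link storage is implemented. SERVER_ORIGIN, BASE_PATH, withTrailingSlash, isInternalUrl, resolveLink and the SHORT_LINKS table are all assumptions constructed here. The check resolves the link with the WHATWG URL parser against the configured origin and base path, allows only http(s), requires an exact origin match (so protocol-relative, userinfo and subdomain tricks fail), and requires the path to stay under the base path. The resolver then re-applies the same check to whatever a short link expands to, which is the part an origin check alone cannot give you.

```javascript
// Added example, not OpenSearch Dashboards code: a strict "internal URL" check
// for visualization links, plus a short-link resolver that re-applies the same
// check to the stored destination so the redirect endpoint itself cannot be
// used to hop to another origin.

// Assumed deployment (example values): the origin the page is served from and
// the base path the app is mounted under.
const SERVER_ORIGIN = 'http://localhost:5601';
const BASE_PATH = '/'; // e.g. '/dashboards' when served behind a path-based proxy

// Normalise a base path to the form '/.../' so a prefix check cannot be fooled
// by '/dashboardsX' matching '/dashboards'.
function withTrailingSlash(path) {
  return path.endsWith('/') ? path : path + '/';
}

function isInternalUrl(href, origin = SERVER_ORIGIN, basePath = BASE_PATH) {
  const prefix = withTrailingSlash(basePath);
  let url;
  try {
    // Relative links resolve under the app's base; absolute ones keep their own
    // scheme, host and port, which the origin comparison below then catches.
    url = new URL(String(href), origin + prefix);
  } catch {
    return false; // unparseable input is never "internal"
  }
  // Only plain web navigation: rejects javascript:, data:, vbscript:, file:, ...
  // (the WHATWG parser strips the tabs/newlines sometimes used to disguise them).
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  // Scheme, host and port must all match. '//evil.example/x',
  // 'http://localhost:5601@evil.example/' and 'http://localhost:5601.evil.example/'
  // all resolve to a different origin and fail here.
  if (url.origin !== origin) return false;
  // Stay under the app's own base path.
  return url.pathname === basePath || url.pathname.startsWith(prefix);
}

// Constructed stand-in for a short-link store (id -> stored destination). Such a
// store is user-writable, so a destination may point anywhere, including an
// external phishing page; the 'bad1' entry models exactly that.
const SHORT_LINKS = {
  ok1: '/app/dashboards#/view/example-dashboard',
  bad1: 'https://attacker.example/login',
};

// Follows a link the way a hardened click handler would: the link itself must
// be internal, and if it is a /goto/<id> short link, the destination it expands
// to must be internal too. Returns the absolute URL to navigate to, or null.
function resolveLink(href, links = SHORT_LINKS, origin = SERVER_ORIGIN, basePath = BASE_PATH) {
  if (!isInternalUrl(href, origin, basePath)) return null;
  const prefix = withTrailingSlash(basePath);
  const url = new URL(String(href), origin + prefix);
  const appPath = '/' + url.pathname.slice(prefix.length); // path relative to the base path
  const m = appPath.match(/^\/goto\/([A-Za-z0-9]+)$/);
  if (!m) return url.href; // ordinary internal link, already checked
  const id = m[1];
  // Own-property lookup only: '/goto/constructor' must not hit Object.prototype.
  if (!Object.prototype.hasOwnProperty.call(links, id)) return null;
  const dest = links[id];
  // The stored destination was chosen by whoever created the short link, so it
  // gets the same treatment as a raw href before it is followed.
  if (!isInternalUrl(dest, origin, basePath)) return null;
  return new URL(dest, origin + prefix).href;
}
```

Note that the origin comparison is strict: https://localhost:5601/... is a different origin from http://localhost:5601 and is rejected, which is the safe default when the deployment serves one scheme only. The resolver does not stop a redirect endpoint that lives outside this code (a reverse proxy, for example); it only guarantees that links and short-link destinations this handler follows stay on the configured origin and base path.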
Describe the bug
If I use a vega spec that allows the user to click (navigate) to another internal url (e.g. a dashboard), the redirect doesn't work.
To Reproduce
Using the following vega spec:
Inside a visualization, it should allow navigation to the following dashboard url:
http://localhost:5601/goto/25bfc6d157f12043bfc23de965e8bf32
Expected behavior
Clicking any node in the network graph should navigate to the href url
OpenSearch Version
Not relevant
Dashboards Version
Any version (1.* / 2.* )
Plugins
Core
Additional context
Fix should be around here
this._externalUrl.isInternalUrl(uri))