feat(sessions): add modal for choosing session environment (#405) #405

Merged
merged 1 commit into from
Aug 8, 2024

Conversation

mdonadoni (Member)

label="Custom environment"
value={customImage}
onChange={(_, { value }) => setCustomImage(value)}
placeholder={"Custom container image"}
Member

When custom environment images are enabled, the user may try to type fancy values such as:

alert("XSS")

This leads to a success message:

Success!

The interactive session has been created. However, it could take several minutes to start the Jupyter Notebook. Click on the Jupyter logo to access it. 

And on the backend, the session pod is created but obviously not started due to the InvalidImageName error.

Could we plug some value sanitisation checks so that we would prevent even trying to open invalid image strings?

(Ideally on the backend side, so that we would also cover reana-client open, but we could also eliminate some characters already in the front-end perhaps, such as in the various XSS test strings, as tried above.)
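The validation this comment asks for, as an added example written for this thread (it is not code from reana-ui, reana-client or the PR): a parser for container image references following the OCI distribution reference grammar (`name[:tag][@digest]`, lowercase repository path components, optional registry domain and port), combined with a configurable allowlist of repository names. Anything the grammar does not consume, such as the `alert("XSS")` probe above, is rejected before a session request is ever sent. The function names, the allowlist shape (an array of exact repository names) and the sample inputs are assumptions made here; the same check should be enforced on the backend so that it also covers `reana-client open`.

```javascript
// Added example for this thread (not reana-ui / reana-client code): validate a
// user-supplied container image reference before it reaches the backend.
// The grammar mirrors the OCI distribution "reference" format:
//   name[:tag][@digest], name = [domain/]path[/path...], lowercase path components.

const ALNUM = "[a-z0-9]+";
const SEPARATOR = "(?:[._]|__|-+)";
const PATH_COMPONENT = `${ALNUM}(?:${SEPARATOR}${ALNUM})*`;
const DOMAIN_COMPONENT = "(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])";
const DOMAIN = `${DOMAIN_COMPONENT}(?:\\.${DOMAIN_COMPONENT})*(?::[0-9]+)?`;
const NAME = `(?:${DOMAIN}/)?${PATH_COMPONENT}(?:/${PATH_COMPONENT})*`;
const TAG = "[\\w][\\w.-]{0,127}";
const DIGEST =
  "[A-Za-z][A-Za-z0-9]*(?:[-_+.][A-Za-z][A-Za-z0-9]*)*:[0-9a-fA-F]{32,}";

// Anchored on both ends: any character the grammar does not consume fails the match.
const REFERENCE_RE = new RegExp(`^(${NAME})(?::(${TAG}))?(?:@(${DIGEST}))?$`);
const NAME_MAX_LENGTH = 255; // repository name limit used by distribution/reference

/**
 * Parse an image reference into its parts, or return null when it is not a
 * syntactically valid reference. Returning null instead of throwing lets the
 * caller treat "invalid" and "not allowed" uniformly.
 */
function parseImageReference(input) {
  if (typeof input !== "string" || input.length === 0) return null;
  const m = REFERENCE_RE.exec(input);
  if (m === null) return null;
  const [, name, tag, digest] = m;
  if (name.length > NAME_MAX_LENGTH) return null;
  return { name, tag: tag ?? null, digest: digest ?? null };
}

function isValidImageReference(input) {
  return parseImageReference(input) !== null;
}

/**
 * Combine syntax validation with a configurable allowlist of repository names
 * (assumed shape: an array of exact repository names without tag or digest;
 * an empty or missing allowlist means "any well-formed reference").
 * Returns an error string suitable for a form field, or null when accepted.
 */
function validateCustomImage(input, allowedRepositories) {
  const ref = parseImageReference(input);
  if (ref === null) {
    return "Not a valid container image reference (expected name[:tag][@digest]).";
  }
  if (Array.isArray(allowedRepositories) && allowedRepositories.length > 0 &&
      !allowedRepositories.includes(ref.name)) {
    return `Image repository "${ref.name}" is not in the allowlist.`;
  }
  return null;
}

// Constructed sample inputs, including the probe string from the review comment.
const SAMPLES = [
  'alert("XSS")',
  "<script>alert(1)</script>",
  "Ubuntu:latest", // uppercase repository names are rejected by the grammar
  "jupyter/scipy-notebook:latest",
  "registry.example.org:5000/reana/jupyter:v1.2.3",
];

if (typeof module !== "undefined" && require.main === module) {
  for (const s of SAMPLES) {
    console.log(JSON.stringify(s), "->", validateCustomImage(s) ?? "accepted");
  }
}
```

In the form, `validateCustomImage(value, allowlist)` can run inside the `onChange` handler (or on submit) and its return value fed to the field's error state, so the "Success!" message is never shown for a reference that the backend would reject with `InvalidImageName` anyway.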

Member Author

@mdonadoni mdonadoni May 27, 2024


I think we should do this as part of another issue/PR, as these checks could be also done for example for the docker images specified in reana.yaml. What do you think?

@tiborsimko tiborsimko merged commit 7a83b20 into reanahub:master Aug 8, 2024
10 checks passed
@mdonadoni mdonadoni deleted the jupyter-allowlist branch August 8, 2024 13:54
Successfully merging this pull request may close these issues.

interactive-sessions: implement configurable allowlist
2 participants