Fixes #25169 - fix xss on pages with breadcrumbs #6132
Conversation
|
Issues: #25169 |
|
one integration test seemed to fail on all rubies, rerunning tests to be sure, but is probably related |
There was a problem hiding this comment.
Thanks @amirfefer, left some comments about the React/Redux part
| @@ -0,0 +1,6 @@ | |||
| import store from './react_app/redux'; | |||
|
|
|||
| import * as BreadcrumbsAction from './react_app/components/BreadcrumbBar/BreadcrumbBarActions'; | |||
There was a problem hiding this comment.
nitpick, import { updateBreadcrumbTitle } from '...';
| title | ||
| items={breadcrumbItems} | ||
| isTitle={isTitle} | ||
| titleAddition={this.props.titleAddition} |
There was a problem hiding this comment.
-
Can you put it with all the other props in the
const { ... } = this.props? -
Can you add
propTypeanddefaultProp?
| @@ -25,6 +26,13 @@ export const removeSearchQuery = resource => (dispatch) => { | |||
| loadSwitcherResourcesByResource(resource)(dispatch); | |||
| }; | |||
|
|
|||
| export const updateBreadcrumbTitle = title => (dispatch) => { | |||
There was a problem hiding this comment.
You don't need the dispatch in this case, this should be enough:
export const updateBreadcrumbTitle = title => ({
type: BREADCRUMB_BAR_UPDATE_TITLE,
payload: title,
});| @@ -27,6 +28,9 @@ export default (state = initialState, action) => { | |||
| case BREADCRUMB_BAR_CLEAR_SEARCH: | |||
| return state.set('searchQuery', ''); | |||
|
|
|||
| case BREADCRUMB_BAR_UPDATE_TITLE: | |||
| return state.set('titleAddition', payload); | |||
There was a problem hiding this comment.
Don't we want some titleAddition value to be in the initialState?
There was a problem hiding this comment.
isn't it enough have a default value defined in the Proptype?
There was a problem hiding this comment.
In this case it will achieve the same results, but I wouldn't say it is enough, they are playing different roles.
Different defaultProps when not passing a value vs the actual initial state of the application.
| /> | ||
| title="root" | ||
| > | ||
| root false |
There was a problem hiding this comment.
The false is here accidentally?
| @@ -0,0 +1,3 @@ | |||
| #hostFQDN { | |||
| vertical-align: 0px | |||
There was a problem hiding this comment.
Unexpected unit length-zero-no-unit
Expected a trailing semicolon declaration-block-trailing-semicolon
|
@ares integration test has been fixed :) |
|
Ok, I can confirm test failure is now unrelated. Normally we try to keep security fixes minimal, because of backporting. But if there's no better way of handling the title in interfaces form, I guess that's fine. I'll be testing this shortly and waiting for @sharvit for code ack. |
| {' '} | ||
| {text || caption} | ||
| {' '} | ||
| { active && <span id='hostFQDN' > {titleAddition} </span>} |
There was a problem hiding this comment.
'hostFQDN' id seems too resource specific for this generic component.
I didn't do any testing, but besides that the design looks fine to me.
There was a problem hiding this comment.
you're right, I chose it because the integration test catches this id. I'll change the id to something more generic here and in the test.
|
ping @amirfefer @tstrachota @sharvit - what is the status here? |
There was a problem hiding this comment.
I did some testing and found one regression on the host edit page. I'm sorry for that @amirfefer
| {' '} | ||
| {text || caption} | ||
| {' '} | ||
| { active && <span id='title-addition' > {titleAddition} </span>} |
There was a problem hiding this comment.
I found out this is causing issues when I change fqdn of a primary interface on an existing host:
How about removing the addition and replacing the whole caption on BREADCRUMB_BAR_UPDATE_TITLE ?
There was a problem hiding this comment.
so we have two options I can think of:
- replace the entire title when fqdn is changed
- add this title's addition only on new host page (keeping today's behavior )
There was a problem hiding this comment.
I prefer 1. It means copying some strings into js code but in general I find it more re-usable.
There was a problem hiding this comment.
I think it makes sense to do two things - 1. change the entire title instead of adding to it (so if needed we can do that elsewhere easily, where it might not make sense to only add text) 2. only do this on new hosts since it's confusing if you are editing an existing one - you expect the old name to be there rather than the new
There was a problem hiding this comment.
@tbrisker I agree. Changing it on the edit page would be confusing.
|
thanks @tbrisker ! I've removed the |
| @@ -62,7 +62,7 @@ def layout_data | |||
|
|
|||
| def title(page_title, page_header = nil) | |||
| content_for(:title, page_title.to_s) | |||
| @page_header ||= page_header || @content_for_title || page_title.to_s | |||
There was a problem hiding this comment.
@content_for_title doesn't exist
| @@ -599,7 +599,6 @@ class HostJSTest < IntegrationTestWithJavascript | |||
| modal.find(:button, "Ok").click | |||
|
|
|||
| assert table.find('td.fqdn').has_content?('name.' + domain.name) | |||
| assert page.find('#hostFQDN').has_content?('| name.' + domain.name) | |||
| @@ -44,7 +44,9 @@ def icon(record, opts = {}) | |||
| return "" if record.family.blank? | |||
| record.family | |||
| end | |||
|
|
|||
| if opts[:path] | |||
| return image_path(family + ".png") | |||
There was a problem hiding this comment.
nitpick:
return image_path(family + ".png") if opts[:path]is a more common idiom in ruby
|
thanks @tbrisker :) |
|
test failure unrelated 💚 |
|
@tbrisker could you have another look please? |
app/views/hosts/new.html.erb
Outdated
| <% new_host_title %> | ||
|
|
||
| <% title _("Create Host") %> | ||
| <%= breadcrumbs(read_only_title: false) %> |
|
thanks for noticing :) |
breadcrumbs replaced the title on pages by using
@page_headervariable.in two places,
@page_headercontains html such as image for the operating system in details host page, andspanwith id (#hostFQDN) in order to manipulate the title with jquery.In this PR, I removed
dangerouslySetInnerHTMLfrom the breadcrumb component, which caused this issue, while keeping the same behavior that I mentioned above.I haven't found any other extracted html in
@page_headerexcept these two in foreman core and plugins.