
Validate external URLs are http(s) before opening externally #150

Merged
merged 1 commit into from
Feb 6, 2024

Conversation

sergeichestakov
Contributor

Why

See H1 Report. We should validate that any externally opened URLs are http/https, since otherwise a malicious or malformed URL could open another app on the user's machine that has that protocol registered, which may cause unwanted code to be executed.

Fixes WS-2623

What changed

Validate external URLs are http(s) before opening externally

Test plan

  • Try to open a non-http URL from the devtools in the app
  • Fails to open
  • Open an https URL from the devtools or click a link to e.g. our docs in the app
  • Still opens
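The protocol check this PR describes, written out as an added example (not the project's own code). It assumes the app hands URLs to an opener like Electron's `shell.openExternal`; the opener is passed in as a callback so the snippet runs outside Electron, and the sample inputs are constructed.

```javascript
// Added example, not the project's code: only http(s) URLs may reach the OS opener.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns true only for input the WHATWG URL parser accepts with an http(s) scheme.
// Unparseable, scheme-less, or otherwise-schemed input (file:, a custom app
// scheme registered on the machine, ...) is rejected rather than opened.
function isSafeExternalUrl(rawUrl) {
  if (typeof rawUrl !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(rawUrl); // throws on malformed or relative input
  } catch {
    return false;
  }
  // URL normalises the scheme to lowercase, so "HTTPS://..." still passes.
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Guarded wrapper around an opener such as shell.openExternal (assumed API,
// supplied by the caller). Returns whether the URL was handed to the opener.
function openExternalSafely(rawUrl, opener) {
  if (!isSafeExternalUrl(rawUrl)) {
    console.warn(`blocked external open of non-http(s) URL: ${JSON.stringify(rawUrl)}`);
    return false;
  }
  opener(new URL(rawUrl).href); // pass the normalised form, not the raw string
  return true;
}

// Constructed sample inputs mirroring the test plan: http(s) opens, anything else fails.
const SAMPLES = [
  ['https://docs.example.com/guide', true],
  ['HTTP://example.com', true],
  ['file:///tmp/notes.txt', false],   // local file scheme
  ['someapp://open?cmd=1', false],    // scheme owned by another registered app
  ['javascript:void(0)', false],
  ['example.com/path', false],        // no scheme: URL() throws
  ['', false],
  [null, false],
];

for (const [input, expected] of SAMPLES) {
  const verdict = isSafeExternalUrl(input) === expected ? 'ok ' : 'BAD';
  console.log(verdict, JSON.stringify(input));
}
```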

@sergeichestakov sergeichestakov self-assigned this Feb 6, 2024

linear bot commented Feb 6, 2024

WS-2623 Validate URLs before opening

See Hacker One report and relevant guide.

We should not open links that are not https and should add some extra validation here on the protocol handler side.

@sergeichestakov sergeichestakov requested review from a team, Monkatraz and szymonkaliski and removed request for a team February 6, 2024 15:20
@sergeichestakov sergeichestakov changed the title Validatge external URLs are http(s) before opening externally Validate external URLs are http(s) before opening externally Feb 6, 2024
Member

@szymonkaliski szymonkaliski left a comment


🔒

@sergeichestakov sergeichestakov merged commit 30cf922 into main Feb 6, 2024
6 checks passed
@sergeichestakov sergeichestakov deleted the @sergeichestakov/validate-protocol-handlers branch February 6, 2024 15:33