Handle relative paths when sanitizing URLs (#41995)

* Handle relative paths when sanitizing URLs In the initial PR(#41665) we didn't handle the relative path in URL which led to issue(#41977). This PR aims at handling the relative path case when sanitizing URLs * Add PR suggestions * Update code comment
apache · Sep 4, 2024 · 0429bf4 · 0429bf4
1 parent 7650f09
commit 0429bf4
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/airflow/www/static/js/dag/details/taskInstance/ExtraLinks.tsx b/airflow/www/static/js/dag/details/taskInstance/ExtraLinks.tsx
@@ -57,8 +57,14 @@ const ExtraLinks = ({
     if (!url) {
       return true;
     }
-    const urlRegex = /^(https?:)/i;
-    return urlRegex.test(url);
+    const path = new URL(url, "http://localhost");
+    // Allow Absolute/Relative URL and prevent javascript:() from executing when passed as path.
+    // Example - `javascript:alert("Hi");`. Protocol for absolute and relative urls will either be `http:`/`https:`.
+    // Where as for javascript it will be `javascript:`.
+    if (path.protocol === "http:" || path.protocol === "https:") {
+      return true; // Absolute/Relative URLs are allowed
+    }
+    return false;
   };
 
   return (