From 0429bf4e2839f66433d0abfa9c8c6dff6568e965 Mon Sep 17 00:00:00 2001
From: Utkarsh Sharma
Date: Wed, 4 Sep 2024 22:28:41 +0530
Subject: [PATCH] Handle relative paths when sanitizing URLs (#41995)
* Handle relative paths when sanitizing URLs
In the initial PR(https://github.com/apache/airflow/pull/41665) we didn't handle the relative path in URL which led to issue(https://github.com/apache/airflow/issues/41977). This PR aims at handling the relative path case when sanitizing URLs
* Add PR suggestions
* Update code comment
---
 .../static/js/dag/details/taskInstance/ExtraLinks.tsx | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/airflow/www/static/js/dag/details/taskInstance/ExtraLinks.tsx b/airflow/www/static/js/dag/details/taskInstance/ExtraLinks.tsx
index 06528eab6e7a1..ec44cd920d1f6 100644
--- a/airflow/www/static/js/dag/details/taskInstance/ExtraLinks.tsx
+++ b/airflow/www/static/js/dag/details/taskInstance/ExtraLinks.tsx
@@ -57,8 +57,14 @@ const ExtraLinks = ({
 if (!url) {
 return true;
 }
- const urlRegex = /^(https?:)/i;
- return urlRegex.test(url);
+ const path = new URL(url, "http://localhost");
+ // Allow Absolute/Relative URL and prevent javascript:() from executing when passed as path.
+ // Example - `javascript:alert("Hi");`. Protocol for absolute and relative urls will either be `http:`/`https:`.
+ // Where as for javascript it will be `javascript:`.
+ if (path.protocol === "http:" || path.protocol === "https:") {
+ return true; // Absolute/Relative URLs are allowed
+ }
+ return false;
 };
 return (
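Review bot: `new URL(url, "http://localhost")` throws a `TypeError` when the value cannot be parsed even against a base (for example an absolute-looking string with an empty or malformed host such as `http://`), and nothing in the visible lines catches it. The old regex check could only return true or false, so this is a new failure mode: an unparsable extra-link value would raise from the sanitizer instead of being rejected, and since the function appears to be defined inside the `ExtraLinks` component that may surface as a render error. The check should fail closed by catching the parse error and returning `false`, and the trailing `if`/`return false` can then collapse into a single boolean return. The enclosing function starts above the hunk, so its name and call sites are not visible here.

```typescript
// … unchanged: empty-url early return …
let path: URL;
try {
  path = new URL(url, "http://localhost");
} catch (e) {
  return false; // unparsable value: fail closed instead of throwing
}
// … unchanged: comment explaining the protocol check …
return path.protocol === "http:" || path.protocol === "https:";
```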