Validating provider description for urls in provider list view (#40475)

* Validating provider description for urls in provider list view * adding unit tests --------- Co-authored-by: adesai <adesai@cloudera.com>
apache · Jun 28, 2024 · f18f484 · f18f484
1 parent 26768d9
commit f18f484
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 1 deletion.
diff --git a/airflow/www/views.py b/airflow/www/views.py
@@ -36,7 +36,7 @@
 from json import JSONDecodeError
 from pathlib import Path
 from typing import TYPE_CHECKING, Any, Collection, Iterator, Mapping, MutableMapping, Sequence
-from urllib.parse import unquote, urlencode, urljoin, urlsplit
+from urllib.parse import unquote, urlencode, urljoin, urlparse, urlsplit
 
 import configupdater
 import flask.json
@@ -4514,6 +4514,13 @@ def _clean_description(self, description):
         def _build_link(match_obj):
             text = match_obj.group(1)
             url = match_obj.group(2)
+
+            # parsing the url to check if ita a valid url
+            parsed_url = urlparse(url)
+            if not (parsed_url.scheme == "http" or parsed_url.scheme == "https"):
+                # returning the original raw text
+                return escape(match_obj.group(0))
+
             return Markup(f'<a href="{url}">{text}</a>')
 
         cd = escape(description)

diff --git a/tests/www/views/test_views.py b/tests/www/views/test_views.py
@@ -23,6 +23,7 @@
 from unittest.mock import patch
 
 import pytest
+from markupsafe import Markup
 
 from airflow import __version__ as airflow_version
 from airflow.configuration import (
@@ -33,6 +34,7 @@
 from airflow.plugins_manager import AirflowPlugin, EntryPointSource
 from airflow.utils.task_group import TaskGroup
 from airflow.www.views import (
+    ProviderView,
     build_scarf_url,
     get_key_paths,
     get_safe_url,
@@ -142,6 +144,37 @@ def test_should_list_providers_on_page_with_details(admin_client):
     check_content_in_response("Providers", resp)
 
 
+@pytest.mark.parametrize(
+    "provider_description, expected",
+    [
+        ("`Airbyte <https://airbyte.com/>`__", Markup('<a href="https://airbyte.com/">Airbyte</a>')),
+        (
+            "Amazon integration (including `Amazon Web Services (AWS) <https://aws.amazon.com/>`__).",
+            Markup(
+                'Amazon integration (including <a href="https://aws.amazon.com/">Amazon Web Services ('
+                "AWS)</a>)."
+            ),
+        ),
+        (
+            "`Java Database Connectivity (JDBC) <https://docs.oracle.com/javase/8/docs/technotes/guides/jdbc"
+            "/>`__",
+            Markup(
+                '<a href="https://docs.oracle.com/javase/8/docs/technotes/guides/jdbc/">Java '
+                "Database Connectivity (JDBC)</a>"
+            ),
+        ),
+        (
+            "`click me <javascript:prompt(document.domain)>`__",
+            Markup("`click me &lt;javascript:prompt(document.domain)&gt;`__"),
+        ),
+    ],
+)
+def test__clean_description(admin_client, provider_description, expected):
+    p = ProviderView()
+    actual = p._clean_description(provider_description)
+    assert actual == expected
+
+
 def test_endpoint_should_not_be_unauthenticated(app):
     resp = app.test_client().get("/provider", follow_redirects=True)
     check_content_not_in_response("Providers", resp)