Validating provider description for urls in provider list view #40475

merged 2 commits into from
Jun 28, 2024
9 changes: 8 additions & 1 deletion airflow/www/views.py
Expand Up @@ -36,7 +36,7 @@
from json import JSONDecodeError
from pathlib import Path
from typing import TYPE_CHECKING, Any, Collection, Iterator, Mapping, MutableMapping, Sequence
from urllib.parse import unquote, urlencode, urljoin, urlsplit
from urllib.parse import unquote, urlencode, urljoin, urlparse, urlsplit

import configupdater
import flask.json
Expand Down Expand Up @@ -4514,6 +4514,13 @@ def _clean_description(self, description):
def _build_link(match_obj):
text = match_obj.group(1)
url = match_obj.group(2)

# parsing the url to check if ita a valid url
parsed_url = urlparse(url)
if not (parsed_url.scheme == "http" or parsed_url.scheme == "https"):
# returning the original raw text
return escape(match_obj.group(0))

return Markup(f'<a href="{url}">{text}</a>')

cd = escape(description)
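Review bot: `url` and `text` are interpolated unescaped into `Markup(f'<a href="{url}">{text}</a>')`, and whether they arrive already HTML-escaped depends on whether the substitution runs over the escaped `cd` or over the raw description, which is outside this hunk; if it is the raw description, a double quote inside the matched URL would end the `href` attribute early, so confirm which input the pattern sees and escape both groups here if it is the raw one. The new scheme check reads more naturally as `if parsed_url.scheme not in ("http", "https"):`, and the comment above it has a typo — `# parse the url and only link it when the scheme is http or https`. `_build_link` is nested inside `_clean_description`, which starts and ends outside the hunk.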
33 changes: 33 additions & 0 deletions tests/www/views/test_views.py
Expand Up @@ -23,6 +23,7 @@
from unittest.mock import patch

import pytest
from markupsafe import Markup

from airflow import __version__ as airflow_version
from airflow.configuration import (
Expand All @@ -33,6 +34,7 @@
from airflow.plugins_manager import AirflowPlugin, EntryPointSource
from airflow.utils.task_group import TaskGroup
from airflow.www.views import (
ProviderView,
build_scarf_url,
get_key_paths,
get_safe_url,
Expand Down Expand Up @@ -142,6 +144,37 @@ def test_should_list_providers_on_page_with_details(admin_client):
check_content_in_response("Providers", resp)


@pytest.mark.parametrize(
"provider_description, expected",
[
("`Airbyte <https://airbyte.com/>`__", Markup('<a href="https://airbyte.com/">Airbyte</a>')),
(
"Amazon integration (including `Amazon Web Services (AWS) <https://aws.amazon.com/>`__).",
Markup(
'Amazon integration (including <a href="https://aws.amazon.com/">Amazon Web Services ('
"AWS)</a>)."
),
),
(
"`Java Database Connectivity (JDBC) <https://docs.oracle.com/javase/8/docs/technotes/guides/jdbc"
"/>`__",
Markup(
'<a href="https://docs.oracle.com/javase/8/docs/technotes/guides/jdbc/">Java '
"Database Connectivity (JDBC)</a>"
),
),
(
"`click me <javascript:prompt(document.domain)>`__",
Markup("`click me &lt;javascript:prompt(document.domain)&gt;`__"),
),
],
)
def test__clean_description(admin_client, provider_description, expected):
p = ProviderView()
actual = p._clean_description(provider_description)
assert actual == expected


def test_endpoint_should_not_be_unauthenticated(app):
resp = app.test_client().get("/provider", follow_redirects=True)
check_content_not_in_response("Providers", resp)
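Review bot: `admin_client` is requested on the `def test__clean_description(...)` line but never used in the body, so a logged-in test client is built for what is a pure string-transformation test; drop it, `def test__clean_description(provider_description, expected):`. The parametrization covers http(s) links and one `javascript:` scheme only; adding a case for another non-http scheme (a constructed `ftp://example.com/` link expected to stay plain text) and one with an uppercase `HTTPS://` scheme would pin down exactly what the allow-list accepts, since `urlparse` lowercases the scheme. The rest of the test module continues outside the hunk.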