Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Initial implementation of azure blob container interface #1853

Open
wants to merge 24 commits into
base: main
Choose a base branch
from
Open

Initial implementation of azure blob container interface #1853

wants to merge 24 commits into from

Conversation

jrtcppv
Copy link
Member

@jrtcppv jrtcppv commented Oct 19, 2024

No description provided.

jrtcppv and others added 21 commits October 19, 2024 02:31
@jrtcppv
Initial implementation of azure blob container interface
d64f6d0
@jrtcppv
Add azure to pip requirements
be70ca4
@jrtcppv
Add ability to specify different redis port, password
53dd416
@jrtcppv
Fix redis connection in workers
db7ccbc
@jrtcppv
Fix double slash in sas token urls
80e61fb
@jrtcppv
Include add permission in SAS tokens
838da7d
@jrtcppv
Update tator-js submodule
21e65aa
@jrtcppv
Fix redis connection in worker
a818402
@jrtcppv
Get multipart uploads working
d6728a5
@jrtcppv
Update tator-py submodule
5bbafe5
@jrtcppv
Update tator-py submodule
0c6b9db
@jrtcppv
Update tator submodule
b81b983
@bctcvai
Fix multiplayback issues
7d22885
@bctcvai
Fix formatting
18d3eb6
@jrtcppv
Add x-ms-blob-type header for other upload path
d93958f
@jrtcppv
Load states for primary video instead of first video in multis
d5bc096
@jrtcppv
Add azure storage blob pypi package to tator client image
50d3d46
@jrtcppv
Formatting
82ded48
@bctcvai
Fix playback test for multi
829e430 
(cherry picked from commit b4a9466)
@jrtcppv
Update tator-py submodule
3127623
@jrtcppv
Fix azure single file upload header check
a1b068c
github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 2, 2024
View reviewed changes
ui/src/js/components/inputs/feature/single-upload.js
@@ -49,10 +49,17 @@

// Uploads using a single request.
uploadSingle(info) {
let headers = {};
if (info.urls[0].includes("blob.core.windows.net")) {

Check failure

Code scanning / CodeQL

Incomplete URL substring sanitization High

'
blob.core.windows.net
Loading
' can be anywhere in the URL, and arbitrary hosts may come before or after it.

Copilot Autofix AI about 9 hours ago

To fix the problem, we need to parse the URL and check the host explicitly rather than using a substring check. This ensures that the host is exactly what we expect and not just a part of a longer, potentially malicious URL.

The best way to fix this is to use the URL class available in modern JavaScript environments to parse the URL and then check the hostname property. We will replace the substring check with a check against a whitelist of allowed hosts.

Suggested changeset 1
ui/src/js/components/inputs/feature/single-upload.js

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/ui/src/js/components/inputs/feature/single-upload.js b/ui/src/js/components/inputs/feature/single-upload.js
--- a/ui/src/js/components/inputs/feature/single-upload.js
+++ b/ui/src/js/components/inputs/feature/single-upload.js
@@ -52,3 +52,5 @@
     let headers = {};
-    if (info.urls[0].includes("blob.core.windows.net")) {
+    const url = new URL(info.urls[0]);
+    const allowedHosts = ["blob.core.windows.net"];
+    if (allowedHosts.includes(url.hostname)) {
       headers = {
EOF
@@ -52,3 +52,5 @@
let headers = {};
if (info.urls[0].includes("blob.core.windows.net")) {
const url = new URL(info.urls[0]);
const allowedHosts = ["blob.core.windows.net"];
if (allowedHosts.includes(url.hostname)) {
headers = {
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jrtcppv @bctcvai