-
-
Notifications
You must be signed in to change notification settings - Fork 928
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add homepage url to user profile #5240
base: master
Are you sure you want to change the base?
Add homepage url to user profile #5240
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #5240 +/- ##
==========================================
- Coverage 96.85% 94.19% -2.67%
==========================================
Files 456 456
Lines 9517 9577 +60
==========================================
- Hits 9218 9021 -197
- Misses 299 556 +257 ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
don't worry about the coverage change
<%= | ||
link_to( | ||
@user.homepage_url, | ||
@user.homepage_url, |
Check warning
Code scanning / CodeQL
Stored cross-site scripting Medium
stored value
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe we should consider something like HackerOne's "you're about to leave this site for ...". Github appends http://
to urls that don't have either http / https in the front, and they are probably doing more.
Blocking temporarily while we make sure we're sanitizing the urls. I suspect that since we already allow urls from gems, this isn't a whole lot worse, but I want to double check. |
@martinemde Thanks for calling this out. I could be wrong, but while I was looking at the code, I did not see any sanitizing for the URL. There are some safeguards though.
which is tied to https://github.com/rubygems/rubygems.org/blob/master/config/initializers/content_security_policy.rb#L33 and which protects against XXS attacks. However with this validation https://github.com/rubygems/rubygems.org/pull/5240/files#diff-9802ca3c9c4cf89904fd44bc114e35ebdf2c5dd3d5b645491e2b253e1afef29bR357 What we can also do is with that
And then it will remove the href from the link and make it unclickable. But I understand that true sanitizing would remove everything we don't want in the string. I could also look into this. Please let me know how you would like me to proceed or if I am completely off the mark. |
I'm happy to see that our Content Security Policy is correctly enforced. We probably agree that we don't want to rely on only that. Can we write tests that ensure that no The validation for a link being allowed in a rubygem is this: https://github.com/rubygems/rubygems/blob/master/lib/rubygems/specification_policy.rb#L450-L459 |
@@ -0,0 +1,10 @@ | |||
class HttpUrlValidator < ActiveModel::EachValidator |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I read about how the URI validation occurs in the Ruby gem(https://github.com/rubygems/rubygems/blob/master/lib/rubygems/specification_policy.rb#L450-L459) and tried to mimic it since I figured we would want the same validations to happen in both places.
I extracted this validation into a custom validator because I knew that other URLs would eventually be added to the user profile, and we could establish a consistent way of validating the URLs.
Objective:
More context: This PR opened during the Ruby Conf Hack day. After speaking with Martin, it was decided that I add a basic homepage URL that can later be iterated on for future social media links.
How to test part 1: Add form to the edit profile
https://yourwebsite.com
Note: I was told that the icon will show on production:
How to test part 2: Update the user profile to display the homepage URL
/profiles/new-user-username
How to test part 3: Navigate to
/dashboard