Add homepage url to user profile #5240
Codecov Report: All modified and coverable lines are covered by tests ✅

Coverage Diff (master vs. #5240):

              master    #5240     +/-
  Coverage    97.14%    94.38%    -2.76%
  Files        458       460      +2
  Lines       9584      9654      +70
  Hits        9310      9112      -198
  Misses       274       542      +268

View full report in Codecov by Sentry.
don't worry about the coverage change
Blocking temporarily while we make sure we're sanitizing the urls. I suspect that since we already allow urls from gems, this isn't a whole lot worse, but I want to double check.
@martinemde Thanks for calling this out. I could be wrong, but while I was looking at the code, I did not see any sanitizing for the URL. There are some safeguards though.
which is tied to https://github.com/rubygems/rubygems.org/blob/master/config/initializers/content_security_policy.rb#L33 and which protects against XSS attacks. However with this validation https://github.com/rubygems/rubygems.org/pull/5240/files#diff-9802ca3c9c4cf89904fd44bc114e35ebdf2c5dd3d5b645491e2b253e1afef29bR357 What we can also do is with that
And then it will remove the href from the link and make it unclickable. But I understand that true sanitizing would remove everything we don't want in the string. I could also look into this. Please let me know how you would like me to proceed or if I am completely off the mark.
I'm happy to see that our Content Security Policy is correctly enforced. We probably agree that we don't want to rely on only that. Can we write tests that ensure that no
The validation for a link being allowed in a rubygem is this: https://github.com/rubygems/rubygems/blob/master/lib/rubygems/specification_policy.rb#L450-L459
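An added example of the kind of check the thread is asking for (not code from this PR or from rubygems.org): a validator that accepts only absolute http(s) URLs with a host, so a value such as `javascript:` or `data:` never reaches `link_to`, plus a helper that drops the href when validation fails, as the fallback described above. The module name, the reason strings and the exact policy (allowed schemes, length cap, no userinfo) are assumptions for illustration.

```ruby
require "uri"

# Constructed example, not the project's own code: validate a user-supplied
# homepage URL before it is passed to link_to. Assumed policy: absolute
# http(s) URL with a hostname, no embedded credentials, no whitespace or
# control characters, and a length cap.
module HomepageUrlValidator
  ALLOWED_SCHEMES = %w[http https].freeze
  MAX_LENGTH = 255

  # Returns nil when the value is acceptable, otherwise a short reason.
  def self.reject_reason(value)
    return "blank" if value.nil? || value.empty?
    return "too long" if value.length > MAX_LENGTH
    # Reject whitespace and control characters outright so that scheme
    # obfuscation (e.g. a tab inside the scheme) cannot slip past parsing.
    return "contains whitespace or control characters" if value =~ /[[:space:][:cntrl:]]/

    uri = begin
      URI.parse(value)
    rescue URI::InvalidURIError
      return "not a parseable URI"
    end

    # Compare schemes case-insensitively; a nil scheme (e.g. "//host") is rejected too.
    return "scheme must be http or https" unless ALLOWED_SCHEMES.include?(uri.scheme.to_s.downcase)
    return "missing host" if uri.host.nil? || uri.host.empty?
    return "userinfo not allowed" unless uri.userinfo.nil?

    nil
  end

  def self.valid?(value)
    reject_reason(value).nil?
  end

  # Fallback the discussion mentions: return nil so the view renders plain
  # text instead of a clickable link when the value fails validation.
  def self.safe_href(value)
    valid?(value) ? value : nil
  end
end
```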
<%= icon_tag("link", color: :primary, class: "w-6 text-orange mr-3") %> | ||
<p class="text-neutral-800 dark:text-white"><%= | ||
link_to( | ||
truncate(user.homepage_url, length: 20), |
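Review bot: link_to here passes user.homepage_url straight through as the href, and nothing visible in this hunk restricts the URL scheme, which is exactly the sanitising concern raised in the thread. The model validation should allow only absolute http(s) URLs (the thread points at specification_policy.rb#L450-L459 for the rule already applied to gem URLs), and a test should assert that a non-http value is rejected rather than rendered. Note also that truncate(user.homepage_url, length: 20) shortens only the visible text, not the link target.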
#5240 (comment)
I think these are being flagged "correctly", in that it's a valid concern. Ultimately it could be that we're validating the inputs correctly but we should take whatever care is necessary to also convince the security bots that we are not doing something dumb.
478a638 to 6372897
@@ -1,7 +1,7 @@ | |||
require "application_system_test_case" | |||
require "test_helper" | |||
|
|||
class ProfileTest < ApplicationSystemTestCase |
Moving this to its own PR #5366
e22adda to 7fcdc6b
@martinemde I was able to get the brakeman build to pass by prepending
…n dialog prior to redirect
59de7fa to 6e3f245
Objective:
More context: This PR was opened during the Ruby Conf Hack day. After speaking with Martin, it was decided that I would add a basic homepage URL that can later be iterated on for future social media links.
How to test part 1: Add form to the edit profile
https://yourwebsite.com
Note: I was told that the icon will show on production:
How to test part 2: Update the user profile to display the homepage URL
/profiles/new-user-username
How to test part 3: Navigate to
/dashboard