Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add homepage url to user profile #5240

Open
wants to merge 37 commits into
base: master
Choose a base branch
from

Conversation

jacklynhma
Copy link
Contributor

@jacklynhma jacklynhma commented Nov 15, 2024

Objective:

  1. Add form to the edit profile
  2. Update the user profile to display the homepage URL
  3. Display the homepage URL on the dashboard
  4. Display confirmation dialog prior to redirecting user to homepage URL
  5. Truncate long homepage URLs

More context: This PR opened during the Ruby Conf Hack day. After speaking with Martin, it was decided that I add a basic homepage URL that can later be iterated on for future social media links.

How to test part 1: Add form to the edit profile

  • Login
  • On the upper right click the drop-down menu
  • Click Edit Profile
  • Add your homepage with the format https://yourwebsite.com
  • Add your password
  • Submit form
  • You should see the below image
    Note: I was told that the icon will show on production:
Screenshot 2024-11-14 at 17 59 50

How to test part 2: Update the user profile to display the homepage URL

  • Create a user
  • Login as a ruby gem user and navigate to /profiles/new-user-username
  • You should see the new image:
Screenshot 2024-12-14 at 12 41 48

How to test part 3: Navigate to /dashboard

  • You should see the below image with the homepage listed
Screenshot 2024-12-14 at 12 42 03

app/models/user.rb Outdated Show resolved Hide resolved
Copy link

codecov bot commented Nov 15, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 94.38%. Comparing base (96cba03) to head (6e3f245).

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #5240      +/-   ##
==========================================
- Coverage   97.14%   94.38%   -2.76%     
==========================================
  Files         458      460       +2     
  Lines        9584     9654      +70     
==========================================
- Hits         9310     9112     -198     
- Misses        274      542     +268     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Copy link
Member

@segiddins segiddins left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

don't worry about the coverage change

app/views/dashboards/_subject.html.erb Outdated Show resolved Hide resolved
app/views/profiles/show.html.erb Fixed Show resolved Hide resolved
@martinemde
Copy link
Member

Blocking temporarily while we make sure we're sanitizing the urls. I suspect that since we already allow urls from gems, this isn't a whole lot worse, but I want to double check.

@jacklynhma
Copy link
Contributor Author

@martinemde Thanks for calling this out.

I could be wrong, but while I was looking at the code, I did not see any sanitizing for the URL.

There are some safeguards though.

Screenshot 2024-11-21 at 16 55 02

which is tied to https://github.com/rubygems/rubygems.org/blob/master/config/initializers/content_security_policy.rb#L33 and which protects against XXS attacks.

However with this validation https://github.com/rubygems/rubygems.org/pull/5240/files#diff-9802ca3c9c4cf89904fd44bc114e35ebdf2c5dd3d5b645491e2b253e1afef29bR357
It looks like the code does prevent javascript:alert('XSS'); from even being submitted
https://github.com/mdespuits/validates_formatting_of/blob/664b7c8b1ae8c9016549944fc833737c74f1d752/lib/validates_formatting_of/method.rb#L19
So something like this will be caught and the below error message will show:
Screenshot 2024-11-21 at 16 33 36

What we can also do is with that sanitize method

      sanitize( link_to(
         user.homepage_url,
         user.homepage_url,
        rel: "nofollow"
      ), tags: %w(a), attributes: %w(href rel))

And then it will remove the href from the link and make it unclickable.
Screenshot 2024-11-21 at 17 18 30

But I understand that true sanitizing would remove everything we don't want in the string. I could also look into this. Please let me know how you would like me to proceed or if I am completely off the mark.

@martinemde
Copy link
Member

I'm happy to see that our Content Security Policy is correctly enforced. We probably agree that we don't want to rely on only that.

Can we write tests that ensure that no data: javascript: file: or similar urls are allowed? That's a good start.

The validation for a link being allowed in a rubygem is this: https://github.com/rubygems/rubygems/blob/master/lib/rubygems/specification_policy.rb#L450-L459

<%= icon_tag("link", color: :primary, class: "w-6 text-orange mr-3") %>
<p class="text-neutral-800 dark:text-white"><%=
link_to(
truncate(user.homepage_url, length: 20),
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Taking into account really long homepage URLs.
I chose length 20 because I saw that is the length we limit our Twitter username

Before:

Screenshot 2024-11-21 at 16 33 36

After

Screenshot 2024-12-03 at 13 54 54 Screenshot 2024-12-03 at 13 55 07

@jacklynhma
Copy link
Contributor Author

#5240 (comment)
#5240 (comment)
@martinemde After rereading your above messages, I think below are the use cases you are expecting. Please let me know and I can update the code. Thank you for your feedback.

User Enters in homepage URL Expected outcome
www.userhomepage.com http://www.userhomepage.com
javascript:alert('hello') Error message rendered, record is not updated
file:///etc/passwd Error message rendered, record is not updated
http://javascript:alert('hello') Error message rendered, record is not updated
http://www.userhomepage.com http://www.userhomepage.com
https://www.userhomepage.com https://www.userhomepage.com

app/views/profiles/show.html.erb Outdated Show resolved Hide resolved
app/views/profiles/show.html.erb Fixed Show resolved Hide resolved
@martinemde
Copy link
Member

I think these are being flagged "correctly", in that it's a valid concern. Ultimately it could be that we're validating the inputs correctly but we should take whatever care is necessary to also convince the security bots that we are not doing something dumb.

@jacklynhma jacklynhma force-pushed the add_homepage_url_to_user_profile branch 2 times, most recently from 478a638 to 6372897 Compare December 14, 2024 17:56
@@ -1,7 +1,7 @@
require "application_system_test_case"
require "test_helper"

class ProfileTest < ApplicationSystemTestCase
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When running tests locally, I receive the below error: Screenshot 2024-12-13 at 21 56 42

I realize this is a bug I created in a previous PR since I used the same class name. Changing the file to another name allowed the tests to run.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moving this to its own PR #5366

@jacklynhma jacklynhma force-pushed the add_homepage_url_to_user_profile branch 2 times, most recently from e22adda to 7fcdc6b Compare December 15, 2024 04:09
@jacklynhma
Copy link
Contributor Author

jacklynhma commented Dec 15, 2024

@martinemde I was able to get the brakeman build to pass by prepending https:// to the urls just in case in the future the model changes by accident and adding your suggestion to add h() 🥳

@jacklynhma jacklynhma force-pushed the add_homepage_url_to_user_profile branch from 59de7fa to 6e3f245 Compare December 26, 2024 20:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Development

Successfully merging this pull request may close these issues.

3 participants