Page MenuHomePhabricator
Create Task
Maniphest T277979

urlRegex frontend validation is fragile
Closed, ResolvedPublic
Actions

Description

The simplified regex that is used in the ui to validate URL inputs is fragile. I amended it in https://gerrit.wikimedia.org/r/c/wikimedia/toolhub/+/670413/12..13/vue/src/plugins/url-regex.js to add : as a valid character in the path segment of the URL, but I can see that the regex is going to consider many other valid urls invalid still.

Replacing this with a validation function like the one presented at https://stackoverflow.com/a/43467144/8171 may be more robust. This would require some additional refactoring as well.

Details

SubjectRepoBranchLines +/-
toolhub: Bump container version to 2022-03-15-002555-productionoperations/deployment-chartsmaster+1 -1
ui: Replace URL validation regex with native parserwikimedia/toolhubmain+79 -10
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedBUG REPORTbd808T298725 Toolhub URL field doesn't accept Cyrillic characters
 Resolvedbd808T277979 urlRegex frontend validation is fragile

Event Timeline

bd808 created this task.Mar 19 2021, 11:00 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 19 2021, 11:00 PM
Raymond_Ndibe moved this task from Backlog to Groomed/Ready on the Toolhub board.Dec 8 2021, 6:52 PM
Raymond_Ndibe moved this task from Groomed/Ready to Backlog on the Toolhub board.Dec 8 2021, 6:56 PM
Raymond_Ndibe subscribed.Dec 22 2021, 5:25 PM

There seems to be some concerns regarding the stackoverflow answer linked above. that solution seems to accept certain false positives. E.g. we are only really interested in https or http but that solution will allow other protocols, and will accept a host of other weird things provided they are adhere to the rfc 3886 standard

bd808 added a comment.Dec 22 2021, 9:31 PM
In T277979#7586066, @Raymond_Ndibe wrote:

There seems to be some concerns regarding the stackoverflow answer linked above. that solution seems to accept certain false positives. E.g. we are only really interested in https or http but that solution will allow other protocols, and will accept a host of other weird things provided they are adhere to the rfc 3886 standard

I'm not sure that the version I'm looking at has the problems you are concerned with:

function isValidHttpUrl(string) {
  let url;
  
  try {
    url = new URL(string);
  } catch (_) {
    return false;  
  }

  return url.protocol === "http:" || url.protocol === "https:";
}

Note the check of the protocol as part of the full validation.

Reedy mentioned this in T298725: Toolhub URL field doesn't accept Cyrillic characters.Jan 6 2022, 7:58 PM
Reedy added a parent task: T298725: Toolhub URL field doesn't accept Cyrillic characters.
bd808 changed the task status from Open to In Progress.Jan 6 2022, 8:56 PM
bd808 claimed this task.
bd808 moved this task from Backlog to In Progress on the Toolhub board.

T298725: Toolhub URL field doesn't accept Cyrillic characters makes this more immediately an issue and much less abstract.

Restricted Application added a project: User-bd808. · View Herald TranscriptJan 6 2022, 8:56 PM
bd808 added a comment.Jan 6 2022, 11:54 PM

I found a couple of tiny issues with the proposed implementation from T277979#7586574:

  • It allows whitespace in the URL's path and query string which the Django regex rejects.
    • This seems simple enough to add an additional check for in the js validation.
  • It allows a variety of values in the URL's host that are rejected by the Django regex.
    • I think our prior regex did as well actually.
gerritbot added a comment.Jan 7 2022, 12:46 AM

Change 752042 had a related patch set uploaded (by BryanDavis; author: Bryan Davis):

[wikimedia/toolhub@main] ui: Replace URL validation regex with native parser

https://gerrit.wikimedia.org/r/752042

gerritbot added a project: Patch-For-Review.Jan 7 2022, 12:46 AM
bd808 moved this task from To Do to Needs Review/Feedback on the User-bd808 board.Jan 8 2022, 12:10 AM
gerritbot added a comment.Jan 10 2022, 2:14 PM

Change 752042 merged by jenkins-bot:

[wikimedia/toolhub@main] ui: Replace URL validation regex with native parser

https://gerrit.wikimedia.org/r/752042

Maintenance_bot removed a project: Patch-For-Review.Jan 10 2022, 3:10 PM
bd808 moved this task from In Progress to Review on the Toolhub board.Jan 11 2022, 8:35 PM
bd808 closed this task as Resolved.Jan 31 2022, 8:06 PM
gerritbot added a comment.Mar 15 2022, 12:34 AM

Change 770638 had a related patch set uploaded (by BryanDavis; author: Bryan Davis):

[operations/deployment-charts@master] toolhub: Bump container version to 2022-03-15-002555-production

https://gerrit.wikimedia.org/r/770638

gerritbot added a project: Patch-For-Review.Mar 15 2022, 12:34 AM
gerritbot added a comment.Mar 15 2022, 4:51 PM

Change 770638 merged by jenkins-bot:

[operations/deployment-charts@master] toolhub: Bump container version to 2022-03-15-002555-production

https://gerrit.wikimedia.org/r/770638

Maintenance_bot removed a project: Patch-For-Review.Mar 15 2022, 5:12 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits