@imblue-dabadee imblue-dabadee commented Aug 29, 2025

Explanation

There has been an advent of sites such as sites.google.com being used maliciously that bypass the checks as they contain an allowlisted hostname. This PR aims to enable the Phishing Controller to block URL paths so that we can maintain the same allowlist but also block malicious websites that use allowlisted hostnames.

References

Checklist

  • I've updated the test suite for new or updated code as appropriate
  • I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
  • I've communicated my changes to consumers by updating changelogs for packages I've changed, highlighting breaking changes as necessary
  • I've prepared draft pull requests for clients and consumer packages to resolve any breaking changes

@imblue-dabadee imblue-dabadee requested a review from a team as a code owner August 29, 2025 04:15
@imblue-dabadee imblue-dabadee marked this pull request as draft August 29, 2025 04:15
@imblue-dabadee imblue-dabadee marked this pull request as ready for review August 29, 2025 21:33

We shouldn't be modifying this file, should we?

Hey there! This file gets automatically updated when you run yarn lint, it's okay to modify and commit this. The goal of this file is to track how many lint warnings there are so we can slowly remove them (it's a tech debt kind of thing). Only thing I would say is that the numbers in this file should go down.

urlPaths: Record<string, Record<string, Record<string, string[]>>>,
) => {
const urlWithProtocol = url.startsWith('http') ? url : `https://${url}`;
const { hostname, pathname } = new URL(urlWithProtocol);
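
Review bot: The scheme test on the `urlWithProtocol` line is `url.startsWith('http')`, which also matches scheme-less input whose hostname merely begins with "http" (for example `httpbin.org/path`), so no `https://` is prepended and `new URL()` receives a string with no scheme. It also misses an upper-case `HTTP://` prefix, which then gets a second scheme prepended and parses to the wrong hostname. Suggest matching the full prefix case-insensitively, for example with `/^https?:\/\//i`, so the `hostname` and `pathname` used for the blocklist lookup come from the URL that was actually supplied.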

@AugmentedMode AugmentedMode Sep 15, 2025

new URL() throws on bad input. Should we wrap this with a try/catch?

export type PhishingListState = {
allowlist: string[];
blocklist: string[];
blocklistPaths: Record<string, Record<string, Record<string, string[]>>>;

@AugmentedMode AugmentedMode Sep 15, 2025

What do you think about a type like this instead for better readability?

type PathBlockNode = {
  isBlocked: boolean;          
  blockAllSubpaths: boolean;    
  children: Record<string, PathBlockNode>;  
};

type BlocklistPaths = Record<string, PathBlockNode>;  
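
Added example, not part of this PR or of the project's code: one way a lookup over the `PathBlockNode` shape proposed above could work, with the `new URL()` failure from the earlier review comment handled. The names `own`, `isPathBlocked` and `SAMPLE_BLOCKLIST`, the sample path names, and the reading of `isBlocked` as "this exact path" and `blockAllSubpaths` as "every strictly deeper path" are assumptions.

```typescript
// Added illustration, not the PR's code. PathBlockNode is the shape proposed above.
type PathBlockNode = {
  isBlocked: boolean; // assumed: this exact path is blocked
  blockAllSubpaths: boolean; // assumed: every strictly deeper path is blocked
  children: Record<string, PathBlockNode>; // next path segment -> node
};
type BlocklistPaths = Record<string, PathBlockNode>; // hostname -> root node

// Constructed sample data; the path names are made up.
const SAMPLE_BLOCKLIST: BlocklistPaths = {
  'sites.google.com': {
    isBlocked: false,
    blockAllSubpaths: false,
    children: {
      view: {
        isBlocked: false,
        blockAllSubpaths: false,
        children: {
          'constructed-phish': { isBlocked: true, blockAllSubpaths: true, children: {} },
        },
      },
    },
  },
};

// Own-property lookup, so a segment such as "constructor" never resolves
// to something inherited from Object.prototype.
function own<T>(rec: Record<string, T>, key: string): T | undefined {
  return Object.prototype.hasOwnProperty.call(rec, key) ? rec[key] : undefined;
}

// Hypothetical matcher: returns false instead of throwing on unparseable input.
function isPathBlocked(url: string, blocklist: BlocklistPaths): boolean {
  const withScheme = /^https?:\/\//i.test(url) ? url : `https://${url}`;
  let parsed: URL;
  try {
    parsed = new URL(withScheme); // lowercases the host, resolves "." and ".."
  } catch {
    return false;
  }
  let node = own(blocklist, parsed.hostname);
  for (const segment of parsed.pathname.split('/').filter(Boolean)) {
    if (node === undefined) return false;
    if (node.blockAllSubpaths) return true;
    node = own(node.children, segment);
  }
  return node !== undefined && node.isBlocked;
}
```

Because the path is split only after `new URL()` has normalised it, a request written as `/x/../view/constructed-phish` matches the same node as the direct path.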

imblue-dabadee and others added 5 commits September 18, 2025 10:53
- We can assume that whenever config is given to this function, that separateBlocklistEntries has already been called so this would be unnecessary to do.
@imblue-dabadee imblue-dabadee requested a review from a team as a code owner September 26, 2025 15:49