[Vis Tools] Code Cleanup #5947
Summary of Changes

Hello @juliawu, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request focuses on enhancing code quality and security. It optimizes D3 map rendering by transitioning from iterative class removal to more efficient CSS selector-based operations and significantly strengthens the URL sanitization utility to better protect against various forms of malicious URL inputs, incorporating feedback from prior reviews.
Code Review
This pull request includes some nice cleanups. The refactoring in draw_d3_map.ts to use D3's CSS selector capabilities instead of loops is a great improvement for both performance and code clarity. The update to sanitizeSourceUrl to use the URL API is also a good move towards a more robust implementation. I've found a potential security issue in the new sanitization logic where it might not correctly block all malicious URLs, and I've left a comment with a suggested fix. The new test cases were very helpful in identifying this.
static/js/shared/util.ts
Outdated
```ts
const blockedKeywords = ["javascript:", "vbscript:", "data:"];

// Block unsafe protocols
if (blockedKeywords.includes(parsed.protocol.toLowerCase())) {
  return "";
}

// Check for script injection in the HOSTNAME
if (blockedKeywords.includes(parsed.hostname.toLowerCase())) {
  return "";
}
```
The current implementation has a potential security flaw. The blockedKeywords array includes colons, which means the check against parsed.hostname will not work as intended. For example, for the URL http://vbscript:alert(1), parsed.hostname is vbscript, and blockedKeywords.includes('vbscript') will be false, allowing the URL to pass. To fix this, I suggest removing the colons from blockedKeywords and adjusting the protocol check accordingly to correctly block unsafe hostnames.
Suggested change:

```diff
-const blockedKeywords = ["javascript:", "vbscript:", "data:"];
+const blockedKeywords = ["javascript", "vbscript", "data"];
 // Block unsafe protocols
-if (blockedKeywords.includes(parsed.protocol.toLowerCase())) {
+if (blockedKeywords.includes(parsed.protocol.slice(0, -1).toLowerCase())) {
   return "";
 }
 // Check for script injection in the HOSTNAME
 if (blockedKeywords.includes(parsed.hostname.toLowerCase())) {
   return "";
 }
```
The current code correctly blocks the "http://vbscript:alert(1)" test case, but I've updated the test to explicitly look for hostnames without colons.
beets
left a comment
thanks for the updates
static/js/shared/util.ts
Outdated
```ts
const blockedHostnames = ["javascript", "vbscript", "data"];
if (blockedHostnames.includes(parsed.hostname.toLowerCase())) {
  return "";
}
```
this block isn't necessary, since those won't parse if invalid
javascript.com is fine, javascript: isn't. the latter will throw a parse error
Good call out, removed this block.
Also added javascript.com as a test case
static/js/shared/util.ts
Outdated
```ts
const blockedProtocols = ["javascript:", "vbscript:", "data:"];
if (blockedProtocols.includes(parsed.protocol.toLowerCase())) {
  return "";
}
```
maybe the reverse instead: check for http and https only, return blank in all other cases.
but, this is already done above though (155-158) so unnecessary to do again here.
Good call out, removed this block and added a clarifying comment so the implicit protocol block mechanism is more clear
static/js/shared/util.ts
Outdated
```ts
trimmedUrl.toLowerCase().startsWith("http://") ||
trimmedUrl.toLowerCase().startsWith("https://")
  ? trimmedUrl
  : "https://" + trimmedUrl;
```
avoid calling toLowerCase so many times throughout the function
Now that the explicit checks are removed, toLowerCase is no longer needed. Removed.
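The sanitizer shape the thread converges on (trim, prepend an https:// scheme when none is present, let the WHATWG URL parser reject anything malformed, and allowlist http/https) written out end to end, as an added example that is not the project's util.ts. Returning `parsed.href` rather than the raw input is an assumption, and the sample cases are constructed to mirror the ones discussed above.

```typescript
// Added example, not code from the pull request: a URL sanitizer built on the
// approach the review converges on. Returning parsed.href is an assumption.

const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

function sanitizeSourceUrl(url: string): string {
  const trimmedUrl = url.trim();
  if (trimmedUrl === "") {
    return "";
  }

  // Bare hostnames such as "example.org/path" get an https:// scheme. Because a
  // scheme is always present before parsing, any other scheme the caller typed
  // ("javascript:", "vbscript:", "data:") lands in the authority section, where
  // "<name>:<non-digits>" is an invalid host:port and the parser throws.
  const withScheme =
    trimmedUrl.startsWith("http://") || trimmedUrl.startsWith("https://")
      ? trimmedUrl
      : "https://" + trimmedUrl;

  let parsed: URL;
  try {
    parsed = new URL(withScheme);
  } catch {
    // Malformed input, including "http://vbscript:alert(1)" whose port part is
    // not numeric, is rejected here instead of by a keyword list.
    return "";
  }

  // Defense in depth: the prefix logic already guarantees http/https, but an
  // explicit allowlist keeps the function safe if that logic is ever changed.
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    return "";
  }
  return parsed.href;
}

// Constructed cases mirroring the review discussion: blocked schemes in any
// position are rejected, while an ordinary host like javascript.com is kept.
const SAMPLE_CASES: Array<[string, string]> = [
  ["javascript:alert(1)", ""],
  ["http://vbscript:alert(1)", ""],
  ["data:text/html,hello", ""],
  ["javascript.com", "https://javascript.com/"],
  ["  example.org/path  ", "https://example.org/path"],
  ["", ""],
];

// Returns true when every constructed case produces its expected result.
function runSampleCases(): boolean {
  return SAMPLE_CASES.every(
    ([input, expected]) => sanitizeSourceUrl(input) === expected
  );
}
```

The point of the example is that no keyword list is needed once a scheme is always prepended: the parser's own host and port validation does the rejecting, and the protocol allowlist is only a backstop.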
@beets thanks for the comments, I think the sanitization function is much cleaner now!
This PR addresses reviewer comments from #5933 and #5934 that I missed addressing before they got merged. The changes are: