Skip to content
This repository has been archived by the owner on Apr 12, 2024. It is now read-only.

feat($sanitize): Added support for the sftp protocol in $$ SanitizeUriProvider and linky filter #16102

Merged
merged 7 commits into from
Oct 11, 2017

Conversation

XFree
Copy link
Contributor

@XFree XFree commented Jul 12, 2017

… SanitizeUriProvider

Added support for the sftp protocol in $$ SanitizeUriProvider and linky filter

What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)
feature

What is the current behavior? (You can also link to an open issue here)
sftp not suported

What is the new behavior (if this is a feature change)?
sftp suported

Does this PR introduce a breaking change?
no

Please check if the PR fulfills these requirements

Other information:

… SanitizeUriProvider

Added support for the sftp protocol in $$ SanitizeUriProvider and linky filter
@XFree
Copy link
Contributor Author

XFree commented Jul 12, 2017

I do not understand why the build is falling

@Narretz
Copy link
Contributor

Narretz commented Jul 13, 2017

Hi, the build error is unrelated to your PR. We are looking into it.

@Narretz Narretz added this to the Backlog milestone Jul 13, 2017
@XFree
Copy link
Contributor Author

XFree commented Jul 13, 2017

@Narretz, Tell me please, where are the rules for adding to the documentation about the fixes.

@Narretz
Copy link
Contributor

Narretz commented Jul 13, 2017

@XFree the docs are in the code files themselves. However, it looks like the default whitelist is not documented. The docs for linky are here: https://github.com/angular/angular.js/blob/master/src/ngSanitize/filter/linky.js

Btw, the scope for this should be feat($sanitize) ... as $$SanitizeUriProvider is a private service.

@XFree XFree changed the title fix($$SanitizeUriProvider): Added support for the sftp protocol in $$ SanitizeUriProvider and linky filter fix($sanitize): Added support for the sftp protocol in $$ SanitizeUriProvider and linky filter Jul 13, 2017
@XFree XFree changed the title fix($sanitize): Added support for the sftp protocol in $$ SanitizeUriProvider and linky filter feat($sanitize): Added support for the sftp protocol in $$ SanitizeUriProvider and linky filter Jul 13, 2017
@Narretz
Copy link
Contributor

Narretz commented Aug 3, 2017

Could you please add (s)ftp tests to linky and info the linky docs that sftp is supported?

@XFree
Copy link
Contributor Author

XFree commented Aug 15, 2017

@Narretz,
Is the documentation generated automatically?
I did not really understand how to properly arrange the documentation.

@Narretz
Copy link
Contributor

Narretz commented Sep 6, 2017

@XFree the docs are created from the comments around the functions, e.g.

* @description
* Finds links in text input and turns them into html links. Supports `http/https/ftp/mailto` and
* plain email address links.

@XFree
Copy link
Contributor Author

XFree commented Sep 7, 2017

@Narretz , Oh. Thank you.

@Narretz
Copy link
Contributor

Narretz commented Sep 18, 2017

@mprobst / @rjamet could one of you have a quick look at this security related PR? It's very straightforward, I just wanna follow protocol. :)

@rjamet
Copy link
Contributor

rjamet commented Sep 19, 2017

Is there any browser with built-in support of sftp?...

That looks safe, and so I'm okay with merging, but I think that might be better suited as an additional config knob that gets set in the application itself.

SFTP matches the idea of fetching stuff at the end of a link, so I think it's reasonable. But if we allow sftp, then you could push that logic to ssh://, magnet://, onion:// and a more which would be surprising for devs who didn't explicitly allow those. In all of those cases, I'd rather see something like linkyProvider.allowProtocols("sftp://") / $compileProvider.allowProtocols("sftp://") in the config phase of the application: this way, you don't change the default, and if you need to use these protocols, then two lines are enough to enable them app-wide.

@XFree
Copy link
Contributor Author

XFree commented Sep 19, 2017

@rjamet , In this case, when this need to do this for https, but this is beyond the scope of this PR.
sftp implemented like https. I agree that in the future it is necessary to make the setting more flexible

var aHrefSanitizationWhitelist = /^\s*(https?|ftp|mailto|tel|file):/,
imgSrcSanitizationWhitelist = /^\s*((https?|ftp|file|blob):|data:image\/)/;
var aHrefSanitizationWhitelist = /^\s*(https?|s?ftp|mailto|tel|file):/,
imgSrcSanitizationWhitelist = /^\s*((https?|s?ftp|file|blob):|data:image\/)/;
Copy link
Contributor

@rjamet rjamet Sep 19, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oops, I missed this, sorry: is there a reason you're updating imgSrc too? I can see how navigational links could work, but if browsers don't support the protocol, images and such wouldn't work at all (Chrome seems to complain with Failed to load resource: net::ERR_UNKNOWN_URL_SCHEME at least).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm fix it.

@rjamet
Copy link
Contributor

rjamet commented Sep 20, 2017

LGTM security-wise, I'll let the Angular team decide for the rest.

@XFree
Copy link
Contributor Author

XFree commented Sep 21, 2017

I do not understand what the problems are with CI?

@gkalpak
Copy link
Member

gkalpak commented Sep 21, 2017

commitplease was unable to validate the commit messages (didn't really looked into why). Given that this is the only test that failed, I think it is fine to ignore the CI failure.

@XFree
Copy link
Contributor Author

XFree commented Sep 27, 2017

When will Pull request be merged? =)

@Narretz Narretz merged commit 5f76bc6 into angular:master Oct 11, 2017
Narretz pushed a commit that referenced this pull request Oct 11, 2017
…protocol in links

Add support for the sftp protocol in the linky filter and the "aHrefSanitizationWhitelist" that is used by $sanitize and can be configured in the $compileProvider.

Closes #16102
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants