Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Small cleanups #1285

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Small cleanups #1285

wants to merge 4 commits into from

Conversation

csillag
Copy link
Contributor

@csillag csillag commented Feb 21, 2024

Copy link

github-actions bot commented Feb 21, 2024

Deployed to Cloudflare Pages

Latest commit: efc81f54a7b4cbcef1a14b1c59fd1bee6bb80129
Status:✅ Deploy successful!
Preview URL: https://bdc49c44.oasis-explorer.pages.dev

@csillag csillag force-pushed the csillag/small-cleanups branch from 6e46b66 to 2a22b11 Compare February 21, 2024 17:58
@csillag csillag marked this pull request as ready for review February 21, 2024 17:59
src/app/utils/url.ts Show resolved Hide resolved
@@ -40,7 +41,7 @@ export const SnapshotCardExternalLink: FC<SnapshotCardExternalLinkProps> = ({
>
{description}
</Typography>
{url && hasValidProtocol(url) && (
{url && (hasValidProtocol(url) || url.startsWith('mailto:')) && (
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this is a good solution

(unimportant note: you are not using emailAccepted)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(unimportant note: you are not using emailAccepted)

This part has been fixed.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this is a good solution

What would you consider a good solution, instead of prop for the general purpose component?

Maybe a separate component used for displaying safe links?

Copy link
Member

@lukaw3d lukaw3d Feb 23, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code should make it obvious if it is safe. Right now you have to trace through the code to check if emailAccepted is only used with safe sources of URLs.

Better options:

  • all our components should have a safe interface
    • sanitize/block malicious mail links in our components that allow urls
    • whitelist externalLinks and block all other mail links
    • block all mail links in our components. Pass pontusx mail link directly to the unsafe Button component (<Button href=externalLinks... makes it clear that it comes from a safe source)
    • block mail links and display pontusx email address instead
  • all sources of links should be made safe. Sanitize malicious links in api.ts

Remove "mailto:" from the list of valid protocols,
because it can be unsafe to click on mailto links.

Supporting mailto: links can enable malicious URLs like
javascript: and mailto:?attach=.

We are trying to prevent that.

Instead, provide a special "emailAccepted" when we
know that the link is coming from a safe source,
like our code.
@csillag csillag force-pushed the csillag/small-cleanups branch from bb88cc9 to efc81f5 Compare February 21, 2024 18:48
Comment on lines +751 to +752
Amount: fromBaseUnits(event.body.Amount, paraTimesConfig[runtime].decimals),
Denomination: getTokensForScope({ network, layer: runtime })[0].ticker,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is more wrong

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fix in #1539

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants