Commit

fix(security): clean url from trame search params
jourdain committed Aug 15, 2024
1 parent b3599d6 commit f0e093b
Showing 3 changed files with 32 additions and 0 deletions.
2 changes: 2 additions & 0 deletions README.rst
Expand Up @@ -65,6 +65,8 @@ Trame client is the JS core of trame and can be tuned by url parameters. The tab
- When set this will load an extra script that will use a service worker to enable SharedArrayBuffer
* - ui
- Layout name selector. When a trame app define several layout with different name, you can choose which layout should be displayed
* - remove
- By default the URL will be cleaned from trame config parameters (sessionURL, sessionManagerURL, secret, application) but if additional parameters should be removed as well but used in the launcher config, this can be achieved by adding a `&remove=param1,param2`.

The table below leverage environment variables, mainly for the Jupyter Lab context and the iframe builder configuration.
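
Review bot: In the new `remove` row, the example `&remove=param1,param2` is wrapped in single backticks, which in a .rst file is the default interpreted-text role rather than an inline literal; use double backticks so it renders as code. The sentence itself is hard to parse ("but if additional parameters should be removed as well but used in the launcher config"). Consider splitting it: first state that sessionURL, sessionManagerURL, secret and application are always stripped, then that `remove` takes a comma-separated list of extra parameter names to strip and is itself removed from the URL. Since the code comments say the cleanup happens once the config is generated, the row should say so too, so readers know the parameters are still readable from the address bar until then.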

15 changes: 15 additions & 0 deletions vue2-app/src/components/Connect/wslink/index.js
Expand Up @@ -119,6 +119,21 @@ function getClient(name) {
);
}

// Remove any URL parameters once config generated
const params = new URL(window.location).searchParams;
const paramsToClean = [
"sessionURL",

Check failure on line 125 in vue2-app/src/components/Connect/wslink/index.js (GitHub Actions / Pytest Linux, GitHub Actions / test-npm-build): Replace `"sessionURL"` with `'sessionURL'`

"sessionManagerURL",

Check failure on line 126 in vue2-app/src/components/Connect/wslink/index.js (GitHub Actions / Pytest Linux, GitHub Actions / test-npm-build): Replace `"sessionManagerURL"` with `'sessionManagerURL'`

"secret",

Check failure on line 127 in vue2-app/src/components/Connect/wslink/index.js (GitHub Actions / Pytest Linux, GitHub Actions / test-npm-build): Replace `"secret"` with `'secret'`

"application",

Check failure on line 128 in vue2-app/src/components/Connect/wslink/index.js (GitHub Actions / Pytest Linux, GitHub Actions / test-npm-build): Replace `"application"` with `'application'`

"remove",

Check failure on line 129 in vue2-app/src/components/Connect/wslink/index.js (GitHub Actions / Pytest Linux, GitHub Actions / test-npm-build): Replace `"remove"` with `'remove'`

].concat(params.get("remove")?.split(",") || []);

Check failure on line 130 in vue2-app/src/components/Connect/wslink/index.js (GitHub Actions / Pytest Linux, GitHub Actions / test-npm-build): Replace `"remove")?.split(","` with `'remove')?.split(','`

paramsToClean.forEach((v) => params.delete(v));
const cleanURL = `${window.location.pathname}${

Check failure on line 132 in vue2-app/src/components/Connect/wslink/index.js (GitHub Actions / Pytest Linux, GitHub Actions / test-npm-build): Replace `⏎····params.size·?·"?"·:·""⏎··}${params.toString()}${window.location.hash` with `params.size·?·'?'·:·''}${params.toString()}${⏎····window.location.hash⏎··`

params.size ? "?" : ""
}${params.toString()}${window.location.hash}`;
window.history.replaceState({}, document.title, cleanURL);

return client;
}
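
Review bot: `params.size ? "?" : ""` in the `cleanURL` template depends on `URLSearchParams.size`, which older browsers do not implement. There `params.size` is `undefined`, the `?` is dropped, and any parameters that survive the cleanup are glued directly onto the pathname handed to `replaceState`. Derive the separator from the serialized string instead: `const qs = params.toString();` and then append `qs ? '?' + qs : ''`. Separately, `params.get("remove")?.split(",")` neither trims entries nor drops empty ones, so a value such as `remove=a, b` leaves `b` in the URL; map the entries through `trim()` and filter out empty strings before calling `params.delete`. The CI annotations on lines 125 to 132 also show the formatter rejecting the double quotes and the template layout, so run prettier on this file before merging.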

15 changes: 15 additions & 0 deletions vue3-app/src/main.js
Expand Up @@ -25,6 +25,21 @@ async function start() {
useUrl: true,
});

// Clean URL params once config is generated
const params = new URL(window.location).searchParams;
const paramsToClean = [
"sessionURL",
"sessionManagerURL",
"secret",
"application",
"remove",
].concat(params.get("remove")?.split(",") || []);
paramsToClean.forEach((v) => params.delete(v));
const cleanURL = `${window.location.pathname}${
params.size ? "?" : ""
}${params.toString()}${window.location.hash}`;
window.history.replaceState({}, document.title, cleanURL);

// Handle connection
trame.addConnectListener(() => {
trame.client.onConnectionError((httpReq) => {
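
Review bot: The cleanup block after `useUrl: true` duplicates, line for line, the one added to vue2-app/src/components/Connect/wslink/index.js, so the list of parameters treated as sensitive (`sessionURL`, `sessionManagerURL`, `secret`, `application`, `remove`) now lives in two files and can drift when one copy is updated. Move it into a single shared helper that both apps call, and fix the `params.size` check there once (it is `undefined` in browsers without `URLSearchParams.size`, which drops the `?` before the remaining parameters). Also note that `window.history.replaceState({}, document.title, cleanURL)` overwrites whatever state object the current history entry already had; pass `window.history.state` as the first argument if only the URL is meant to change.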

0 comments on commit f0e093b
