Merge pull request #95 from cinlo/1.4

fix:validate region from url params to prevent xss attack
aws · Dec 11, 2024 · 84f6301 · 84f6301
2 parents 78bb728 + ba10cc1
commit 84f6301
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 1 deletion.
diff --git a/patched-vscode/extensions/sagemaker-open-notebook-extension/src/extension.ts b/patched-vscode/extensions/sagemaker-open-notebook-extension/src/extension.ts
@@ -17,7 +17,18 @@ export function activate() {
 
 }
 
+function isValidRegion(region: string): boolean {
+    // This regex allows for characters, numbers, and hyphens
+    const regionRegex = /^[a-zA-Z0-9-]+$/;
+    return regionRegex.test(region);
+}
+
 async function loadAndDisplayNotebook(fileKey: string, clusterId: string, region: string) {
+    if (!isValidRegion(region)) {
+        vscode.window.showErrorMessage('Invalid region format. Region should only contain characters, numbers, and hyphens.');
+        return;
+    }
+
     const bucketName = `jumpstart-cache-prod-${region}`;
     const url = `https://${bucketName}.s3.${region}.amazonaws.com/${fileKey}`;
     try {

diff --git a/patches/sagemaker-open-notebook-extension.patch b/patches/sagemaker-open-notebook-extension.patch
@@ -162,7 +162,7 @@ Index: sagemaker-code-editor/vscode/extensions/sagemaker-open-notebook-extension
 ===================================================================
 --- /dev/null
 +++ sagemaker-code-editor/vscode/extensions/sagemaker-open-notebook-extension/src/extension.ts
-@@ -0,0 +1,89 @@
+@@ -0,0 +1,91 @@
 +
 +import * as vscode from 'vscode';
 +import * as https from 'https';
@@ -182,7 +182,18 @@ Index: sagemaker-code-editor/vscode/extensions/sagemaker-open-notebook-extension
 +
 +}
 +
++function isValidRegion(region: string): boolean {
++    // This regex allows for characters, numbers, and hyphens
++    const regionRegex = /^[a-zA-Z0-9-]+$/;
++    return regionRegex.test(region);
++}
++
 +async function loadAndDisplayNotebook(fileKey: string, clusterId: string, region: string) {
++    if (!isValidRegion(region)) {
++        vscode.window.showErrorMessage('Invalid region format. Region should only contain characters, numbers, and hyphens.');
++        return;
++    }
++    
 +    const bucketName = `jumpstart-cache-prod-${region}`;
 +    const url = `https://${bucketName}.s3.${region}.amazonaws.com/${fileKey}`;
 +    try {