Always allow internal urls in Vega (#124705)

2025-04-23 01:13:23 -04:00 · 2022-02-08 15:04:25 +01:00 · 2022-02-08 15:04:25 +01:00 · ca9c004f1a
commit ca9c004f1a
parent 3f702c1fd4
13 changed files with 83 additions and 6 deletions
--- a/docs/development/core/public/kibana-plugin-core-public.iexternalurl.isinternalurl.md
+++ b/docs/development/core/public/kibana-plugin-core-public.iexternalurl.isinternalurl.md
@ -0,0 +1,24 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-public](./kibana-plugin-core-public.md) &gt; [IExternalUrl](./kibana-plugin-core-public.iexternalurl.md) &gt; [isInternalUrl](./kibana-plugin-core-public.iexternalurl.isinternalurl.md)
+
+## IExternalUrl.isInternalUrl() method
+
+Determines if the provided URL is an internal url.
+
+<b>Signature:</b>
+
+```typescript
+isInternalUrl(relativeOrAbsoluteUrl: string): boolean;
+```
+
+## Parameters
+
+|  Parameter | Type | Description |
+|  --- | --- | --- |
+|  relativeOrAbsoluteUrl | string |  |
+
+<b>Returns:</b>
+
+boolean
+
--- a/docs/development/core/public/kibana-plugin-core-public.iexternalurl.md
+++ b/docs/development/core/public/kibana-plugin-core-public.iexternalurl.md
@ -16,5 +16,6 @@ export interface IExternalUrl

 |  Method | Description |
 |  --- | --- |
+|  [isInternalUrl(relativeOrAbsoluteUrl)](./kibana-plugin-core-public.iexternalurl.isinternalurl.md) | Determines if the provided URL is an internal url. |
 |  [validateUrl(relativeOrAbsoluteUrl)](./kibana-plugin-core-public.iexternalurl.validateurl.md) | Determines if the provided URL is a valid location to send users. Validation is based on the configured allow list in kibana.yml.<!-- -->If the URL is valid, then a URL will be returned. Otherwise, this will return null. |

--- a/src/core/public/http/external_url_service.test.ts
+++ b/src/core/public/http/external_url_service.test.ts
@ -73,6 +73,23 @@ const internalRequestScenarios = [
 ];

 describe('External Url Service', () => {
+  describe('#isInternalUrl', () => {
+    const { setup } = setupService({
+      location: new URL('https://example.com/app/management?q=1&bar=false#some-hash'),
+      serverBasePath: '',
+      policy: [],
+    });
+
+    it('internal request', () => {
+      expect(setup.isInternalUrl('/')).toBeTruthy();
+      expect(setup.isInternalUrl('https://example.com/')).toBeTruthy();
+    });
+
+    it('external request', () => {
+      expect(setup.isInternalUrl('https://elastic.co/')).toBeFalsy();
+    });
+  });
+
  describe('#validateUrl', () => {
    describe('internal requests with a server base path', () => {
      const serverBasePath = '/base-path';
--- a/src/core/public/http/external_url_service.ts
+++ b/src/core/public/http/external_url_service.ts
@ -50,20 +50,33 @@ function normalizeProtocol(protocol: string) {
  return protocol.endsWith(':') ? protocol.slice(0, -1).toLowerCase() : protocol.toLowerCase();
 }

+const createIsInternalUrlValidation = (
+  location: Pick<Location, 'href'>,
+  serverBasePath: string
+) => {
+  return function isInternallUrl(next: string) {
+    const base = new URL(location.href);
+    const url = new URL(next, base);
+
+    return (
+      url.origin === base.origin &&
+      (!serverBasePath || url.pathname.startsWith(`${serverBasePath}/`))
+    );
+  };
+};
+
 const createExternalUrlValidation = (
  rules: IExternalUrlPolicy[],
  location: Pick<Location, 'href'>,
  serverBasePath: string
 ) => {
+  const isInternalUrl = createIsInternalUrlValidation(location, serverBasePath);
+
  return function validateExternalUrl(next: string) {
    const base = new URL(location.href);
    const url = new URL(next, base);

-    const isInternalURL =
-      url.origin === base.origin &&
-      (!serverBasePath || url.pathname.startsWith(`${serverBasePath}/`));
-
-    if (isInternalURL) {
+    if (isInternalUrl(next)) {
      return url;
    }

@ -90,6 +103,7 @@ export class ExternalUrlService implements CoreService<IExternalUrl> {
    const { policy } = injectedMetadata.getExternalUrlConfig();

    return {
+      isInternalUrl: createIsInternalUrlValidation(location, serverBasePath),
      validateUrl: createExternalUrlValidation(policy, location, serverBasePath),
    };
  }
--- a/src/core/public/http/http_service.mock.ts
+++ b/src/core/public/http/http_service.mock.ts
@ -36,6 +36,7 @@ const createServiceMock = ({
    isAnonymous: jest.fn(),
  },
  externalUrl: {
+    isInternalUrl: jest.fn(),
    validateUrl: jest.fn(),
  },
  addLoadingCountSource: jest.fn(),
--- a/src/core/public/http/types.ts
+++ b/src/core/public/http/types.ts
@ -110,6 +110,13 @@ export interface IBasePath {
 * @public
 */
 export interface IExternalUrl {
+  /**
+   * Determines if the provided URL is an internal url.
+   *
+   * @param relativeOrAbsoluteUrl
+   */
+  isInternalUrl(relativeOrAbsoluteUrl: string): boolean;
+
  /**
   * Determines if the provided URL is a valid location to send users.
   * Validation is based on the configured allow list in kibana.yml.
--- a/src/core/public/public.api.md
+++ b/src/core/public/public.api.md
@ -686,6 +686,7 @@ export interface IBasePath {

 // @public
 export interface IExternalUrl {
+    isInternalUrl(relativeOrAbsoluteUrl: string): boolean;
    validateUrl(relativeOrAbsoluteUrl: string): URL | null;
 }

--- a/src/plugins/dashboard/public/application/embeddable/empty_screen/snapshots/dashboard_empty_screen.test.tsx.snap
+++ b/src/plugins/dashboard/public/application/embeddable/empty_screen/snapshots/dashboard_empty_screen.test.tsx.snap
@ -19,6 +19,7 @@ exports[`DashboardEmptyScreen renders correctly with edit mode 1`] = `
      },
      "delete": [MockFunction],
      "externalUrl": Object {
+        "isInternalUrl": [MockFunction],
        "validateUrl": [MockFunction],
      },
      "fetch": [MockFunction],
@ -343,6 +344,7 @@ exports[`DashboardEmptyScreen renders correctly with readonly mode 1`] = `
      },
      "delete": [MockFunction],
      "externalUrl": Object {
+        "isInternalUrl": [MockFunction],
        "validateUrl": [MockFunction],
      },
      "fetch": [MockFunction],
@ -706,6 +708,7 @@ exports[`DashboardEmptyScreen renders correctly with view mode 1`] = `
      },
      "delete": [MockFunction],
      "externalUrl": Object {
+        "isInternalUrl": [MockFunction],
        "validateUrl": [MockFunction],
      },
      "fetch": [MockFunction],
--- a/src/plugins/home/public/application/components/snapshots/home.test.tsx.snap
+++ b/src/plugins/home/public/application/components/snapshots/home.test.tsx.snap
@ -396,6 +396,7 @@ exports[`home isNewKibanaInstance should set isNewKibanaInstance to true when th
          },
          "delete": [MockFunction],
          "externalUrl": Object {
+            "isInternalUrl": [MockFunction],
            "validateUrl": [MockFunction],
          },
          "fetch": [MockFunction],
@ -464,6 +465,7 @@ exports[`home isNewKibanaInstance should set isNewKibanaInstance to true when th
            },
            "delete": [MockFunction],
            "externalUrl": Object {
+              "isInternalUrl": [MockFunction],
              "validateUrl": [MockFunction],
            },
            "fetch": [MockFunction],
@ -533,6 +535,7 @@ exports[`home isNewKibanaInstance should set isNewKibanaInstance to true when th
          },
          "delete": [MockFunction],
          "externalUrl": Object {
+            "isInternalUrl": [MockFunction],
            "validateUrl": [MockFunction],
          },
          "fetch": [MockFunction],
--- a/src/plugins/saved_objects_management/public/management_section/objects_table/components/snapshots/flyout.test.tsx.snap
+++ b/src/plugins/saved_objects_management/public/management_section/objects_table/components/snapshots/flyout.test.tsx.snap
@ -182,6 +182,7 @@ exports[`Flyout conflicts should allow conflict resolution 2`] = `
          },
          "delete": [MockFunction],
          "externalUrl": Object {
+            "isInternalUrl": [MockFunction],
            "validateUrl": [MockFunction],
          },
          "fetch": [MockFunction],
--- a/src/plugins/telemetry_management_section/public/components/snapshots/telemetry_management_section.test.tsx.snap
+++ b/src/plugins/telemetry_management_section/public/components/snapshots/telemetry_management_section.test.tsx.snap
@ -280,6 +280,7 @@ exports[`TelemetryManagementSectionComponent renders null because allowChangingO
        },
        "delete": [MockFunction],
        "externalUrl": Object {
+          "isInternalUrl": [MockFunction],
          "validateUrl": [MockFunction],
        },
        "fetch": [MockFunction],
--- a/src/plugins/vis_types/vega/public/vega_view/vega_base_view.js
+++ b/src/plugins/vis_types/vega/public/vega_view/vega_base_view.js
@ -207,7 +207,7 @@ export class VegaBaseView {
    const vegaLoader = loader();
    const originalSanitize = vegaLoader.sanitize.bind(vegaLoader);
    vegaLoader.sanitize = async (uri, options) => {
-      if (uri.bypassToken === bypassToken) {
+      if (uri.bypassToken === bypassToken || this._externalUrl.isInternalUrl(uri)) {
        // If uri has a bypass token, the uri was encoded by bypassExternalUrlCheck() above.
        // because user can only supply pure JSON data structure.
        uri = uri.url;
--- a/x-pack/plugins/drilldowns/url_drilldown/public/lib/url_drilldown.test.ts
+++ b/x-pack/plugins/drilldowns/url_drilldown/public/lib/url_drilldown.test.ts
@ -68,6 +68,10 @@ const mockNavigateToUrl = jest.fn(() => Promise.resolve());
 class TextExternalUrl implements IExternalUrl {
  constructor(private readonly isCorrect: boolean = true) {}

+  public isInternalUrl(url: string): boolean {
+    return false;
+  }
+
  public validateUrl(url: string): URL | null {
    return this.isCorrect ? new URL(url) : null;
  }