strip query params when added to route in client linkmanager navigate #2387

Closed
hardl opened this issue Nov 18, 2021 · 0 comments · Fixed by #2393
security/high Related to CVSSv3 security rating https://www.first.org/cvss/calculator/3.0
Comments

hardl commented Nov 18, 2021

a micro frontend should not be able to control search query parameters unless it has permissions to do so (https://docs.luigi-project.io/docs/navigation-parameters-reference/?section=clientpermissionsurlparameters).

But currently it seems to be possible to call:
linkManager().navigate('/some/path?someParam=someValue') and the param is added to the main app's URL.
This must be prevented!

-> Encode values of withParams()
linkManager().withParams({bar: "test&t=foo"}).navigate("/search/components") will navigate to /search/components?~bar=test&t=foo.
-> Encode values of addCoreSearchParams()

Expected: In both cases Luigi core encodes the parameters correctly

@hardl hardl added the security/high Related to CVSSv3 security rating https://www.first.org/cvss/calculator/3.0 label Nov 18, 2021
@hardl hardl added this to the Sprint 22 milestone Nov 18, 2021
@JohannesDoberer JohannesDoberer self-assigned this Nov 18, 2021
@JohannesDoberer JohannesDoberer added WIP Work in progress and removed WIP Work in progress labels Nov 24, 2021
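As an added illustration (not Luigi's own code), the two behaviours reported above side by side with a hardened URL builder: the `~` prefix for client-supplied params is taken from the issue's example URL, while the function names and the plain string-concatenation shape of the unsafe version are assumptions for the demo.

```javascript
// Constructed demo, not Luigi's implementation. Luigi prefixes client params
// with "~" (seen in the issue's example URL); the rest is assumed.
const CLIENT_PARAM_PREFIX = '~';

// Unsafe shape matching the two bugs in the issue: the path is used as-is, so
// "?someParam=someValue" inside it reaches the main app's URL, and values are
// concatenated raw, so "test&t=foo" turns into a second parameter "t".
function buildUrlUnsafe(path, params) {
  const query = Object.entries(params)
    .map(([k, v]) => `${CLIENT_PARAM_PREFIX}${k}=${v}`)
    .join('&');
  return query ? `${path}?${query}` : path;
}

// Hardened shape: drop any query string or fragment the micro frontend put in
// the path, then percent-encode key and value so a value cannot introduce
// extra parameters. encodeURIComponent leaves "~" untouched, so the prefix
// survives intact.
function buildUrlSafe(path, params) {
  const cleanPath = path.split(/[?#]/)[0];
  const query = Object.entries(params)
    .map(([k, v]) =>
      `${encodeURIComponent(CLIENT_PARAM_PREFIX + k)}=${encodeURIComponent(String(v))}`)
    .join('&');
  return query ? `${cleanPath}?${query}` : cleanPath;
}

// Parse the query back the way a browser would, to make the effect visible.
function parseQuery(url) {
  const idx = url.indexOf('?');
  const out = {};
  if (idx === -1) return out;
  for (const [k, v] of new URLSearchParams(url.slice(idx + 1))) out[k] = v;
  return out;
}

console.log(buildUrlUnsafe('/search/components', { bar: 'test&t=foo' }));
console.log(buildUrlSafe('/search/components', { bar: 'test&t=foo' }));
console.log(buildUrlSafe('/some/path?someParam=someValue', {}));
```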