Soft validation on environment external URL
What does this MR do and why?
Currently, many deployment jobs fail to update an environment because of an invalid `environment:url` parameter. We discussed this in the issue and agreed that relaxing the backend validation at persistence time is the best way to resolve these errors. This MR removes the `AddressableUrlValidator` from the environment URL validation. The change is behind the feature flag `soft_validation_on_external_url`, which is disabled by default.
Since arbitrary text can now be persisted into the `environments.external_url` column, and this column is displayed in the UI as a clickable link, we have to make sure this does not expose an XSS vulnerability.
A few notes:
- For more information, please see the issue description
- GitLab's XSS guidelines.
- Where the Environment URLs are displayed.
- Links in Blob and Diff views.
Screenshots or screen recordings
See Appendix: The places to consume the external URL of environments for the tested pages.

- ✅ Environment Dashboard
- 🔴 Web terminals
- ✅ MR Widgets
- ✅ Environment index page
- ✅ Environment detail page
- ✅ Environment create/edit page
- 🔴 Diff/Blob/Commit page
How to set up and validate locally
- Enable the feature flag: `Feature.enable(:soft_validation_on_external_url)`
- Create a project with the following `.gitlab-ci.yml`:

```yaml
build:
  script: echo
  environment:
    name: prod
    url: javascript:alert("hello")
```

- Execute the deployment job with GitLab Runner.
- Visit "Deployments > Environments".
- Click the "Open" button, or visit the "prod" environment and click the "View deployment" button.
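The XSS concern described above and the `javascript:alert("hello")` test case come down to one rule: once the persistence-time validator is relaxed, any string may be stored, so the rendering layer must decide what becomes an href. The Ruby helper below is an added example for illustration; it is not GitLab's own code nor the implementation in this MR. The function names `safe_external_url` and `external_url_html`, the `SAFE_LINK_SCHEMES` allowlist and the `SAMPLE_URLS` inputs are assumptions constructed for this example.

```ruby
# Added example (not GitLab's code): render a persisted environments.external_url
# value safely. Any string may be stored once AddressableUrlValidator is removed,
# so the rendering layer, not the model, must decide what becomes a clickable link.
require 'uri'
require 'cgi'

# Only these schemes are ever turned into an href. javascript:, data:,
# vbscript: and scheme-relative (//host) values fall through to plain text.
SAFE_LINK_SCHEMES = %w[http https].freeze

# Returns a trimmed URL string when it is safe to use as an href, else nil.
def safe_external_url(raw)
  return nil if raw.nil?

  value = raw.strip
  # Browsers skip ASCII control characters when reading a scheme, so
  # "java\tscript:" would still execute; refuse anything containing them.
  return nil if value.empty? || value.match?(/[[:cntrl:]]/)

  uri = URI.parse(value)
  return nil unless uri.scheme && SAFE_LINK_SCHEMES.include?(uri.scheme.downcase)
  return nil if uri.host.nil? || uri.host.empty?

  value
rescue URI::InvalidURIError
  # Values the strict validator used to reject (odd characters, unexpanded
  # variables) are displayed but never linked.
  nil
end

# HTML for the UI: an anchor when the value is a safe link, otherwise the
# escaped raw text so the user still sees what was persisted, but it is inert.
def external_url_html(raw)
  text = CGI.escapeHTML(raw.to_s)
  href = safe_external_url(raw)
  return text unless href

  %(<a href="#{CGI.escapeHTML(href)}" target="_blank" rel="noopener noreferrer">#{text}</a>)
end

# Constructed sample values covering the MR's test case and nearby bypasses.
SAMPLE_URLS = [
  'https://prod.example.com/app',
  ' http://localhost:3000 ',
  'javascript:alert("hello")',
  'JavaScript:alert(1)',
  "java\tscript:alert(1)",
  'data:text/html,<script>alert(1)</script>',
  '//evil.example/path',
  'example.com/without/scheme'
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_URLS.each do |url|
    puts "#{url.inspect} => #{external_url_html(url)}"
  end
end
```

The point of keeping the allowlist in the rendering helper rather than in the model is that every consumer listed in the appendix (serializers, HAML views, Vue components) then makes the same decision; the frontend components that receive `external_url` from a serializer need an equivalent check before binding it to `href`.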
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Appendix: The places to consume the external URL of environments
Page | Source | Process | Comment |
---|---|---|---|
Environment Dashboard | `ee/app/serializers/dashboard_environment_entity.rb`, `ee/app/assets/javascripts/environments_dashboard/components/dashboard/environment_header.vue` | Render external URL as a link | |
Web terminals | `app/views/projects/environments/terminal.html.haml` | Render external URL as a link | |
MR Widgets | `app/serializers/environment_status_entity.rb`, `app/assets/javascripts/vue_merge_request_widget/components/deployment/deployment_view_button.vue` | Render external URL as a link | |
Environment index page | `app/serializers/environment_entity.rb`, `app/assets/javascripts/environments/components/environment_item.vue`, `app/assets/javascripts/environments/components/environment_external_url.vue`, `app/assets/javascripts/environments/components/new_environment_item.vue` | Render external URL as a link | |
Environment detail page | `app/helpers/environment_helper.rb`, `app/assets/javascripts/environments/components/environment_external_url.vue`, `app/assets/javascripts/environments/mount_show.js` | Render external URL as a link | |
Environment create/edit page | `app/helpers/environments_helper.rb`, `app/assets/javascripts/environments/components/new_environment.vue`, `app/assets/javascripts/environments/components/environment_form.vue`, `app/assets/javascripts/environments/components/edit_environment.vue` | Render external URL as a link | |
Diff/Blob/Commit page | `app/serializers/diff_file_base_entity.rb`, `app/assets/javascripts/diffs/components/diff_file_header.vue`, `app/helpers/commits_helper.rb` | Render external URL as a link | On the Blob page, you must disable the `refactor_blob_viewer` feature flag. |
Public API (CLI) | `lib/api/entities/environment_basic.rb`, `lib/api/environments.rb` | Get/set external URLs of environments. | |
Pipeline jobs (Predefined variable) | `app/models/ci/build.rb` | Expose `CI_ENVIRONMENT_URL` to pipeline jobs | |