ckaczor/azuredatastudio
1
0
Fork 0
mirror of https://github.com/ckaczor/azuredatastudio.git synced 2026-02-04 01:25:38 -05:00
Code Issues Packages Projects Releases Wiki Activity

Add allow list of valid notebook command uris (#163322) (#21701)

Browse Source 
* Add allow list of valid notebook command uris (#163322)

This restricts notebooks to run three command uris. These 3 commands should all be safe to run, even with untrusted inputs

* Fix incorrectly resolved merge conflict

Co-authored-by: Matt Bierner <matb@microsoft.com>
This commit is contained in:
Karl Burtram
2023-01-23 12:01:53 -08:00
committed by GitHub
parent cabe158f07
commit ac4afbec6c
1 changed files with 27 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
src/vs/workbench/contrib/notebook/browser/view/renderers/backLayerWebView.ts
View File

@@ -539,24 +539,8 @@ var requirejs = (function() {
return;
}
if (matchesScheme(link, Schemas.command)) {
const ret = /command\:workbench\.action\.openLargeOutput\?(.*)/.exec(link);
if (ret && ret.length === 2) {
const outputId = ret[1];
this.openerService.open(CellUri.generateCellOutputUri(this.documentUri, outputId));
return;
}
console.warn('Command links are deprecated and will be removed, use message passing instead: https://github.com/microsoft/vscode/issues/123601');
}
if (matchesScheme(link, Schemas.command)) {
if (this.workspaceTrustManagementService.isWorkspaceTrusted()) {
this.openerService.open(link, { fromUserGesture: true, allowContributedOpeners: true, allowCommands: true });
} else {
console.warn('Command links are disabled in untrusted workspaces');
}
} else if (matchesSomeScheme(link, Schemas.vscodeNotebookCell, Schemas.http, Schemas.https, Schemas.mailto)) {
this.openerService.open(link, { fromUserGesture: true, allowContributedOpeners: true, allowCommands: true });
if (matchesSomeScheme(link, Schemas.vscodeNotebookCell, Schemas.http, Schemas.https, Schemas.mailto)) {
this.openerService.open(link, { fromUserGesture: true, allowContributedOpeners: true, allowCommands: false });
}
}));
@@ -666,23 +650,35 @@ var requirejs = (function() {
}
case 'clicked-link': {
let linkToOpen: URI | string | undefined;
if (matchesScheme(data.href, Schemas.command)) {
const ret = /command\:workbench\.action\.openLargeOutput\?(.*)/.exec(data.href);
if (ret && ret.length === 2) {
const outputId = ret[1];
const group = this.editorGroupService.activeGroup;
if (group) {
if (group.activeEditor) {
group.pinEditor(group.activeEditor);
// We allow a very limited set of commands
const uri = URI.parse(data.href);
switch (uri.path) {
case 'workbench.action.openLargeOutput': {
const outputId = uri.query;
const group = this.editorGroupService.activeGroup;
if (group) {
if (group.activeEditor) {
group.pinEditor(group.activeEditor);
}
}
}
this.openerService.open(CellUri.generateCellOutputUri(this.documentUri, outputId));
return;
this.openerService.open(CellUri.generateCellOutputUri(this.documentUri, outputId));
return;
}
case 'github-issues.authNow':
case 'workbench.extensions.search':
case 'workbench.action.openSettings': {
this.openerService.open(data.href, { fromUserGesture: true, allowCommands: true });
return;
}
}
return;
}
if (matchesSomeScheme(data.href, Schemas.http, Schemas.https, Schemas.mailto, Schemas.command, Schemas.vscodeNotebookCell, Schemas.vscodeNotebook)) {
if (matchesSomeScheme(data.href, Schemas.http, Schemas.https, Schemas.mailto, Schemas.vscodeNotebookCell, Schemas.vscodeNotebook)) {
linkToOpen = data.href;
} else if (!/^[\w\-]+:/.test(data.href)) {
if (this.documentUri.scheme === Schemas.untitled) {
@@ -711,7 +707,7 @@ var requirejs = (function() {
}
if (linkToOpen) {
this.openerService.open(linkToOpen, { fromUserGesture: true, allowCommands: true });
this.openerService.open(linkToOpen, { fromUserGesture: true, allowCommands: false });
}
break;
}