Fixes #27145: Creating global parameter with change-validation enabled leads to 404 #6490
Conversation
|
Commit modified |
cdf500a to
9512453
Compare
clarktsiory
left a comment
There was a problem hiding this comment.
LGTM on the IOResult refactoring, only the link util require some change
| def redirectToChangeRequestLink(id: ChangeRequestId, contextPath: String = S.contextPath): JsCmd = { | ||
| if (S.contextPath == "") { | ||
| RedirectTo(s"${contextPath}${baseChangeRequestLink(id)}") | ||
| } else { | ||
| RedirectTo(baseChangeRequestLink(id)) | ||
| } | ||
|
|
||
| } |
There was a problem hiding this comment.
I don't see why there is a check on the default value S.contextPath : when we pass an explicit contextPath then it means that we want to always use it, and not only when there is a issue leading to an empty one...
So it could be simplified to RedirectTo(changeRequestLink(id, contextPath))
And I'm not even sure that S.contextPath == "" is disallowed, in a server with only a single webapp
There was a problem hiding this comment.
alas, RedirectTo automatically adds the context path as a prefix when S.contextPath is set , i.e. calling RedirectTo(changeRequestLink(id)) when S.contextPath is set would return something that starts with rudder/rudder/...
I agree that this solution is not the most elegant ; could there be another way to do this ?
There was a problem hiding this comment.
So, to keep the API of the link utils look predictable, I suggest to redefine another RedirectTo that skips the check on the context path, since the issue is that the current one adds the context path wrt some logic, and because we don't want that logic when we pass an explicit contextPath.
It would then end up into :
if (S.contextPath != contextPath) {
RedirectToStrict(s"${contextPath}${baseChangeRequestLink(id)}")
} else {
RedirectTo(baseChangeRequestLink(id))
}if I'm not mistaken
9512453 to
bb87d31
Compare
|
Commit modified |
| case class RedirectToFullPath(where: String) extends JsCmd { | ||
| override def toJsCmd: String = s"window.location = \"${where}\" ;" | ||
| } |
There was a problem hiding this comment.
if used in with other IDs which are mostly strings, this has some XSS vulnerability because the location is not escaped.
So it should keep the same security guards as in the Lift code with encJs
|
Commit modified |
bb87d31 to
132e291
Compare
clarktsiory
left a comment
There was a problem hiding this comment.
LGTM, this is likely to happen in other places due to progress in migrating away from Lift
|
This PR is not mergeable to upper versions. |
|
OK, merging this PR |
https://issues.rudder.io/issues/27145
This bug seems to occur because of the Lift and ZIO environments interfere with each other - in particular, the calls to
zio.runNowseem to reset the value Lift environment variables.This kind of bug is sometimes resolved by removing calls to
runNowthat precede references to Lift parameters, but it did not work this time - these changes are still kept because they still eliminate potential errors of the same kind.In the end, the fix in this case seems to require explicitly passing a context path argument in case the
S.contextPathhas been reset.