Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

IBX-7044: Added dynamic route to settings submit form #72

Open
wants to merge 8 commits into
base: 4.6
Choose a base branch
from

Conversation

Gengar-i
Copy link
Contributor

@Gengar-i Gengar-i commented Feb 14, 2024

Question Answer
Tickets IBX-7044
Bug fix? yes
New feature? no
BC breaks? no
Tests pass? yes
Doc needed? no
License GPL-2.0

Suggestion of solution.
Added dynamic route to settings submit form
I know passing url breaks security and it suppose to be done differently.

Checklist:

  • Implement tests
  • Coding standards ($ composer fix-cs)

@Gengar-i Gengar-i requested a review from a team February 14, 2024 14:04
@@ -112,6 +112,19 @@ public function updateAction(Request $request, UpdateView $view)
]);
}

if ($request->query->has('route')) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Where this route param is populated?

Also, I guess return url being part of form make more sense.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would suggest, at least, to change route name parameter as it really confusing. How abour return_route_name?
Not sure about it, but what about generating that whole URL in js, and just pass it here instead of route with params?
@dew326

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think both solutions are valid. If you think it will be cleaner that way I'm ok with that change.

@ViniTou ViniTou requested a review from a team February 19, 2024 07:21
@Gengar-i Gengar-i requested a review from ViniTou March 1, 2024 12:41
@Gengar-i Gengar-i force-pushed the ibx-7044-redirect-after-settings-update branch from 51617d9 to 6f36183 Compare March 13, 2024 11:15
@Gengar-i Gengar-i changed the base branch from main to 4.6 March 15, 2024 09:04
@Gengar-i Gengar-i force-pushed the ibx-7044-redirect-after-settings-update branch from a072b77 to 6f36183 Compare March 18, 2024 09:35
@Gengar-i Gengar-i requested a review from dew326 March 18, 2024 09:35
@Gengar-i
Copy link
Contributor Author

@alongosz Pointed possible danger while sending whole url to backend. So I stay with solution while passing route with parameters, which is safer solution.

@Gengar-i Gengar-i requested a review from alongosz March 18, 2024 09:44
@alongosz
Copy link
Member

@alongosz Pointed possible danger while sending whole url to backend. So I stay with solution while passing route with parameters, which is safer solution.

The point there was rather to sanitize input and/or attach path & query part to the current request. Now we might have different bug. What would happen if you pass existing route name different than expected, which has different parameters?

@Gengar-i Gengar-i requested a review from a team April 4, 2024 10:15
@Steveb-p
Copy link
Contributor

Steveb-p commented Apr 9, 2024

@alongosz Pointed possible danger while sending whole url to backend. So I stay with solution while passing route with parameters, which is safer solution.

The point there was rather to sanitize input and/or attach path & query part to the current request. Now we might have different bug. What would happen if you pass existing route name different than expected, which has different parameters?

I agree with Alongosz here, @Gengar-i. Route has to be checked before redirection - that it exists and can be created with those route parameters. You could fall back to a default redirect if they do not.

Copy link

sonarqubecloud bot commented Apr 9, 2024

Quality Gate Passed Quality Gate passed

Issues
2 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

@micszo
Copy link
Contributor

micszo commented Jul 9, 2024

@webhdx @dew326 do we consider review here sufficient? first PR (aui) was already sent to the next stage

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants