Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Web UI #634

Open
wants to merge 86 commits into
base: main
Choose a base branch
from
Open

Web UI #634

wants to merge 86 commits into from

Conversation

hasan7n
Copy link
Contributor

@hasan7n hasan7n commented Dec 21, 2024
edited
Loading

Comments/discussions to check:

To be merged before merging to main: #618, which depends on #615

VukW added 30 commits July 11, 2024 10:34
@VukW
added fastapi as web ui backend
040d446
@VukW
Added cube + benchmark basic listing
97e6bd7
@VukW
Adds navigation
0382684
@VukW
Aded mlcube detailed page
55fe60e
@VukW
Improved mlcubes detailed layout
fb1bca3
@VukW
Improved mlcube layout
64cf53e
@VukW
yaml displaying
36611e1
@VukW
yaml: spinner
56fa5c4
@VukW
yaml panel improvement
8563887
@VukW
yaml panel layout improvement
07ce4ab
@VukW
layout fixes
b260401
@VukW
Added benchmark detailed page
b7980a8
@VukW
added links to mlcube
ca356cc
@VukW
benchmark page: added owner
6efd724
@VukW
Colors refactoring
319b1bf
@VukW
Dataset detailed page
58008f3
@VukW
Forgot to add js file
375d89e
@VukW
Unified data format for all data fields automatically
c6d8a56
@VukW
(mlcube-detailed) Display image tarball and additional files always
74f7743
@VukW
Fixed scrolling and reinvented basic page layout
b312882
@VukW
Fix navbar is hiding
0e282cb
@VukW
Make templates & static files independent of user's workdir
6b28ebb
@VukW
Added error handling
881b281
@VukW
Display invalid entities correctly
e28107b
@VukW
Added invalid entities highlighting + badges
5b718eb
@VukW
Added benchmark associations
0f95027
@VukW
Improved association panel style
444786e
@VukW
Added association card
e273577
@VukW
Sorted associations by status / timestamp
eea1e77
@VukW
Sorted mlcubes and datasets: mine first
7b68911
aristizabal95 and others added 26 commits October 8, 2024 16:31
@aristizabal95
Pass mlcube params instead of url
1384b21
@aristizabal95
Pass mlcube parameters to fetch-yaml
64d8b3c
@VukW
Merge pull request #9 from aristizabal95/web-ui-fetch-yaml
7d6f01a 
Web UI fetch yaml
@VukW
Merge remote-tracking branch 'personal/web-ui' into web-ui-dataset
015354e 
# Conflicts:
#	cli/medperf/web_ui/yaml_fetch/routes.py
@VukW
Added dataset report + refactored yaml panel styles
96362de
@VukW
linter fix
b3c81c1
@VukW
Backend for running bmk over dataset in background
43d2b77
@VukW
Added FE for model run
75f9c5c
@VukW
bugfix: mark last stage as completed also
f2ddd62
@VukW
Redesigned dataset run page
df0e2c2
@VukW
bugfix
e082cec
@VukW
Restyled model list
4926f07
@VukW
Updated models list layout
4b45f49
@VukW
Restyled models list
35ded73
@VukW
Restyled the run buttons
2ab585d
@VukW
Added "Running" state
a7fdd52
@VukW
"Run all" button
d9d2932
@VukW
removed unused code
397aed4
@VukW
minor bugfixes
7780bc0
@VukW
Result submission
7d20e31
@VukW
bugfix: status was passed wrongly if result is submitted (as draft is…
2a1d55d 
… not updated)
@VukW
Auth by security token
48e388e
@VukW
Restyled dataset pipeline buttons
23908f5
@mhmdk0
Merge remote-tracking branch 'origin/main' into webui-dataset
020da3e
@hasan7n
Merge remote-tracking branch 'upstream/main' into web-ui
e59d877
@hasan7n
Merge remote-tracking branch 'upstream/web-ui' into webui-dataset
88c5eb0
@hasan7n hasan7n requested a review from a team as a code owner December 21, 2024 21:09
@hasan7n hasan7n requested a deployment to testing-external-code December 21, 2024 21:09 — with GitHub Actions Waiting
@github-actions GitHub Actions
Copy link
Contributor

MLCommons CLA bot:
Thank you very much for your submission, we really appreciate it. Before we can accept your contribution, we ask that you sign the MLCommons CLA (Apache 2). Please use this [Google form] (https://forms.gle/Ew1KkBVpyeJDuRw67) to initiate authorization. If you are from an MLCommons member organization, we will request that you be added to the CLA. If you are not from a member organization, we will email you a CLA to sign. For any questions, please contact [email protected].
3 out of 4 committers have signed the MLCommons CLA.
@aristizabal95
@mhmdk0
@hasan7n
@VukW
You can retrigger this bot by commenting recheck in this Pull Request

github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 21, 2024
View reviewed changes
cli/medperf/web_ui/api/routes.py
full_path = os.path.join(BASE_DIR, path)
os.path.join(BASE_DIR, path)

if not os.path.exists(full_path) or not os.path.isdir(full_path):

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression High

This path depends on a
user-provided value
Loading
.

Copilot Autofix AI 22 days ago

To fix the problem, we need to ensure that the full_path is normalized before performing any checks. This will remove any ".." segments and ensure that the path is correctly contained within the BASE_DIR. We will use os.path.normpath to normalize the path and then check if the normalized path starts with the BASE_DIR.

Suggested changeset 1
cli/medperf/web_ui/api/routes.py

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/cli/medperf/web_ui/api/routes.py b/cli/medperf/web_ui/api/routes.py
--- a/cli/medperf/web_ui/api/routes.py
+++ b/cli/medperf/web_ui/api/routes.py
@@ -18,11 +18,10 @@
 ):
-    full_path = os.path.join(BASE_DIR, path)
-    os.path.join(BASE_DIR, path)
-
-    if not os.path.exists(full_path) or not os.path.isdir(full_path):
-        raise HTTPException(status_code=404, detail="Directory not found")
-
-    # Ensure path is within the base directory
-    if not os.path.commonpath([BASE_DIR, full_path]).startswith(BASE_DIR):
-        raise HTTPException(status_code=403, detail="Access denied")
+    full_path = os.path.normpath(os.path.join(BASE_DIR, path))
+
+    # Ensure path is within the base directory
+    if not full_path.startswith(BASE_DIR):
+        raise HTTPException(status_code=403, detail="Access denied")
+
+    if not os.path.exists(full_path) or not os.path.isdir(full_path):
+        raise HTTPException(status_code=404, detail="Directory not found")
 
EOF
@@ -18,11 +18,10 @@
):
full_path = os.path.join(BASE_DIR, path)
os.path.join(BASE_DIR, path)

if not os.path.exists(full_path) or not os.path.isdir(full_path):
raise HTTPException(status_code=404, detail="Directory not found")

# Ensure path is within the base directory
if not os.path.commonpath([BASE_DIR, full_path]).startswith(BASE_DIR):
raise HTTPException(status_code=403, detail="Access denied")
full_path = os.path.normpath(os.path.join(BASE_DIR, path))

# Ensure path is within the base directory
if not full_path.startswith(BASE_DIR):
raise HTTPException(status_code=403, detail="Access denied")

if not os.path.exists(full_path) or not os.path.isdir(full_path):
raise HTTPException(status_code=404, detail="Directory not found")

Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
cli/medperf/web_ui/api/routes.py
full_path = os.path.join(BASE_DIR, path)
os.path.join(BASE_DIR, path)

if not os.path.exists(full_path) or not os.path.isdir(full_path):

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression High

This path depends on a
user-provided value
Loading
.

Copilot Autofix AI 22 days ago

To fix the problem, we need to ensure that the full_path is normalized before checking if it is within the BASE_DIR. This can be done using os.path.normpath to remove any ".." segments that could allow directory traversal. After normalizing the path, we should check if it starts with the BASE_DIR.

  1. Normalize the full_path using os.path.normpath.
  2. Check if the normalized full_path starts with BASE_DIR to ensure it is within the base directory.
  3. Update the existing checks to use the normalized path.
Suggested changeset 1
cli/medperf/web_ui/api/routes.py

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/cli/medperf/web_ui/api/routes.py b/cli/medperf/web_ui/api/routes.py
--- a/cli/medperf/web_ui/api/routes.py
+++ b/cli/medperf/web_ui/api/routes.py
@@ -18,11 +18,9 @@
 ):
-    full_path = os.path.join(BASE_DIR, path)
-    os.path.join(BASE_DIR, path)
-
-    if not os.path.exists(full_path) or not os.path.isdir(full_path):
-        raise HTTPException(status_code=404, detail="Directory not found")
-
-    # Ensure path is within the base directory
-    if not os.path.commonpath([BASE_DIR, full_path]).startswith(BASE_DIR):
-        raise HTTPException(status_code=403, detail="Access denied")
+    full_path = os.path.normpath(os.path.join(BASE_DIR, path))
+
+    if not full_path.startswith(BASE_DIR):
+        raise HTTPException(status_code=403, detail="Access denied")
+
+    if not os.path.exists(full_path) or not os.path.isdir(full_path):
+        raise HTTPException(status_code=404, detail="Directory not found")
 
EOF
@@ -18,11 +18,9 @@
):
full_path = os.path.join(BASE_DIR, path)
os.path.join(BASE_DIR, path)

if not os.path.exists(full_path) or not os.path.isdir(full_path):
raise HTTPException(status_code=404, detail="Directory not found")

# Ensure path is within the base directory
if not os.path.commonpath([BASE_DIR, full_path]).startswith(BASE_DIR):
raise HTTPException(status_code=403, detail="Access denied")
full_path = os.path.normpath(os.path.join(BASE_DIR, path))

if not full_path.startswith(BASE_DIR):
raise HTTPException(status_code=403, detail="Access denied")

if not os.path.exists(full_path) or not os.path.isdir(full_path):
raise HTTPException(status_code=404, detail="Directory not found")

Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
cli/medperf/web_ui/api/routes.py

# List directories inside the path
folders = []
for item in os.listdir(full_path):

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression High

This path depends on a
user-provided value
Loading
.

Copilot Autofix AI 22 days ago

To fix the problem, we need to ensure that the full_path is properly validated and sanitized before it is used in any file system operations. The best way to do this is to normalize the path using os.path.normpath and then check that the normalized path starts with the BASE_DIR. This will prevent any path traversal attacks and ensure that the path is within the intended directory.

Suggested changeset 1
cli/medperf/web_ui/api/routes.py

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/cli/medperf/web_ui/api/routes.py b/cli/medperf/web_ui/api/routes.py
--- a/cli/medperf/web_ui/api/routes.py
+++ b/cli/medperf/web_ui/api/routes.py
@@ -18,11 +18,10 @@
 ):
-    full_path = os.path.join(BASE_DIR, path)
-    os.path.join(BASE_DIR, path)
-
-    if not os.path.exists(full_path) or not os.path.isdir(full_path):
-        raise HTTPException(status_code=404, detail="Directory not found")
-
-    # Ensure path is within the base directory
-    if not os.path.commonpath([BASE_DIR, full_path]).startswith(BASE_DIR):
-        raise HTTPException(status_code=403, detail="Access denied")
+    full_path = os.path.normpath(os.path.join(BASE_DIR, path))
+
+    # Ensure path is within the base directory
+    if not full_path.startswith(BASE_DIR):
+        raise HTTPException(status_code=403, detail="Access denied")
+
+    if not os.path.exists(full_path) or not os.path.isdir(full_path):
+        raise HTTPException(status_code=404, detail="Directory not found")
 
EOF
@@ -18,11 +18,10 @@
):
full_path = os.path.join(BASE_DIR, path)
os.path.join(BASE_DIR, path)

if not os.path.exists(full_path) or not os.path.isdir(full_path):
raise HTTPException(status_code=404, detail="Directory not found")

# Ensure path is within the base directory
if not os.path.commonpath([BASE_DIR, full_path]).startswith(BASE_DIR):
raise HTTPException(status_code=403, detail="Access denied")
full_path = os.path.normpath(os.path.join(BASE_DIR, path))

# Ensure path is within the base directory
if not full_path.startswith(BASE_DIR):
raise HTTPException(status_code=403, detail="Access denied")

if not os.path.exists(full_path) or not os.path.isdir(full_path):
raise HTTPException(status_code=404, detail="Directory not found")

Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
cli/medperf/web_ui/api/routes.py
folders = []
for item in os.listdir(full_path):
item_path = os.path.join(full_path, item)
if os.path.isdir(item_path):

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression High

This path depends on a
user-provided value
Loading
.

Copilot Autofix AI 22 days ago

To fix the problem, we need to ensure that the full_path is normalized before checking if it is within the BASE_DIR. This can be done using os.path.normpath to remove any ".." segments and ensure the path is safe. Additionally, we should ensure that the item_path is also validated properly.

  1. Normalize the full_path using os.path.normpath.
  2. Check if the normalized full_path starts with BASE_DIR.
  3. Ensure that item_path is also validated properly.
Suggested changeset 1
cli/medperf/web_ui/api/routes.py

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/cli/medperf/web_ui/api/routes.py b/cli/medperf/web_ui/api/routes.py
--- a/cli/medperf/web_ui/api/routes.py
+++ b/cli/medperf/web_ui/api/routes.py
@@ -18,18 +18,17 @@
 ):
-    full_path = os.path.join(BASE_DIR, path)
-    os.path.join(BASE_DIR, path)
-
-    if not os.path.exists(full_path) or not os.path.isdir(full_path):
-        raise HTTPException(status_code=404, detail="Directory not found")
-
-    # Ensure path is within the base directory
-    if not os.path.commonpath([BASE_DIR, full_path]).startswith(BASE_DIR):
-        raise HTTPException(status_code=403, detail="Access denied")
-
-    # List directories inside the path
-    folders = []
-    for item in os.listdir(full_path):
-        item_path = os.path.join(full_path, item)
-        if os.path.isdir(item_path):
-            folders.append({"name": item, "path": os.path.relpath(item_path, BASE_DIR)})
+    full_path = os.path.normpath(os.path.join(BASE_DIR, path))
+
+    if not os.path.exists(full_path) or not os.path.isdir(full_path):
+        raise HTTPException(status_code=404, detail="Directory not found")
+
+    # Ensure path is within the base directory
+    if not full_path.startswith(BASE_DIR):
+        raise HTTPException(status_code=403, detail="Access denied")
+
+    # List directories inside the path
+    folders = []
+    for item in os.listdir(full_path):
+        item_path = os.path.normpath(os.path.join(full_path, item))
+        if item_path.startswith(full_path) and os.path.isdir(item_path):
+            folders.append({"name": item, "path": os.path.relpath(item_path, BASE_DIR)})
 
EOF
@@ -18,18 +18,17 @@
):
full_path = os.path.join(BASE_DIR, path)
os.path.join(BASE_DIR, path)

if not os.path.exists(full_path) or not os.path.isdir(full_path):
raise HTTPException(status_code=404, detail="Directory not found")

# Ensure path is within the base directory
if not os.path.commonpath([BASE_DIR, full_path]).startswith(BASE_DIR):
raise HTTPException(status_code=403, detail="Access denied")

# List directories inside the path
folders = []
for item in os.listdir(full_path):
item_path = os.path.join(full_path, item)
if os.path.isdir(item_path):
folders.append({"name": item, "path": os.path.relpath(item_path, BASE_DIR)})
full_path = os.path.normpath(os.path.join(BASE_DIR, path))

if not os.path.exists(full_path) or not os.path.isdir(full_path):
raise HTTPException(status_code=404, detail="Directory not found")

# Ensure path is within the base directory
if not full_path.startswith(BASE_DIR):
raise HTTPException(status_code=403, detail="Access denied")

# List directories inside the path
folders = []
for item in os.listdir(full_path):
item_path = os.path.normpath(os.path.join(full_path, item))
if item_path.startswith(full_path) and os.path.isdir(item_path):
folders.append({"name": item, "path": os.path.relpath(item_path, BASE_DIR)})

Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
cli/medperf/web_ui/login.py
# Check if user is already authenticated
if token == security_token:
# User is already authenticated, redirect to original URL
return RedirectResponse(url=redirect_url, status_code=status.HTTP_302_FOUND)

Check warning

Code scanning / CodeQL

URL redirection from remote source Medium

Untrusted URL redirection depends on a
user-provided value
Loading
.

Copilot Autofix AI 22 days ago

To fix the problem, we need to validate the redirect_url parameter to ensure it does not contain an explicit host name, which could lead to open redirect vulnerabilities. We can use the urlparse function from the Python standard library to parse the URL and check that the netloc attribute is empty. Additionally, we should replace backslashes with forward slashes to handle cases where browsers accept backslashes as equivalent to forward slashes.

We will make changes to the login_form and login functions to include this validation.

Suggested changeset 1
cli/medperf/web_ui/login.py

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/cli/medperf/web_ui/login.py b/cli/medperf/web_ui/login.py
--- a/cli/medperf/web_ui/login.py
+++ b/cli/medperf/web_ui/login.py
@@ -1,3 +1,4 @@
-from fastapi import Request, Form, APIRouter, status, Security
-from fastapi.responses import HTMLResponse, RedirectResponse
+from fastapi import Request, Form, APIRouter, status, Security
+from fastapi.responses import HTMLResponse, RedirectResponse
+from urllib.parse import urlparse
 
@@ -13,9 +14,12 @@
     request: Request,
-    redirect_url: str = "/",
-    token: str = Security(api_key_cookie)
-):
-    # Check if user is already authenticated
-    if token == security_token:
-        # User is already authenticated, redirect to original URL
-        return RedirectResponse(url=redirect_url, status_code=status.HTTP_302_FOUND)
+    redirect_url: str = "/",
+    token: str = Security(api_key_cookie)
+):
+    # Validate redirect_url
+    redirect_url = redirect_url.replace('\\', '/')
+    if not urlparse(redirect_url).netloc and not urlparse(redirect_url).scheme:
+        # Check if user is already authenticated
+        if token == security_token:
+            # User is already authenticated, redirect to original URL
+            return RedirectResponse(url=redirect_url, status_code=status.HTTP_302_FOUND)
     else:
@@ -32,8 +36,11 @@
         token: str = Form(...),
-        redirect_url: str = Form("/"),
-):
-    if token == security_token:
-        response = RedirectResponse(url=redirect_url, status_code=status.HTTP_302_FOUND)
-        response.set_cookie(key=AUTH_COOKIE_NAME, value=token)
-        return response
+        redirect_url: str = Form("/"),
+):
+    # Validate redirect_url
+    redirect_url = redirect_url.replace('\\', '/')
+    if not urlparse(redirect_url).netloc and not urlparse(redirect_url).scheme:
+        if token == security_token:
+            response = RedirectResponse(url=redirect_url, status_code=status.HTTP_302_FOUND)
+            response.set_cookie(key=AUTH_COOKIE_NAME, value=token)
+            return response
     else:
EOF
@@ -1,3 +1,4 @@
from fastapi import Request, Form, APIRouter, status, Security
from fastapi.responses import HTMLResponse, RedirectResponse
from fastapi import Request, Form, APIRouter, status, Security
from fastapi.responses import HTMLResponse, RedirectResponse
from urllib.parse import urlparse

@@ -13,9 +14,12 @@
request: Request,
redirect_url: str = "/",
token: str = Security(api_key_cookie)
):
# Check if user is already authenticated
if token == security_token:
# User is already authenticated, redirect to original URL
return RedirectResponse(url=redirect_url, status_code=status.HTTP_302_FOUND)
redirect_url: str = "/",
token: str = Security(api_key_cookie)
):
# Validate redirect_url
redirect_url = redirect_url.replace('\\', '/')
if not urlparse(redirect_url).netloc and not urlparse(redirect_url).scheme:
# Check if user is already authenticated
if token == security_token:
# User is already authenticated, redirect to original URL
return RedirectResponse(url=redirect_url, status_code=status.HTTP_302_FOUND)
else:
@@ -32,8 +36,11 @@
token: str = Form(...),
redirect_url: str = Form("/"),
):
if token == security_token:
response = RedirectResponse(url=redirect_url, status_code=status.HTTP_302_FOUND)
response.set_cookie(key=AUTH_COOKIE_NAME, value=token)
return response
redirect_url: str = Form("/"),
):
# Validate redirect_url
redirect_url = redirect_url.replace('\\', '/')
if not urlparse(redirect_url).netloc and not urlparse(redirect_url).scheme:
if token == security_token:
response = RedirectResponse(url=redirect_url, status_code=status.HTTP_302_FOUND)
response.set_cookie(key=AUTH_COOKIE_NAME, value=token)
return response
else:
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
cli/medperf/web_ui/login.py
redirect_url: str = Form("/"),
):
if token == security_token:
response = RedirectResponse(url=redirect_url, status_code=status.HTTP_302_FOUND)

Check warning

Code scanning / CodeQL

URL redirection from remote source Medium

Untrusted URL redirection depends on a
user-provided value
Loading
.

Copilot Autofix AI 22 days ago

To fix the problem, we need to validate the redirect_url parameter to ensure it does not contain an explicit host name, which could lead to an open redirect vulnerability. We can use the urlparse function from the Python standard library to parse the URL and check that the netloc attribute is empty. Additionally, we should replace backslashes with forward slashes to handle browser quirks.

  1. Import the urlparse function from the urllib.parse module.
  2. Replace backslashes in the redirect_url with forward slashes.
  3. Check that the netloc attribute of the parsed URL is empty.
  4. If the redirect_url is not valid, redirect to a default safe URL (e.g., "/").
Suggested changeset 1
cli/medperf/web_ui/login.py

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/cli/medperf/web_ui/login.py b/cli/medperf/web_ui/login.py
--- a/cli/medperf/web_ui/login.py
+++ b/cli/medperf/web_ui/login.py
@@ -1,49 +1,51 @@
-from fastapi import Request, Form, APIRouter, status, Security
-from fastapi.responses import HTMLResponse, RedirectResponse
-
-from medperf.web_ui.auth import security_token, AUTH_COOKIE_NAME
-from medperf.web_ui.common import templates, api_key_cookie
-
-router = APIRouter()
-
-
-# Login page GET endpoint
[email protected]("/login", response_class=HTMLResponse)
-async def login_form(
-    request: Request,
-    redirect_url: str = "/",
-    token: str = Security(api_key_cookie)
-):
-    # Check if user is already authenticated
-    if token == security_token:
-        # User is already authenticated, redirect to original URL
-        return RedirectResponse(url=redirect_url, status_code=status.HTTP_302_FOUND)
-    else:
-        # User is not authenticated, show login form
-        return templates.TemplateResponse(
-            "login.html", {"request": request, "redirect_url": redirect_url}
-        )
-
-
-# Login page POST endpoint
[email protected]("/login")
-async def login(
-        request: Request,
-        token: str = Form(...),
-        redirect_url: str = Form("/"),
-):
-    if token == security_token:
-        response = RedirectResponse(url=redirect_url, status_code=status.HTTP_302_FOUND)
-        response.set_cookie(key=AUTH_COOKIE_NAME, value=token)
-        return response
-    else:
-        return templates.TemplateResponse(
-            "login.html",
-            {
-                "request": request,
-                "redirect_url": redirect_url,
-                "error": "Invalid token",
-            },
-        )
-
-
+from fastapi import Request, Form, APIRouter, status, Security
+from fastapi.responses import HTMLResponse, RedirectResponse
+from urllib.parse import urlparse
+from medperf.web_ui.auth import security_token, AUTH_COOKIE_NAME
+from medperf.web_ui.common import templates, api_key_cookie
+
+router = APIRouter()
+
+
+# Login page GET endpoint
[email protected]("/login", response_class=HTMLResponse)
+async def login_form(
+    request: Request,
+    redirect_url: str = "/",
+    token: str = Security(api_key_cookie)
+):
+    # Check if user is already authenticated
+    if token == security_token:
+        # User is already authenticated, redirect to original URL
+        return RedirectResponse(url=redirect_url, status_code=status.HTTP_302_FOUND)
+    else:
+        # User is not authenticated, show login form
+        return templates.TemplateResponse(
+            "login.html", {"request": request, "redirect_url": redirect_url}
+        )
+
+
+# Login page POST endpoint
[email protected]("/login")
+async def login(
+        request: Request,
+        token: str = Form(...),
+        redirect_url: str = Form("/"),
+):
+    redirect_url = redirect_url.replace('\\', '/')
+    if not urlparse(redirect_url).netloc:
+        if token == security_token:
+            response = RedirectResponse(url=redirect_url, status_code=status.HTTP_302_FOUND)
+            response.set_cookie(key=AUTH_COOKIE_NAME, value=token)
+            return response
+        else:
+            return templates.TemplateResponse(
+                "login.html",
+                {
+                    "request": request,
+                    "redirect_url": redirect_url,
+                    "error": "Invalid token",
+                },
+            )
+    else:
+        return RedirectResponse(url="/", status_code=status.HTTP_302_FOUND)
EOF
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
cli/medperf/web_ui/login.py
):
if token == security_token:
response = RedirectResponse(url=redirect_url, status_code=status.HTTP_302_FOUND)
response.set_cookie(key=AUTH_COOKIE_NAME, value=token)

Check warning

Code scanning / CodeQL

Failure to use secure cookies Medium

Cookie is added without the Secure and HttpOnly attributes properly set.
cli/medperf/web_ui/login.py
):
if token == security_token:
response = RedirectResponse(url=redirect_url, status_code=status.HTTP_302_FOUND)
response.set_cookie(key=AUTH_COOKIE_NAME, value=token)

Check warning

Code scanning / CodeQL

Construction of a cookie using user-supplied input Medium

Cookie is constructed from a
user-supplied input
Loading
.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@hasan7n @VukW @aristizabal95 @mhmdk0