NotificationsYou must be signed in to change notification settings
Fork906
Star10k

Commit9e44f18

authored

refactor: add safe list for external app protocols (#17742)

To prevent malicious apps and vendors to use the Coder session token weare adding safe protocols/schemas we want to support.- vscode:- vscode-insiders:- windsurf:- cursor:- jetbrains-gateway:- jetbrains:Fixcoder/security#77

1 parent5c53277 commit9e44f18Copy full SHA for 9e44f18

File tree

3 files changed

+36

-1

lines changed

site/src/modules
- apps
  - apps.test.ts
  - apps.ts
- resources/AppLink
  - AppLink.stories.tsx

3 files changed

+36

-1

lines changed

`‎site/src/modules/apps/apps.test.ts`

Lines changed: 16 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,22 @@ describe("getAppHref", () => {`
`53`	`53`	`expect(href).toBe(externalApp.url);`
`54`	`54`	`});`
`55`	`55`
	`56`	`+it("doesn't return the URL with the session token replaced when using unauthorized protocol",()=>{`
	`57`	`+constexternalApp={`
	`58`	`+...MockWorkspaceApp,`
	`59`	`+external:true,`
	`60`	+url:`ftp://example.com?token=${SESSION_TOKEN_PLACEHOLDER}`,
	`61`	`+};`
	`62`	`+consthref=getAppHref(externalApp,{`
	`63`	`+host:"*.apps-host.tld",`
	`64`	`+agent:MockWorkspaceAgent,`
	`65`	`+workspace:MockWorkspace,`
	`66`	`+path:"/path-base",`
	`67`	`+token:"user-session-token",`
	`68`	`+});`
	`69`	`+expect(href).toBe(externalApp.url);`
	`70`	`+});`
	`71`	`+`
`56`	`72`	`it("returns a path when app doesn't use a subdomain",()=>{`
`57`	`73`	`constapp={`
`58`	`74`	`...MockWorkspaceApp,`

`‎site/src/modules/apps/apps.ts`

Lines changed: 19 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,20 @@ import type {`
`10`	`10`	`// be used internally, and is highly subject to break.`
`11`	`11`	`exportconstSESSION_TOKEN_PLACEHOLDER="$SESSION_TOKEN";`
`12`	`12`
	`13`	`+// This is a list of external app protocols that we`
	`14`	`+// allow to be opened in a new window. This is`
	`15`	`+// used to prevent phishing attacks where a user`
	`16`	`+// is tricked into clicking a link that opens`
	`17`	`+// a malicious app using the Coder session token.`
	`18`	`+constALLOWED_EXTERNAL_APP_PROTOCOLS=[`
	`19`	`+"vscode:",`
	`20`	`+"vscode-insiders:",`
	`21`	`+"windsurf:",`
	`22`	`+"cursor:",`
	`23`	`+"jetbrains-gateway:",`
	`24`	`+"jetbrains:",`
	`25`	`+];`
	`26`	`+`
`13`	`27`	`typeGetVSCodeHrefParams={`
`14`	`28`	`owner:string;`
`15`	`29`	`workspace:string;`
`@@ -78,7 +92,11 @@ export const getAppHref = (`
`78`	`92`	`{ path, token, workspace, agent, host}:GetAppHrefParams,`
`79`	`93`	`):string=>{`
`80`	`94`	`if(isExternalApp(app)){`
`81`		`-returnneedsSessionToken(app)`
	`95`	`+constappProtocol=newURL(app.url).protocol;`
	`96`	`+constisAllowedProtocol=`
	`97`	`+ALLOWED_EXTERNAL_APP_PROTOCOLS.includes(appProtocol);`
	`98`	`+`
	`99`	`+returnneedsSessionToken(app)&&isAllowedProtocol`
`82`	`100`	`?app.url.replaceAll(SESSION_TOKEN_PLACEHOLDER,token??"")`
`83`	`101`	`:app.url;`
`84`	`102`	`}`

`‎site/src/modules/resources/AppLink/AppLink.stories.tsx`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -80,6 +80,7 @@ export const ExternalApp: Story = {`
`80`	`80`	`workspace:MockWorkspace,`
`81`	`81`	`app:{`
`82`	`82`	`...MockWorkspaceApp,`
	`83`	`+url:"vscode://open",`
`83`	`84`	`external:true,`
`84`	`85`	`},`
`85`	`86`	`agent:MockWorkspaceAgent,`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit9e44f18

File tree

3 files changed

3 files changed

`‎site/src/modules/apps/apps.test.ts`

`‎site/src/modules/apps/apps.ts`

`‎site/src/modules/resources/AppLink/AppLink.stories.tsx`

0 commit comments