Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix: Token with sprite and glyphs #192

Merged
merged 12 commits into from
Oct 12, 2023
Merged

Fix: Token with sprite and glyphs #192

merged 12 commits into from
Oct 12, 2023

Conversation

gavinr-maps
Copy link
Contributor

@gavinr-maps gavinr-maps commented Aug 7, 2023
edited
Loading

This PR puts in a fix to properly add the token for sprites and glyphs, as pointed out in #188 and #186.

  1. As part of this PR, I wanted to unit test the formatStyle function in Util.js. To do this, I had to export that function. So that's what I did first: ba913e7
  2. Then I added a unit test to demo the sprites issue: 405d991
  3. Fix for that ^ sprites issue: b0d7815
  4. Then I added a unit test to demo the glyphs issue: 2d5baf7
  5. Fix for that ^ glyphs issue: 5fa87e2

@mstiglingh can you please test this out if it fixes your use case.

@gavinr-maps gavinr-maps mentioned this pull request Aug 7, 2023
Closed
@gavinr-maps gavinr-maps marked this pull request as ready for review August 7, 2023 17:56
@gavinr-maps gavinr-maps changed the title Fix: Token with sprite issue (in progress) Fix: Token with sprite and glyphs Aug 7, 2023
@mstiglingh
Copy link

Tested and working thanx Gavin!

@mstiglingh
Copy link

Just checking in on the progress of this?

patrickarlt
patrickarlt requested changes Aug 22, 2023
View reviewed changes
Copy link
Contributor

@patrickarlt patrickarlt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@gavinr-maps generally I think this looks good. I'm a little cautious of the case where someone could craft a malicious style with a glyph or token URL pointed to their server which we would then append the token to thereby giving the token to an attacker.

I think the only way around this would be to confirm that the url of the style and the URL and the URL of the sprite/glyph are on the same domain if they are I think we can consider the token safe to use. Otherwise the user will need to append the token manually with the style option.

spec/UtilSpec.js Outdated Show resolved Hide resolved
spec/UtilSpec.js Outdated Show resolved Hide resolved
spec/UtilSpec.js Outdated Show resolved Hide resolved
spec/UtilSpec.js Outdated Show resolved Hide resolved
@gavinr-maps
Copy link
Contributor Author

@patrickarlt I have updated it to check the domain per your comment. Please review.

patrickarlt
patrickarlt approved these changes Oct 6, 2023
View reviewed changes
Copy link
Contributor

@patrickarlt patrickarlt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM with a few changes.

spec/UtilSpec.js Outdated Show resolved Hide resolved
spec/UtilSpec.js Outdated Show resolved Hide resolved
src/Util.js
@@ -142,6 +142,10 @@ function loadStyleFromUrl (styleUrl, options, callback) {
request(styleUrl, params, callback);
}

function isSameTLD (url1, url2) {
return (new URL(url1)).hostname === (new URL(url2)).hostname;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do have some mild concerns about this because new URL will throw errors on relative paths. In general I think this is ok because we check if they are relative in formatStyle. Ideally I would love to use new URL() to resolve the paths

Copy link
Contributor Author

@gavinr-maps gavinr-maps Oct 10, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do have some mild concerns about this because new URL will throw errors on relative paths. In general I think this is ok because we check if they are relative in formatStyle.

I agree - I think it's not ideal but ok in this case since we're checking for relative in the parent function.

Ideally I would love to use new URL() to resolve the paths

I'm not following here - are you suggesting a code change for this PR or just a general future idea?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

General future idea.

@patrickarlt
Copy link
Contributor

@gavinr-maps this LGTM! Feel free to merge and release it.

@gavinr-maps gavinr-maps merged commit 30f8267 into Esri:master Oct 12, 2023
9 checks passed
@gavinr-maps gavinr-maps deleted the 188-token-issues branch October 12, 2023 19:54
@gavinr-maps
Copy link
Contributor Author

This was released in v4.2.0.

@gavinr-maps gavinr-maps mentioned this pull request May 22, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@patrickarlt patrickarlt patrickarlt approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@gavinr-maps @mstiglingh @patrickarlt