feat(sessions): add modal for choosing session environment (#405) #405
Conversation
mdonadoni
force-pushed
the
jupyter-allowlist
branch
from
79366da to
86fac46
Compare
| label="Custom environment" | ||
| value={customImage} | ||
| onChange={(_, { value }) => setCustomImage(value)} | ||
| placeholder={"Custom container image"} |
There was a problem hiding this comment.
When custom environment images are enabled, the user may try to type fancy values such as:
alert("XSS")
This leads to a success message:
Success!
The interactive session has been created. However, it could take several minutes to start the Jupyter Notebook. Click on the Jupyter logo to access it.
And on the backend, the session pod is created but obviously not started due to the InvalidImageName error.
Could we plug some value sanitisation checks so that we would prevent even trying to open invalid image strings?
(Ideally on the backend side, so that we would also cover reana-client open, but we could also eliminate some characters already in the front-end perhaps, such as in the various XSS test strings, as tried above.)
There was a problem hiding this comment.
I think we should do this as part of another issue/PR, as these checks could be also done for example for the docker images specified in reana.yaml. What do you think?
mdonadoni
force-pushed
the
jupyter-allowlist
branch
from
86fac46 to
6108869
Compare
mdonadoni
force-pushed
the
jupyter-allowlist
branch
from
6108869 to
d79551b
Compare
mdonadoni
force-pushed
the
jupyter-allowlist
branch
from
d79551b to
7a83b20
Compare
Closes reanahub/reana-workflow-controller#569