Sillily named feature flags break flipper-ui (e.g. ../../something) with flipper-active_record (and perhaps other backend adapters) #901

Open
tylerritchie opened this issue Dec 17, 2024 · 0 comments

The title is pretty much the issue. flipper happily accepts feature names like ../../something (which is good), but the generated anchor tag ends up with ../../something, which is then normalized by the browser and makes the feature show/edit action unreachable.

It looks like the features ui page is using Feature#key in generating the href:

<a href="<%= "#{script_name}/features/#{feature.key}" %>" class="list-group-item list-group-item-action">

Not using the database primary key (in the case of the ActiveRecord backend) makes sense, since the various backends would need to account for that in various ways.

Some thoughts

  • I think utilizing Rack::Utils.escape to generate the link (and correspondingly unescaping to look up the feature) would work in the case of ../../something, but a similar case exists for the flipper keys . and .. (and maybe a solution in the case of . and .. is to not allow those feature names, or go out of the way to percent encode periods)
  • Another option would be to url-safe base64 encode the key; that should account for all valid flipper keys at the expense of not having the visible feature name in the url (which might be okay)
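
The two encodings proposed above, compared with the raw `Feature#key` href, as an added example that is not flipper's code. Assumptions: `normalize_path` approximates the dot-segment removal a browser applies to an href, `URI.encode_www_form_component` stands in for `Rack::Utils.escape`, and the `/flipper` mount point, the helper names and the sample keys are constructed.

```ruby
require "uri"

SCRIPT_NAME = "/flipper" # constructed mount point (assumption)

# Segments a browser treats as "." / ".." in a URL path; the WHATWG URL
# rules also match the percent-encoded spellings such as "%2e%2e".
DOT    = /\A(?:\.|%2e)\z/i
DOTDOT = /\A(?:\.|%2e){2}\z/i

# Approximate browser dot-segment removal (trailing-slash details ignored).
def normalize_path(path)
  out = []
  path.split("/", -1).drop(1).each do |seg|
    if seg.match?(DOTDOT)
      out.pop
    elsif !seg.match?(DOT)
      out << seg
    end
  end
  "/" + out.join("/")
end

# Hypothetical link encoders and the matching lookups on the server side.
ENCODERS = {
  raw:     ->(key) { key },
  escaped: ->(key) { URI.encode_www_form_component(key) },
  base64:  ->(key) { [key].pack("m0").tr("+/", "-_") } # URL-safe alphabet
}.freeze
DECODERS = {
  raw:     ->(seg) { seg },
  escaped: ->(seg) { URI.decode_www_form_component(seg) },
  base64:  ->(seg) { seg.tr("-_", "+/").unpack1("m0").force_encoding("UTF-8") }
}.freeze

# True when the href, after browser normalization, still lands under
# /features/ and the server can recover the original key from it.
def reachable?(key, scheme)
  prefix = "#{SCRIPT_NAME}/features/"
  path = normalize_path(prefix + ENCODERS[scheme].call(key))
  path.start_with?(prefix) && DECODERS[scheme].call(path.delete_prefix(prefix)) == key
end

def report(keys)
  keys.to_h { |k| [k, ENCODERS.keys.to_h { |s| [s, reachable?(k, s)] }] }
end

KEYS = ["search", "../../something", ".", ".."].freeze # constructed sample keys
report(KEYS).each { |k, r| puts format("%-18s %s", k.inspect, r) } if __FILE__ == $PROGRAM_NAME
```

Escaping makes `../../something` reachable because `/` becomes `%2F`, but `.` and `..` pass through the escaper unchanged and are still collapsed; only the base64 form survives for all four keys.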