The title is pretty much the issue. Flipper happily accepts feature names like `../../something` (which is good); the generated anchor tag ends up with `../../something`, which is then normalized by the browser and makes the feature show/edit action unreachable.
It looks like the features UI page is using `Feature#key` in generating the href: flipper/lib/flipper/ui/views/features.erb, line 39 in f3be014
Not using the database primary key (in the case of the ActiveRecord backend) makes sense, since the various backends would need to account for that in various ways.
Some thoughts
I think utilizing `Rack::Utils.escape` to generate the link (and correspondingly unescaping to look up the feature) would work in the case of `../../something`, but a similar case exists for the flipper keys `.` and `..` (and maybe a solution in the case of `.` and `..` is to not allow those feature names, or go out of the way to percent encode periods).
Another option would be to URL-safe base64 encode the key; that should account for all valid flipper keys at the expense of not having the visible feature name in the URL (which might be okay).
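The two encodings weighed above, side by side, as an added Ruby example that is not part of this issue or of flipper's own code. The mount path `/flipper/features/` and the helper names are assumptions, and `URI.join` stands in for the browser's dot-segment normalization of the resulting link.

```ruby
require "uri"

# Assumed mount point of the Flipper UI features page (constructed for this example).
ORIGIN = "http://example.test"
FEATURES = "/flipper/features/"

# The shape of the problem: the key is interpolated into the href unchanged.
def naive_href(key)
  FEATURES + key
end

# URI.join applies the same dot-segment removal a browser applies when it
# resolves a link, so it shows where each href actually lands.
def resolved_path(href)
  URI.join(ORIGIN, href).path
end

# Option 1 from the post: percent-encode the key. Rack::Utils.escape is backed
# by URI.encode_www_form_component, which is used directly here to stay stdlib-only.
def escaped_href(key)
  FEATURES + URI.encode_www_form_component(key)
end

def unescape_key(segment)
  URI.decode_www_form_component(segment)
end

# "." and ".." contain only unreserved characters, so escaping leaves them as
# bare dot segments that the browser still collapses.
def dot_segment?(segment)
  segment == "." || segment == ".."
end

# Option 2 from the post: URL-safe base64 (RFC 4648 section 5) via pack/unpack,
# padding stripped for the URL and restored on decode. Every byte of the key
# becomes [A-Za-z0-9_-], so no key can form a dot segment or contain "/".
def encode_key(key)
  [key].pack("m0").tr("+/", "-_").delete("=")
end

def decode_key(segment)
  padded = segment + "=" * ((4 - segment.length % 4) % 4)
  padded.tr("-_", "+/").unpack1("m0").force_encoding(Encoding::UTF_8)
end

def base64_href(key)
  FEATURES + encode_key(key)
end
```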