Skip to content

fix(frontend): Patch Artifact Storage Key XSS Vulnerability. Fixes #12670 #12671

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
JerT33 wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix(frontend): Patch Artifact Storage Key XSS Vulnerability. Fixes #12670 #12671

JerT33 wants to merge 1 commit into from

Conversation

@JerT33
Copy link
Contributor

@JerT33 JerT33 commented Jan 17, 2026
edited
Loading

Description of your changes:

  • Add isAllowedObjectKey() validation function in utils.ts
  • Validate keys in getArtifactsHandler()
    • This implementation should then patch this vuln for all source types
  • Add tests for normal and long scripts

Live Cluster Testing Evidence
Endpoint:
/pipeline/artifacts/get?source=minio&bucket=mlpipeline&key=%3Cscript%3Ealert(1)%3C%2Fscript%3Eaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Before:
Screenshot 2026-01-17 at 5 45 26 PM

After:
Screenshot 2026-01-17 at 5 46 07 PM

Checklist:

@google-oss-prow
Copy link

google-oss-prow bot commented Jan 17, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@google-oss-prow
Copy link

google-oss-prow bot commented Jan 17, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign chensun for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@JerT33 JerT33 force-pushed the feat/patch_storage_key_xss branch 2 times, most recently from 9163ea7 to 37fd22c Compare January 17, 2026 22:54
@JerT33 JerT33 mentioned this pull request Jan 18, 2026
Open
@JerT33 JerT33 marked this pull request as ready for review January 18, 2026 17:05
@JerT33 JerT33 force-pushed the feat/patch_storage_key_xss branch from 37fd22c to 39c4f64 Compare January 18, 2026 18:11
@JerT33 @droctothorpe
add valid key checks
1ba052c 
Signed-off-by: JerT33 <[email protected]>

format code

Signed-off-by: JerT33 <[email protected]>

change error response to 500

Signed-off-by: JerT33 <[email protected]>
@droctothorpe droctothorpe force-pushed the feat/patch_storage_key_xss branch from 39c4f64 to 1ba052c Compare January 29, 2026 15:14
droctothorpe
droctothorpe reviewed Jan 29, 2026
View reviewed changes
frontend/server/utils.ts
}

export function isAllowedObjectKey(key: string): boolean {
return key.length > 0 && key.length <= 1024 && /^[a-zA-Z0-9\/\-_.]+$/.test(key);
Copy link
Collaborator

@droctothorpe droctothorpe Jan 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you validate that this doesn't inadvertently exclude characters that are permitted by S3 / GC / ABS? Thanks!

Copy link
Collaborator

@droctothorpe droctothorpe Jan 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might be worth looking into idiomatic typescript implementations around guarding against XSS. This might not be something that you have to define yourself.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@droctothorpe droctothorpe droctothorpe left review comments

@mprahl mprahl Awaiting requested review from mprahl

Assignees

No one assigned

Labels

size/M

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@JerT33 @droctothorpe