Open Bug 1895619 Opened 1 year ago Updated 1 year ago

TreeHerder shouldn't linkify domain-name-looking strings in commit messages

Tracking

(Not tracked)

Status:

NEW

People

(Reporter: dholbert, Unassigned)

Details

Attachments

(1 file)

screenshot showing the improperly-linkified token 1 year ago Daniel Holbert [:dholbert] 47.83 KB, image/png		Details

Daniel Holbert [:dholbert]

Reporter

Description

•

1 year ago

•

Edited

I just pushed a try run that happened to mention runreftest.py (a python script that lives in-tree) in the plaintext commit message, and I was surprised to see that TreeHerder automatically linkified that in its view of the push (with the link pointing to http://runreftest.py/ which has nothing to do with the runreftest.py script)

https://treeherder.mozilla.org/jobs?repo=try&revision=5b1fcf6a27aef44b63db13a624a202837224b584

(Thankfully http://runreftest.py/ seems to not be a valid/registered domain, so the linkification is ~harmless in this particular case; but it could be anything, really, and you could imagine attackers finding commonly used "foo.bar" terms in our commit messages and squatting on the resulting pages, hoping for stray clicks.)

Could we turn off whatever is doing the linkification here? (or make it stricter about what-gets-linkified to only include actual URIs that start with http/https)?

Daniel Holbert [:dholbert]

Reporter

Comment 1

•

1 year ago

Attached image screenshot showing the improperly-linkified token — Details

You need to log in before you can comment on or make changes to this bug.

Bugzilla

TreeHerder shouldn't linkify domain-name-looking strings in commit messages

Categories

(Tree Management :: Treeherder, defect)

Tracking

(Not tracked)

People

(Reporter: dholbert, Unassigned)

References

Details

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Attachment

General

Description

File Name

Content Type