canonical / ubuntu-com-security-api

The API for CVEs and USNs data.

CVEs website with links with extra text gets a broken redirection #81

Open rodrigoffzz opened 2 years ago

rodrigoffzz commented 2 years ago

Summary

Hi. When we have a CVE that has a link with extra text in parentheses in either the Bugs or References sections, it gets an incorrect link redirection because it adds the extra text to the links. We are wondering if that is something that might be fixed, please.

In summary, when we have http://link.to.something (notes), we would like to have the link shown on the page as http://link.to.something (notes) but the redirection to go to http://link.to.something

Example: https://ubuntu.com/security/CVE-2014-4607

Process

Access a CVE with links in Bugs and/or References that have extra text in parentheses and try to access that link.

Current and expected result

From the example above (https://ubuntu.com/security/CVE-2014-4607)

Current web source

<li><a href="https://bugs.launchpad.net/ubuntu/+source/krfb/+bug/1352421 (krfb)">https://bugs.launchpad.net/ubuntu/+source/krfb/+bug/1352421 (krfb)</a></li>

Expected web source

<li><a href="https://bugs.launchpad.net/ubuntu/+source/krfb/+bug/1352421">https://bugs.launchpad.net/ubuntu/+source/krfb/+bug/1352421 (krfb)</a></li>

Extra comments

There was a Python pseudocode suggestion that was used to discuss this issue with @mtruj013 in Mattermost some days ago that I would like to add here in case it helps:

{# Jinja2 template: the ' (' convention marks the start of a note that must
   not become part of the href. Strip it for the link target only. #}
{% for reference in cve.references %}
    {% set reference_link = reference %}

    {% if ' (' in reference %}
        {% set reference_link = reference[0:reference.index(' (')].strip() %}
    {% endif %}

    {# href gets the bare URL; the visible text keeps the note #}
    <li><a href="{{ reference_link }}">{{ reference }}</a></li>
{% endfor %}

....

{% for bug in cve.bugs %}
    {% set bug_link = bug %}

    {% if ' (' in bug %}
        {% set bug_link = bug[0:bug.index(' (')].strip() %}
    {% endif %}

    <li><a href="{{ bug_link }}">{{ bug }}</a></li>
{% endfor %}
rodrigoffzz commented 2 years ago

Excuse me, can someone please take a look at this? We have some broken links and I think that we could enhance our users' experience if we fix it. Not sure what the "Question" label means here...

I've seen a good example of that: https://ubuntu.com/security/CVE-2017-9814. In the Bugs section, the first link has a note saying "(main bug)" and when we click on it, we are redirected to a login page. A user might think that there is confidential information behind it, but the problem is the link itself; if we remove the (main bug) from the link, it works as expected.

Looking forward to your reply.

rodrigoffzz commented 2 years ago

Hi @nottrobin @mtruj013, as you have fixed other security web interface issues, I'm kindly pinging you to check if it is possible to have someone look at this one as well. Thanks!

nottrobin commented 2 years ago

Hmm I'm sure we've already discussed this and might have started work on a fix for it or something. @mtruj013 might know more when she gets back to work. There's probably another issue somewhere that we should link this one to. I had a look over on ubuntu.com, there's similar ones but not sure I found the exact one I was thinking of.

The proper fix here is to change the API schema. We shouldn't be just packing extra information into fields that are supposed to contain pure links. Maybe the API should actually check if the link is valid when you try to create a new record, and reject it if it's not. If you want "notes" to appear alongside links then that should be explicitly designed as part of the API's schema.
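The two approaches discussed in this thread, splitting the note off the URL at render time (the template pseudocode in the first comment) and rejecting values that are not pure links at record-creation time (nottrobin's suggestion), can be shown side by side in plain Python. This is an added example, not code from the ubuntu-com-security-api project; the function names, the "http(s) with a host and no whitespace" validity rule, and the sample reference strings are assumptions constructed for illustration.

```python
import html
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample values in the shape the issue describes: a bare URL plus
# URLs carrying a trailing parenthetical note that must not reach the href.
SAMPLE_REFERENCES = [
    "https://bugs.launchpad.net/ubuntu/+source/krfb/+bug/1352421 (krfb)",
    "https://bugs.launchpad.net/ubuntu/+source/krfb/+bug/1352421",
    "https://example.invalid/issue/1 (main bug)  ",
]


def split_reference(reference: str) -> Tuple[str, Optional[str]]:
    """Split 'URL (note)' into (url, note); note is None when absent.

    Uses the ' (' convention from the issue's pseudocode, trims surrounding
    whitespace, and tolerates a missing closing parenthesis.
    """
    text = reference.strip()
    if " (" not in text:
        return text, None
    url, _, rest = text.partition(" (")
    note = rest.strip()
    if note.endswith(")"):
        note = note[:-1]
    return url.strip(), note or None


def is_valid_link(url: str) -> bool:
    """Assumed validity rule an API could enforce on record creation:
    one absolute http(s) URL with a host and no embedded whitespace."""
    if any(ch.isspace() for ch in url):
        return False
    parts = urlparse(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def render_reference(reference: str) -> str:
    """Render the <li><a ...> markup the issue expects: href gets only the
    URL, the visible text keeps the note. Both parts are HTML-escaped."""
    url, note = split_reference(reference)
    label = url if note is None else f"{url} ({note})"
    return (
        f'<li><a href="{html.escape(url, quote=True)}">'
        f"{html.escape(label)}</a></li>"
    )


def validate_references(references: List[str]) -> List[str]:
    """Return the references whose URL part fails is_valid_link(); an API
    could reject a new record when this list is non-empty (assumed policy)."""
    return [ref for ref in references if not is_valid_link(split_reference(ref)[0])]


if __name__ == "__main__":
    for ref in SAMPLE_REFERENCES:
        print(render_reference(ref))
    print("rejected:", validate_references(SAMPLE_REFERENCES + ["not a url (x)"]))
```

Note that `is_valid_link` is deliberately applied to the URL part only: under the current data it reports the stored strings as fine once the note is split off, while run against the raw field it flags every "URL (note)" value, which is exactly the schema problem the comment above describes.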

cengiz-io commented 3 weeks ago

This is still a big nuisance even with the new UCT design.