Skip to content

fix(workflow-renderer): validate dropbox host in note embed renderer#5288

Merged
waleedlatif1 merged 2 commits into
stagingfrom
worktree-code-scanning-review
Jun 30, 2026
Merged

fix(workflow-renderer): validate dropbox host in note embed renderer#5288
waleedlatif1 merged 2 commits into
stagingfrom
worktree-code-scanning-review

Conversation

@waleedlatif1

Copy link
Copy Markdown
Collaborator

Summary

  • Replace the bare url.includes('dropbox.com') check in the note embed renderer with a parsed-hostname match (dropbox.com or *.dropbox.com)
  • Add a small parseHostname() helper that safely parses the URL and lowercases the host
  • Resolves CodeQL js/incomplete-url-substring-sanitization (alert feat(linear): added Linear tool #430): previously https://dropbox.com.evil.com/x.mp4 or https://evil.com/?dropbox.com/x.mp4 would be treated as a direct dropbox video and embedded from an attacker host

Type of Change

  • Bug fix (security)

Testing

Tested manually; tsc --noEmit on packages/workflow-renderer passes

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

Replace the bare url.includes('dropbox.com') check with a parsed-hostname
match so attacker-controlled hosts (dropbox.com.evil.com, evil.com/?dropbox.com)
no longer get treated as direct dropbox videos. Resolves CodeQL
js/incomplete-url-substring-sanitization (#430).
@vercel

vercel Bot commented Jun 30, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
docs Ready Ready Preview, Comment Jun 30, 2026 5:12pm

Request Review

@cursor

cursor Bot commented Jun 30, 2026

Copy link
Copy Markdown

PR Summary

Medium Risk
Security fix in embed URL handling limits where <video> can load media; behavior change for edge-case URLs that previously matched the loose substring check.

Overview
Hardens Dropbox video embeds in note markdown links by replacing a substring check (url.includes('dropbox.com')) with URL parsing and strict hostname rules.

New helpers parseUrl (scheme-less tolerant) and getDropboxDirectVideoUrl only accept dropbox.com or *.dropbox.com, require a video extension on the path, then rewrite to dl.dropboxusercontent.com and strip dl query params. Malicious hosts like dropbox.com.evil.com or query-string tricks no longer produce embeddable direct video URLs.

Reviewed by Cursor Bugbot for commit fe9abae. Configure here.

@greptile-apps

greptile-apps Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR tightens Dropbox video embeds in the note renderer. The main changes are:

  • Parses note embed URLs before checking the host.
  • Allows only dropbox.com and Dropbox subdomains for Dropbox video handling.
  • Rewrites accepted Dropbox video links to dl.dropboxusercontent.com.
  • Keeps scheme-less Dropbox links working by assuming https://.

Confidence Score: 5/5

This looks safe to merge.

  • No blocking issues found in the changed code.

Important Files Changed

Filename Overview
packages/workflow-renderer/src/note/note-block-view.tsx Adds parsed Dropbox URL handling and direct-link rewriting for note video embeds.

Reviews (2): Last reviewed commit: "fix(workflow-renderer): rewrite dropbox ..." | Re-trigger Greptile

Comment thread packages/workflow-renderer/src/note/note-block-view.tsx Outdated
Comment thread packages/workflow-renderer/src/note/note-block-view.tsx Outdated
…e scheme-less links

Derive the direct video URL from the parsed URL object (rewrite hostname to
dl.dropboxusercontent.com for any dropbox.com/*.dropbox.com host) instead of a
www-only string replace, and accept scheme-less links. Fixes broken embeds for
m.dropbox.com / bare-host links flagged in review.
@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@greptile

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@cursor review

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit fe9abae. Configure here.

@waleedlatif1 waleedlatif1 merged commit 4298e57 into staging Jun 30, 2026
10 of 11 checks passed
@waleedlatif1 waleedlatif1 deleted the worktree-code-scanning-review branch June 30, 2026 17:11
waleedlatif1 added a commit that referenced this pull request Jun 30, 2026
…n util

- Extract getEmbedInfo/EmbedInfo into pure @sim/utils/media-embed (carries the
  PR #5288 dropbox host-validation hardening); repoint the note block to it
- Add LinkEmbed: a ProseMirror widget-decoration plugin that renders media
  players (YouTube, Vimeo, Spotify, Dropbox, …) beneath standalone links in the
  rich markdown editor, in both editing and read-only surfaces. The document
  stays a plain markdown link, so markdown round-trips stay lossless
- Gate embeds behind an opt-in flag (on for the file editor, off for modal fields)
- Polish the knowledge chunk editor to the file editor's centered reading frame
  while keeping it plaintext for exact embedding fidelity
waleedlatif1 added a commit that referenced this pull request Jun 30, 2026
…n util (#5290)

* feat(rich-markdown-editor): live media embeds + shared embed detection util

- Extract getEmbedInfo/EmbedInfo into pure @sim/utils/media-embed (carries the
  PR #5288 dropbox host-validation hardening); repoint the note block to it
- Add LinkEmbed: a ProseMirror widget-decoration plugin that renders media
  players (YouTube, Vimeo, Spotify, Dropbox, …) beneath standalone links in the
  rich markdown editor, in both editing and read-only surfaces. The document
  stays a plain markdown link, so markdown round-trips stay lossless
- Gate embeds behind an opt-in flag (on for the file editor, off for modal fields)
- Polish the knowledge chunk editor to the file editor's centered reading frame
  while keeping it plaintext for exact embedding fidelity

* fix(media-embed): gate provider detection on parsed hostname

Validate each platform against the URL's parsed host before extracting, so a
look-alike host (youtube.com.evil.com) or a provider domain in the path
(evil.com/youtube.com/...) can no longer render a trusted-looking embed. Dropbox
is no longer a special case — all providers share the hostMatches gate. Also
consolidates the five Spotify branches and orders Twitch clip before channel.

* fix(rich-markdown-editor): unique widget key per duplicate embed URL

Key embed widgets by source + per-source occurrence index so two standalone
links to the same URL render as two distinct players instead of collapsing into
one, while keeping the key stable across unrelated edits (no iframe reload).

* refactor(media-embed): tighten comments and drop a redundant guard

- Drop the redundant paragraph type-check in getStandaloneLinkHref (the caller
  already filters to paragraphs) and rename the param for clarity
- Remove an inline comment and a TSDoc sentence that restated logic documented
  elsewhere
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant