bito-code-review[bot] commented on code in PR #38316:
URL: https://github.com/apache/superset/pull/38316#discussion_r2880280512


##########
superset-frontend/src/utils/pathUtils.ts:
##########
@@ -19,25 +19,44 @@
 import { applicationRoot } from 'src/utils/getBootstrapData';
 
 /**
- * Takes a string path to a resource and prefixes it with the application root 
that is
- * defined in the application configuration. The application path is sanitized.
- * @param path A string path to a resource
+ * Matches safe URI schemes that should pass through without an application 
root
+ * prefix. Only well-known schemes are allowed; unknown or dangerous schemes
+ * (e.g. javascript:, data:) are treated as relative paths and prefixed.
+ */
+const SAFE_ABSOLUTE_URL_RE = /^(https?|ftp|mailto|tel):/i;
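Review bot: the visible part of this hunk deletes the JSDoc for the function (`Takes a string path ...`, `The application path is sanitized.`, `@param path`) and only adds a comment for the new constant; the rest of the hunk (25 lines became 44) is not shown here, so please confirm the function still carries a doc comment that states the new contract: strings matching the allowlisted schemes pass through unchanged, everything else, including `javascript:` and `data:`, is treated as relative and prefixed with the application root. The `^`-anchored allowlist with the `/i` flag is the right shape for this check (a denylist would have to enumerate every unsafe scheme); it would be worth pinning that behaviour down with unit tests for a mixed-case scheme (`JavaScript:`), a string with leading whitespace before the scheme, and a protocol-relative string (`//host/...`), each of which fails the regex and should therefore end up prefixed rather than passed through.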

Review Comment:
   Issue: Missing blob scheme in URL regex

   The regex for safe URL schemes is missing 'blob:', which could break blob URLs if they're passed to ensureAppRoot. Blob URLs are used in the codebase for file downloads and should be allowed to pass through without prefixing.

   Code suggestion (check the AI-generated fix before applying):

   ````suggestion
    const SAFE_ABSOLUTE_URL_RE = /^(https?|ftp|mailto|tel|blob):/i;
   ````

   Code Review Run #59f44f
   
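As an added example (not Superset's own code), a minimal prefixer built around the allowlist regex from the hunk. `prefixWithAppRoot` and `isSafeAbsoluteUrl` are hypothetical names; the function additionally collapses leading slashes, an assumption-level hardening not in the hunk, so that a protocol-relative string cannot survive as one when the root is empty. It also shows that `blob:` is currently prefixed, which is the point the comment above raises.

```typescript
// Added example, not the Superset code. Regex copied from the hunk under review.
const SAFE_ABSOLUTE_URL_RE = /^(https?|ftp|mailto|tel):/i;

/** True when `path` starts with one of the allowlisted schemes (case-insensitive). */
function isSafeAbsoluteUrl(path: string): boolean {
  return SAFE_ABSOLUTE_URL_RE.test(path);
}

/**
 * Prefix `path` with `appRoot` unless it already carries an allowlisted scheme.
 * Anything else, including `javascript:`, `data:` and (with this regex) `blob:`,
 * is treated as a relative path and therefore lands under the application root.
 * Hypothetical hardening beyond the hunk: leading slashes are collapsed to one,
 * so `//host/x` becomes `/host/x` instead of a protocol-relative URL.
 */
function prefixWithAppRoot(path: string, appRoot: string): string {
  if (isSafeAbsoluteUrl(path)) {
    return path;
  }
  const root = appRoot.replace(/\/+$/, ''); // no trailing slash on the root
  const rel = `/${path.replace(/^\/+/, '')}`; // exactly one leading slash
  return `${root}${rel}`;
}

// Constructed sample inputs showing which way each string goes.
const samples: Array<[string, string]> = [
  ['/dashboard/list', '/superset'],
  ['https://example.com/x', '/superset'],
  ['JavaScript:alert(1)', '/superset'],
  ['data:text/html,x', ''],
  ['//example.com/x', ''],
  ['blob:http://localhost/abc', '/superset'],
];
for (const [p, r] of samples) {
  console.log(`${JSON.stringify(p)} -> ${prefixWithAppRoot(p, r)}`);
}
```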



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

