feature(x2a): AAP Project now linked as artifact on UI #2439
elai-shalev wants to merge 2 commits into redhat-developer:main from
Missing Changesets
The following package(s) are changed by this PR but do not have a changeset:
See CONTRIBUTING.md for more information about how to add changesets.
Changed Packages
Review Summary by Qodo
Update AAP artifact URL publishing and labeling
Walkthroughs
Description
- Update artifact labels from "Ansible Project" to "AAP Project" across all translations
- Modify AAP artifact to use direct project URL instead of local path
- Parse AAP project ID from publish-aap output to construct clickable URL
- Simplify ansible_project artifact rendering in UI components

Diagram
```mermaid
flowchart LR
A["publish-aap script"] -->|Parse project ID| B["AAP URL construction"]
B -->|artifact.value| C["ArtifactsCard component"]
C -->|Direct link| D["AAP Controller URL"]
E["Translation files"] -->|AAP Project label| C
```
File Changes
1. workspaces/x2a/plugins/x2a/src/translations/de.ts
Code Review by Qodo
1. Unvalidated AAP artifact URL
| const url = | ||
| artifact.type === 'ansible_project' | ||
| ? artifact.value | ||
| : buildArtifactUrl(artifact.value, targetRepoUrl, targetRepoBranch); | ||
| return ( | ||
| <Link | ||
| to={buildArtifactUrl(artifact.value, targetRepoUrl, targetRepoBranch)} | ||
| to={url} | ||
| target="_blank" |
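Review bot: in the `url` ternary, the `ansible_project` branch hands `artifact.value` to `<Link to={url}>` with no check, so whatever string the job returned becomes a link target opened with `target="_blank"`. Gate that branch on an absolute http(s) URL (for example `/^https?:\/\//i.test(artifact.value)`), keep `buildArtifactUrl(...)` as the fallback that every artifact type used before this change, and render plain text when the value is neither.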
1. Unvalidated aap artifact url 🐞 Bug ⛨ Security
The UI now renders ansible_project using artifact.value directly as a link, while the backend accepts aapCredentials.url as an arbitrary string and passes it into the job env. A malformed or malicious URL (missing scheme, //host, or non-http(s) schemes) can create broken links or an open-redirect-style phishing vector when users click the artifact.
Agent Prompt
### Issue description
`ansible_project` artifacts are now rendered as raw URLs (`artifact.value`) in the UI, but the backend currently accepts AAP `url` as an unconstrained string and propagates it into artifact generation. This can lead to malformed links and enables open-redirect-style phishing if a crafted URL is stored.
### Issue Context
- Backend accepts `aapCredentials.url` from requests and uses it to set `AAP_CONTROLLER_URL`.
- Job script builds the returned artifact URL from `AAP_CONTROLLER_URL`.
- Frontend renders the returned `ansible_project` artifact via `<Link to={artifact.value}>`.
### Fix Focus Areas
- workspaces/x2a/plugins/x2a-backend/src/router/modules.ts[210-232]
- workspaces/x2a/plugins/x2a-backend/src/services/JobResourceBuilder.ts[47-87]
- workspaces/x2a/plugins/x2a-backend/templates/x2a-job-script.sh[420-427]
- workspaces/x2a/plugins/x2a/src/components/ModuleTable/Artifacts.tsx[42-55]
- workspaces/x2a/plugins/x2a/src/components/ModulePage/ArtifactsCard.tsx[113-127]
### Implementation notes (non-exhaustive)
- Backend: change zod validation to require a real URL and restrict protocol to http/https (e.g., `z.string().url().refine(u => ['http:', 'https:'].includes(new URL(u).protocol))`).
- Normalize by trimming trailing slash before persisting/using (or in the job script: `AAP_CONTROLLER_URL="${AAP_CONTROLLER_URL%/}"`).
- Frontend: for `ansible_project`, compute `href` like:
  - if `value` starts with `http://` or `https://` => use it
  - else => fallback to `buildArtifactUrl(value, targetRepoUrl, targetRepoBranch)` (covers older persisted artifacts / malformed values)
  - if invalid => render text (no link) or render a safe fallback page link.
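The frontend rule from the implementation notes above, written out as an added TypeScript example (not code from this PR or from the Qodo review). `parseHttpUrl`, `resolveArtifactHref` and `repoFallback` are hypothetical names, `repoFallback` stands in for the project's `buildArtifactUrl(value, targetRepoUrl, targetRepoBranch)`, and the userinfo rejection is an extra check that the review does not mention.

```typescript
// Added example, not the PR's code. All names here are hypothetical.
type Artifact = { type: string; value: string };

// Returns a normalized absolute http(s) URL, or null when `value` is not one.
function parseHttpUrl(value: string): string | null {
  const trimmed = value.trim();
  // Require an explicit scheme: "//host/x" and "host/x" are not accepted as links.
  if (!/^https?:\/\//i.test(trimmed)) return null;
  try {
    const u = new URL(trimmed);
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
    // Extra check beyond the review's notes: reject userinfo such as
    // "https://aap.example.com@other.example/", which misleads readers about the host.
    if (u.username !== '' || u.password !== '') return null;
    return u.href;
  } catch {
    return null; // unparsable, e.g. "http://"
  }
}

// Decide what the artifact link should point at.
// `repoFallback` stands in for the project's buildArtifactUrl(value, targetRepoUrl,
// targetRepoBranch); returning null tells the caller to render plain text, no <Link>.
function resolveArtifactHref(
  artifact: Artifact,
  repoFallback: (value: string) => string,
): string | null {
  if (artifact.type !== 'ansible_project') return repoFallback(artifact.value);
  const direct = parseHttpUrl(artifact.value);
  if (direct !== null) return direct;
  const v = artifact.value.trim();
  // Anything carrying another scheme, or protocol-relative, is never linked.
  if (v === '' || v.startsWith('//') || /^[a-z][a-z0-9+.-]*:/i.test(v)) return null;
  // Older persisted artifacts stored a repo-relative path: keep them working.
  return repoFallback(v);
}
```

In the component, a `null` result means rendering the artifact label as text instead of a `<Link>`.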
Can this wait for #2448?

@mareklibra ok



Follow up of #2420

This PR will add the link to the Ansible Project in AAP as an artifact returned from the reporter