feat(sagemaker): Added the validation for refresh url and updated the uri handler#8806
msgupta-amazon wants to merge 1 commit into
Conversation
⏳ I'm reviewing this pull request for security vulnerabilities and code quality issues. I'll provide an update when I'm done

✅ I finished the code review, and didn't find any security or code quality issues.
```ts
function isValidReconnectUrl(refreshUrl: string): boolean {
    try {
        const parsed = new URL(refreshUrl)
        if (parsed.protocol === 'http:') {
```
Can we add a comment for when this happens? Is this for deeplink from cluster?

No, this basically checks the refresh url sent by the MFE

This check is for local debugging.
```ts
            return parsed.hostname === 'localhost' || parsed.hostname === '127.0.0.1'
        }
        if (parsed.protocol === 'https:') {
            return parsed.hostname.endsWith('.sagemaker.aws') || parsed.hostname.endsWith('.asfiovnxocqpcry.com')
```
This is the demo domain name used in the package for test cases.
```ts
        }
    }
```
```ts
function isValidReconnectUrl(refreshUrl: string): boolean {
```
FYI if it makes things easier, we can always move the validation to a separate PR. I'd recommend it since it's a totally separate change.

This is the separate PR right for the validation.
## Problem
When Cursor (cursor://) or Kiro (kiro://) handle deep link URIs, their OS protocol handlers percent-encode the query string delimiters before delivering the URI to the extension:
This causes URLSearchParams to see the entire query as a single malformed parameter, so fields like refreshUrl, sessionId, and streamUrl cannot be parsed. As a result, reconnection never works for Cursor/Kiro — the refreshUrl is lost and the toolkit cannot trigger browser-based session refresh.
VS Code does not exhibit this behavior — it preserves real delimiters in the query string.
## Solution
After the existing + → %2B and & → & normalizations, decode %3D → = and %26 → & in the query string (only after the ?, not in the path) before constructing the URL object.
This is a no-op for VS Code (which never has %3D/%26 as encoded delimiters in the query), so existing Studio and HyperPod VS Code flows are unaffected.
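As an added example, not the toolkit's own code: a TypeScript model of the query-only decoding described above, followed by an allow-list check shaped like the isValidReconnectUrl snippet in the review thread, run over constructed Kiro and VS Code deep links. The scheme host `example.toolkit`, the parameter values and the omission of the review's demo test domain are all assumptions of this example.

```typescript
// Added example, not the toolkit's code: models the normalisation the PR describes.

// Decode %3D -> = and %26 -> & only after the "?", leaving scheme, host and path untouched.
// Assumes parameter values carry no single-encoded "&" of their own; such a value would be split.
function normalizeDeepLinkQuery(uri: string): string {
    const q = uri.indexOf('?')
    if (q === -1) {
        return uri
    }
    const query = uri
        .slice(q + 1)
        .replace(/\+/g, '%2B') // the existing step: keep a literal "+" from being read as a space
        .replace(/%3D/gi, '=')
        .replace(/%26/gi, '&')
    return uri.slice(0, q + 1) + query
}

// http is accepted only for loopback (local debugging), https only under .sagemaker.aws.
// The demo test domain from the review is deliberately left out of this example.
function isValidReconnectUrl(refreshUrl: string): boolean {
    try {
        const parsed = new URL(refreshUrl)
        if (parsed.protocol === 'http:') {
            return parsed.hostname === 'localhost' || parsed.hostname === '127.0.0.1'
        }
        return parsed.protocol === 'https:' && parsed.hostname.endsWith('.sagemaker.aws')
    } catch {
        return false // not a URL at all
    }
}

interface ReconnectParams { sessionId: string; streamUrl: string; refreshUrl: string }
// Pull the reconnect fields out of a deep link; undefined if any is missing or refreshUrl fails the check.
function parseReconnectParams(uri: string): ReconnectParams | undefined {
    const params = new URL(normalizeDeepLinkQuery(uri)).searchParams
    const sessionId = params.get('sessionId')
    const streamUrl = params.get('streamUrl')
    const refreshUrl = params.get('refreshUrl')
    if (!sessionId || !streamUrl || !refreshUrl || !isValidReconnectUrl(refreshUrl)) {
        return undefined
    }
    return { sessionId, streamUrl, refreshUrl }
}

// Constructed sample deep links (host "example.toolkit" is a placeholder): the same parameters
// as delivered by Kiro (delimiters percent-encoded) and by VS Code (delimiters intact).
const KIRO_DEEPLINK =
    'kiro://example.toolkit/connect?sessionId%3Dabc123%26streamUrl%3Dhttps%3A%2F%2Fstream.example%2Fs%26refreshUrl%3Dhttps%3A%2F%2Fstudio.sagemaker.aws%2Frefresh'
const VSCODE_DEEPLINK =
    'vscode://example.toolkit/connect?sessionId=abc123&streamUrl=https%3A%2F%2Fstream.example%2Fs&refreshUrl=https%3A%2F%2Fstudio.sagemaker.aws%2Frefresh'
```

Without the normalisation, `new URL(KIRO_DEEPLINK).searchParams.get('sessionId')` is null, because the whole encoded query is read as one parameter name.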
## Testing
Note: This PR is a follow up of the main PR: #8779
Hence, it will not include changelog entry.
feature/x branches will not be squash-merged at release time.