Skip to content

Localstack support for running locally #245

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
DJAndries wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Localstack support for running locally #245

DJAndries wants to merge 1 commit into from
+65 −7

Conversation

@DJAndries
Copy link
Collaborator

@DJAndries DJAndries commented Mar 19, 2025

No description provided.

@DJAndries DJAndries requested review from mihaiplesa and mschfh March 19, 2025 17:09
mihaiplesa
mihaiplesa previously approved these changes Mar 19, 2025
View reviewed changes
github-actions[bot]
github-actions bot reviewed Mar 19, 2025
View reviewed changes
controller/controller.go
}
if jsonRequest {
http.Redirect(w, r, "https://"+host+"/service/update2/json"+queryString, http.StatusTemporaryRedirect)
http.Redirect(w, r, extension.ConstructURL(host, "/service/update2/json"+queryString), http.StatusTemporaryRedirect)
Copy link

@github-actions github-actions bot Mar 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reported by reviewdog 🐶
[semgrep] An HTTP redirect was found to be crafted from user-input r. This can lead to open redirect vulnerabilities, potentially allowing attackers to redirect users to malicious web sites. It is recommend where possible to not allow user-input to craft the redirect URL. When user-input is necessary to craft the request, it is recommended to follow OWASP best practices to restrict the URL to domains in an allowlist.

Source: https://semgrep.dev/r/go.lang.security.injection.open-redirect.open-redirect


Cc @thypon @kdenhartog

Copy link
Member

@kdenhartog kdenhartog Mar 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

seems like these 2 are concerns that need to be addressed.

Also, please encode the query params

controller/controller.go
http.Redirect(w, r, extension.ConstructURL(host, "/service/update2/json"+queryString), http.StatusTemporaryRedirect)
} else {
http.Redirect(w, r, "https://"+host+"/service/update2"+queryString, http.StatusTemporaryRedirect)
http.Redirect(w, r, extension.ConstructURL(host, "/service/update2"+queryString), http.StatusTemporaryRedirect)
Copy link

@github-actions github-actions bot Mar 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reported by reviewdog 🐶
[semgrep] An HTTP redirect was found to be crafted from user-input r. This can lead to open redirect vulnerabilities, potentially allowing attackers to redirect users to malicious web sites. It is recommend where possible to not allow user-input to craft the redirect URL. When user-input is necessary to craft the request, it is recommended to follow OWASP best practices to restrict the URL to domains in an allowlist.

Source: https://semgrep.dev/r/go.lang.security.injection.open-redirect.open-redirect


Cc @thypon @kdenhartog

@DJAndries DJAndries enabled auto-merge March 19, 2025 19:25
@DJAndries DJAndries force-pushed the add-docker-compose branch from b861acb to 9829379 Compare March 19, 2025 21:34
mschfh
mschfh reviewed Mar 19, 2025
View reviewed changes
misc/create_in_localstack.sh
--table-name Extensions \
--attribute-definitions AttributeName=ID,AttributeType=S \
--key-schema AttributeName=ID,KeyType=HASH \
--provisioned-throughput ReadCapacityUnits=10,WriteCapacityUnits=10 || true
Copy link
Contributor

@mschfh mschfh Mar 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we (optionally) add some example data?

Copy link
Collaborator Author

@DJAndries DJAndries Mar 19, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was thinking that simply invoking the brave-core-crx-packager would be sufficient, rather than adding some insert commands and including a crx blob in the repo. thoughts?

Copy link
Contributor

@mschfh mschfh Mar 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wouldn't include the crx blob itself, just the metadata in DDB for testing the API (since go-update doesn't handle the actual blobs).

For a full test, the crx could still be built/uploaded separately.

Copy link
Collaborator Author

@DJAndries DJAndries Mar 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this would allow the user to curl the API, but it wouldn't allow a user to test the solution e2e using the browser

@mihaiplesa mihaiplesa requested a review from jwadolowski April 4, 2025 09:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mschfh mschfh mschfh left review comments

@github-actions github-actions[bot] github-actions[bot] left review comments

@mihaiplesa mihaiplesa mihaiplesa left review comments

@jwadolowski jwadolowski Awaiting requested review from jwadolowski jwadolowski is a code owner

+1 more reviewer

@kdenhartog kdenhartog kdenhartog left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

@thypon thypon

@kdenhartog kdenhartog

Labels

needs-security-review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@DJAndries @mihaiplesa @kdenhartog @mschfh @thypon