feat: add icon and description fields to workspace preset #422
Conversation
@@ -93,6 +96,29 @@ func workspacePresetDataSource() *schema.Resource { | |||
Required: true, | |||
ValidateFunc: validation.StringIsNotEmpty, | |||
}, | |||
"description": { |
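Review bot: the new `"description": {` entry opens with no ValidateFunc, whereas the field directly above it ends with `ValidateFunc: validation.StringIsNotEmpty,`, and the discussion on this PR settles on the 128-character (description) and 256-character (icon) limits already enforced on the templates table in the database. Adding `ValidateFunc: validation.StringLenBetween(0, 128)` here (and the 256 equivalent on icon) would reject oversized values at plan time rather than letting them fail, or be truncated, once they reach the API.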
Copied the schema definition for description and icon from the parameter schema (see https://github.com/coder/terraform-provider-coder/blob/main/provider/parameter.go#L184). Neither field currently has a size limit, but it might be good to add one to ensure the UI isn’t broken by overly large descriptions. Wdyt?
There is also a security consideration: we don’t seem to perform proper escaping or sanitization, which means it could be possible to inject HTML or JavaScript via the description. For the icon, since it’s used to fetch local files, we should be careful to prevent directory traversal attacks or other malicious paths.
Given that Coder typically runs on-premises, these risks might be lower, but it could still be a good practice to address them. Do we currently have any mechanisms in place to handle these concerns?
> Neither field currently has a size limit

Do you mean in the provider, or in the database?

> For the icon, since it’s used to fetch local files

What do you mean by 'local' here? The icon is used by the UI, and the icons are generally hosted on the control plane, although I've seen people link to icons on other domains.

> There is also a security consideration: we don’t seem to perform proper escaping or sanitization

Where specifically have you checked?

> Do we currently have any mechanisms in place to handle these concerns?

Template admins have a good bit of power in a Coder deployment, so there is some element of trust related to allowing users to create templates.
> Do you mean in the provider, or in the database?

In both:
- provider: terraform-provider-coder/provider/parameter.go, lines 185 to 189 in d5496af:

      "description": {
          Type:        schema.TypeString,
          Optional:    true,
          Description: "Describe what this parameter does.",
      },

- database: https://github.com/coder/coder/blob/62dc8310d12fee1c4dab974b798cbcd3c9f0bfaf/coderd/database/dump.sql#L1545-L1549

I think it would make sense to add reasonable size limits to both description and icon, similar to what we do for the templates table:
- description (128): https://github.com/coder/coder/blob/main/coderd/database/dump.sql#L1727
- icon (256): https://github.com/coder/coder/blob/dd2fb896eb90406c606f21e09cdd7680821542e7/coderd/database/dump.sql#L1730
Wdyt?
> What do you mean by 'local' here? The icon is used by the UI, and the icons are generally hosted on the control plane, although I've seen people link to icons on other domains.

By "local" I meant relative paths like /icon/region.svg. Given that, someone could technically enter a path like ../../etc/passwd or something similar.

> Where specifically have you checked?

I tested the integration between the Terraform provider and Coder. I inserted a description with inline JavaScript and confirmed it was passed through and stored in the database. However, from my quick test, the UI seems to display the content as plain text and doesn’t interpret or render it as raw HTML, so that is good. I didn't test the icon path.

> Template admins have a good bit of power in a Coder deployment, so there is some element of trust related to allowing users to create templates.

Totally agree. Given Coder is self-hosted and template creation is an admin-level task, I don't think this is a critical issue, more of an observation from working on this PR.
> I think it would make sense to add reasonable size limits to both description and icon, similar to what we do for templates table

I think that's reasonable!

> By "local" I meant relative paths like /icon/region.svg. Given that, someone could technically enter a path like ../../etc/passwd or something similar.

Right, but I don't think we would expose that in our static file server though. Might be no harm to sanitize the path though, good callout!
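The two follow-ups agreed on in this exchange (size limits matching the database columns, and sanitizing the icon path so a traversal string never gets stored) can both be expressed as schema validators. The Go below is an added illustration written for this review, not code from the PR or from terraform-provider-coder. It assumes the 128/256 caps quoted from the coder database, assumes the provider wants icons to be either absolute http(s) URLs or root-relative paths such as /icon/region.svg, and mirrors the `func(interface{}, string) ([]string, []error)` shape of the SDK's `schema.SchemaValidateFunc` without importing the SDK, so it runs on its own.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
	"unicode/utf8"
)

// Caps assumed from the coder database columns cited in the thread
// (description 128, icon 256); they are not values taken from this PR.
const (
	maxDescriptionLen = 128
	maxIconLen        = 256
)

// lengthError returns an error when s exceeds limit characters (runes, not
// bytes, since a varchar column counts characters).
func lengthError(k, s string, limit int) error {
	if n := utf8.RuneCountInString(s); n > limit {
		return fmt.Errorf("%s: must be at most %d characters, got %d", k, limit, n)
	}
	return nil
}

// validateDescription bounds the description length. The signature mirrors
// terraform-plugin-sdk's schema.SchemaValidateFunc so it could be set as a
// ValidateFunc; the SDK itself is deliberately not imported here.
func validateDescription(i interface{}, k string) ([]string, []error) {
	s, ok := i.(string)
	if !ok {
		return nil, []error{fmt.Errorf("%s: expected string, got %T", k, i)}
	}
	if err := lengthError(k, s, maxDescriptionLen); err != nil {
		return nil, []error{err}
	}
	return nil, nil
}

// validateIcon accepts an absolute http(s) URL or a normalised root-relative
// path such as /icon/region.svg. It rejects other schemes, protocol-relative
// //host/... references, backslashes, unnormalised paths, and any ".."
// segment; url.Parse decodes percent-encoded %2e%2e into Path, so encoded
// traversal is caught by the same segment check.
func validateIcon(i interface{}, k string) ([]string, []error) {
	s, ok := i.(string)
	if !ok {
		return nil, []error{fmt.Errorf("%s: expected string, got %T", k, i)}
	}
	if s == "" {
		return nil, nil // optional field: empty means no icon
	}
	if err := lengthError(k, s, maxIconLen); err != nil {
		return nil, []error{err}
	}
	if strings.ContainsAny(s, "\\\x00") {
		return nil, []error{fmt.Errorf("%s: contains a forbidden character", k)}
	}
	u, err := url.Parse(s)
	if err != nil {
		return nil, []error{fmt.Errorf("%s: not a valid URL or path: %w", k, err)}
	}
	switch {
	case (u.Scheme == "http" || u.Scheme == "https") && u.Host != "":
		return nil, nil // icon hosted on another domain
	case u.Scheme == "" && u.Host == "":
		for _, seg := range strings.Split(u.Path, "/") {
			if seg == ".." {
				return nil, []error{fmt.Errorf("%s: path traversal is not allowed", k)}
			}
		}
		if !strings.HasPrefix(u.Path, "/") || path.Clean(u.Path) != u.Path {
			return nil, []error{fmt.Errorf("%s: must be a normalised root-relative path like /icon/region.svg", k)}
		}
		return nil, nil
	default:
		return nil, []error{fmt.Errorf("%s: only http(s) URLs or root-relative paths are allowed", k)}
	}
}

func main() {
	// Constructed sample values: two that should pass and two that should not.
	for _, v := range []string{"/icon/region.svg", "https://example.com/i.png", "../../etc/passwd", "/icon/%2e%2e/secret.svg"} {
		_, errs := validateIcon(v, "icon")
		fmt.Printf("%-32q -> %v\n", v, errs)
	}
}
```

Running the file prints the verdict for each sample. In the real schema these would sit as `ValidateFunc: validateIcon` and `ValidateFunc: validateDescription` on the two new fields; the point of rejecting at validation time is that a bad value is refused during `terraform plan`, before it is written to the database or handed to the dashboard.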
non-blocking: ideally we should include an example in examples dir
name = "preset" | ||
description = "preset description" | ||
icon = "preset icon" |
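Review bot: `icon = "preset icon"` is neither a URL nor a path, so if a format or length validator is later attached to the icon schema (as discussed in this thread) this test would start failing; a root-relative value of the kind the provider expects, e.g. `icon = "/icon/region.svg"` as mentioned above, keeps the test meaningful and also addresses the nit about realistic values.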
nit: should we use rather realistic values?
I followed the naming convention used by the other parameters, as they follow a similar logic. Since this is an integration test, I don’t think adding realistic values here is necessary.
Description:
This PR adds two new optional fields to the `coder_workspace_preset` Terraform data source:
- `icon`: A URL string pointing to an icon to display in the dashboard.
- `description`: A text field describing the purpose of the preset.
These fields help improve the user experience by allowing presets to be visually distinguished and better documented.

Changes:
- Added `icon` and `description` to the Terraform schema for `coder_workspace_preset`.
- Updated `TestWorkspacePreset`.

Related to: coder/coder#18111