Skip to content

Cherry pick browser request validation improvements #59045

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Nov 28, 2025
Merged

Cherry pick browser request validation improvements #59045

merged 5 commits into from
Nov 28, 2025
+323 −43

Conversation

@edoakes
Copy link
Collaborator

@edoakes edoakes commented Nov 27, 2025
edited
Loading

richo-anyscale and others added 4 commits November 27, 2025 14:04
@richo-anyscale @edoakes
Add denial of fetch headers (ray-project#58553)
99e23d8 
This causes the dashboard to be more thorough in it's attempts to deny
browsers access to the job creation APIs

---------

Signed-off-by: Richo Healey <[email protected]>
Signed-off-by: Edward Oakes <[email protected]>
@edoakes
Cleanup dashboard test and header validation (ray-project#58648)
45b0c01 
Getting rid of the excessive `while True` loops & timeouts in the tests
(we already wait for the dashboard to be up).

Also just cleaned up some comments and naming while I was poking around.

---------

Signed-off-by: Edward Oakes <[email protected]>
@richo-anyscale @edoakes
[core] Test for more browser-specific headers in dashboard browser re…
9ca58e7 
…jection logic (ray-project#59042)

## Description
Adds more headers to the denylist for recognising browser requests and
denying them

## Related issues
Supercedes ray-project#59040

Signed-off-by: Richo Healey <[email protected]>
@edoakes
fix
0389d57 
Signed-off-by: Edward Oakes <[email protected]>
@edoakes edoakes requested a review from a team as a code owner November 27, 2025 20:07
@edoakes edoakes added the go add ONLY when ready to merge, run all tests label Nov 27, 2025
gemini-code-assist[bot]
gemini-code-assist bot reviewed Nov 27, 2025
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request significantly improves the browser request validation by incorporating more robust heuristics, which enhances security against CSRF-like attacks. The changes are accompanied by a comprehensive set of test cases, which is great to see. I have a couple of suggestions to improve the maintainability of the new code.

@ray-gardener ray-gardener bot added serve Ray Serve Related Issue core Issues that should be addressed in Ray Core labels Nov 28, 2025
@aslonnie
Copy link
Collaborator

aslonnie commented Nov 28, 2025

the python 3.10 failure is related to the click thing. force merging.

@aslonnie
Copy link
Collaborator

aslonnie commented Nov 28, 2025

actually, let me wait for the other core tests to finish.

@aslonnie
Copy link
Collaborator

aslonnie commented Nov 28, 2025

merging now.

@aslonnie aslonnie merged commit 9ac1e61 into ray-project:releases/2.51.2 Nov 28, 2025
4 of 6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@richo-anyscale richo-anyscale richo-anyscale approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@richo-anyscale richo-anyscale

@elliot-barn elliot-barn

Labels

core Issues that should be addressed in Ray Core go add ONLY when ready to merge, run all tests serve Ray Serve Related Issue

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@edoakes @aslonnie @richo-anyscale @elliot-barn