fix: DOM-based XSS in job and notebook source URLs #21175

Merged
WeichenXu123 merged 1 commit into mlflow:master from caponetto:fix-xss
Mar 4, 2026

@caponetto caponetto commented Feb 26, 2026

Related Issues/PRs

Closes #21231

What changes are proposed in this pull request?

  • Reuse existing isValidHttpUrl in getJobSourceUrl and getNotebookSourceUrl to reject non-http/https URI schemes, preventing DOM-based XSS (CWE-79) via javascript:, data:, or vbscript: URLs in dynamic href attributes
  • Add early return in renderJobSource and renderNotebookSource to fall back to plain text when the URL is unsafe
  • Add string | null type annotation to workspaceUrl parameters across all four affected functions
  • Add tests covering safe URLs, dangerous schemes, and render fallback behavior

How is this patch tested?

  • Unit tests verify that getJobSourceUrl and getNotebookSourceUrl return empty string for unsafe workspace URLs
  • Unit tests verify that renderJobSource and renderNotebookSource render plain text (no anchor tag) when given a malicious workspace URL

How is this PR tested?

  • Existing unit/integration tests
  • New unit/integration tests
  • Manual tests

Does this PR require documentation update?

  • No. You can skip the rest of this section.
  • Yes. I've updated:
    • Examples
    • API references
    • Instructions

Does this PR require updating the MLflow Skills repository?

  • No. You can skip the rest of this section.
  • Yes. Please link the corresponding PR or explain how you plan to update it.

Release Notes

Is this a user-facing change?

  • No. You can skip the rest of this section.
  • Yes. Give a description of this change to be included in the release notes for MLflow users.

Fixed a DOM-based Cross-Site Scripting (XSS) vulnerability (CWE-79) where unsanitized workspace URLs could be injected into href attributes when rendering notebook and job source links. URLs are now validated to only allow http and https protocols; unsafe URLs are rendered as plain text instead of clickable links.

What component(s), interfaces, languages, and integrations does this PR affect?

Components

  • area/tracking: Tracking Service, tracking client APIs, autologging
  • area/models: MLmodel format, model serialization/deserialization, flavors
  • area/model-registry: Model Registry service, APIs, and the fluent client calls for Model Registry
  • area/scoring: MLflow Model server, model deployment tools, Spark UDFs
  • area/evaluation: MLflow model evaluation features, evaluation metrics, and evaluation workflows
  • area/gateway: MLflow AI Gateway client APIs, server, and third-party integrations
  • area/prompts: MLflow prompt engineering features, prompt templates, and prompt management
  • area/tracing: MLflow Tracing features, tracing APIs, and LLM tracing functionality
  • area/projects: MLproject format, project running backends
  • area/uiux: Front-end, user experience, plotting, JavaScript, JavaScript dev server
  • area/build: Build and test infrastructure for MLflow
  • area/docs: MLflow documentation pages

How should the PR be classified in the release notes? Choose one:

  • rn/none - No description will be included. The PR will be mentioned only by the PR number in the "Small Bugfixes and Documentation Updates" section
  • rn/breaking-change - The PR will be mentioned in the "Breaking Changes" section
  • rn/feature - A new user-facing feature worth mentioning in the release notes
  • rn/bug-fix - A user-facing bug fix worth mentioning in the release notes
  • rn/documentation - A user-facing documentation change worth mentioning in the release notes

Should this PR be included in the next patch release?

Yes should be selected for bug fixes, documentation updates, and other small changes. No should be selected for new features and larger changes. If you're unsure about the release classification of this PR, leave this unchecked to let the maintainers decide.

What is a minor/patch release?
  • Minor release: a release that increments the second part of the version number (e.g., 1.2.0 -> 1.3.0).
    Bug fixes, doc updates and new features usually go into minor releases.
  • Patch release: a release that increments the third part of the version number (e.g., 1.2.0 -> 1.2.1).
    Bug fixes and doc updates usually go into patch releases.
  • Yes (this PR will be cherry-picked and included in the next patch release)
  • No (this PR will be included in the next minor release)
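
The approach the PR description outlines (allow only http/https on the parsed scheme, return an empty string for an unsafe workspace URL, fall back to plain text), shown as an added example that is not taken from the MLflow code base. The function names, the `/jobs/<id>` path layout and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example, not MLflow source. Names and the /jobs/<id> path are hypothetical.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Allowlist check on the *parsed* scheme. The WHATWG URL parser lowercases the
// scheme, trims surrounding whitespace and drops embedded tabs/newlines, so the
// decision is made on the same normalized value a browser would navigate to.
function isHttpUrl(value) {
  if (typeof value !== 'string') return false; // null / undefined workspace URL
  try {
    return ALLOWED_PROTOCOLS.has(new URL(value).protocol);
  } catch {
    return false; // relative or malformed: not a usable absolute link
  }
}

// Returns the link target, or '' when the workspace URL is not http(s).
function buildJobUrl(workspaceUrl, jobId) {
  if (!isHttpUrl(workspaceUrl)) return '';
  return new URL(`/jobs/${encodeURIComponent(jobId)}`, workspaceUrl).href;
}

// Describes what to render: an anchor for a safe URL, plain text otherwise.
function describeJobSource(workspaceUrl, jobId, label) {
  const href = buildJobUrl(workspaceUrl, jobId);
  return href ? { tag: 'a', href, text: label } : { tag: 'span', text: label };
}

// Constructed inputs: one legitimate workspace URL and several unsafe values.
const SAMPLES = [
  'https://workspace.example.com',
  'javascript:void(0)',
  '  JaVaScRiPt:void(0)', // leading whitespace, mixed case
  'java\tscript:void(0)', // embedded tab is dropped by the parser
  'data:text/html,hello',
  'vbscript:msgbox',
  '/relative/path',
  null,
];

// Tag chosen for each sample, in order.
function classifySamples() {
  return SAMPLES.map((s) => describeJobSource(s, '42', 'job 42').tag);
}

console.log(classifySamples().join(' '));
```

Only the first sample yields an anchor; every other value, including the case and whitespace variants that a string-prefix denylist would miss, renders as plain text.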

Copilot AI review requested due to automatic review settings February 26, 2026 17:16
@github-actions github-actions bot added community Community/external contribution size/M labels Feb 26, 2026
@github-actions

🛠 DevTools 🛠

Install mlflow from this PR

# mlflow
pip install git+https://github.com/mlflow/mlflow.git@refs/pull/21175/merge
# mlflow-skinny
pip install git+https://github.com/mlflow/mlflow.git@refs/pull/21175/merge#subdirectory=libs/skinny

For Databricks, use the following command:

%sh curl -LsSf https://raw.githubusercontent.com/mlflow/mlflow/HEAD/dev/install-skinny.sh | sh -s pull/21175/merge

@github-actions github-actions bot added v3.10.1 area/uiux Front-end, user experience, plotting, JavaScript, JavaScript dev server rn/none List under Small Changes in Changelogs. labels Feb 26, 2026

Copilot AI left a comment

Pull request overview

This PR addresses a DOM-based Cross-Site Scripting (XSS) vulnerability (CWE-79) in the MLflow UI by adding URL sanitization for workspace URLs used in job and notebook source links. The vulnerability allowed attackers to inject malicious URLs with dangerous protocols (javascript:, data:, vbscript:) that would execute when users clicked on source links.

Changes:

  • Added sanitizeUrl() utility function that validates URLs to only allow http/https protocols
  • Applied sanitization to getJobSourceUrl() and getNotebookSourceUrl() to block dangerous workspace URLs
  • Updated renderJobSource() and renderNotebookSource() to render plain text instead of links when URLs fail sanitization
  • Added comprehensive test coverage for URL sanitization and fallback behavior

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File | Description
mlflow/server/js/src/common/utils/Utils.tsx | Added sanitizeUrl function and applied it to getJobSourceUrl and getNotebookSourceUrl; updated render functions to handle empty URLs
mlflow/server/js/src/common/utils/Utils.test.tsx | Added comprehensive tests for sanitizeUrl, URL sanitization in get*SourceUrl functions, and render fallback behavior

github-actions bot commented Mar 2, 2026

Documentation preview for e3a20b8 is available at:

More info
  • Ignore this comment if this PR does not change the documentation.
  • The preview is updated when a new commit is pushed to this PR.
  • This comment was created by this workflow run.
  • The documentation was built by this workflow run.

@WeichenXu123 WeichenXu123 left a comment

Overall good. Could you address the comment? Then I can approve and merge it.

Signed-off-by: Guilherme Caponetto <638737+caponetto@users.noreply.github.com>
@caponetto

@WeichenXu123 Thanks for the review! Requested changes are in.

@WeichenXu123 WeichenXu123 enabled auto-merge March 4, 2026 02:41
@WeichenXu123 WeichenXu123 added this pull request to the merge queue Mar 4, 2026
Merged via the queue into mlflow:master with commit bd9f389 Mar 4, 2026
21 of 23 checks passed
daniellok-db pushed a commit to daniellok-db/mlflow that referenced this pull request Mar 5, 2026
Signed-off-by: Guilherme Caponetto <638737+caponetto@users.noreply.github.com>
daniellok-db pushed a commit to daniellok-db/mlflow that referenced this pull request Mar 5, 2026
Signed-off-by: Guilherme Caponetto <638737+caponetto@users.noreply.github.com>
daniellok-db pushed a commit that referenced this pull request Mar 5, 2026
Signed-off-by: Guilherme Caponetto <638737+caponetto@users.noreply.github.com>
caponetto added a commit to caponetto/mlflow that referenced this pull request Mar 6, 2026
Signed-off-by: Guilherme Caponetto <638737+caponetto@users.noreply.github.com>
openshift-merge-bot bot pushed a commit to opendatahub-io/mlflow that referenced this pull request Mar 6, 2026
Signed-off-by: Guilherme Caponetto <638737+caponetto@users.noreply.github.com>

Development

Successfully merging this pull request may close these issues.

[BUG] Security Vulnerability

3 participants