Apply Git branch dropdown select

[vinokurig]

What does this PR do?

• Fetch list of the repository's branches by executing git ls-remote <repo url>
• Reveal the Git branches list to the dropdown in the Git Branch section:

Screenshot/screencast of this PR

What issues does this PR fix or reference?

fixes eclipse-che/che#23171

Is it tested? How?

1. Deploy che with the pull request image: quay.io/eclipse/che-dashboard:pr-
2. Paste a Git repository URL to the Import from Git section.
3. Go to Git Repo Options and click the Git Branch dropdown, see: Git branches list is revealed.
4. Choose a Git branch from the list, see: the git branch is applied to the repository URL.
5. Edit the repository URL to be invalid e.g. https://github.com/vinokurig/t, see: empty branch list warning is shown:

Release Notes

Docs PR

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: vinokurig

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[che-bot]

Click here to review and test in web IDE:

[akurinnoy]

@vinokurig please sanitize the url to prevent injections.

[vinokurig]

I don't think we need to do anything with URLs here; moreover, modifying the URL here can add some edge cases.

[olexii4]

I think the best approach to protect backend just to validate the target URL with provider patterns:

/packages/dashboard-frontend/src/store/Workspaces/Preferences/helpers.ts

export const gitProviderPatterns = {
  github: {
    https: /^https:\/\/github\.com\/([^\\/]+\/[^\\/]+)(?:\/.*)?$/,
    ssh: /^(?:(?:git\+)?ssh:\/\/)?git@github\.com:([^\\/]+\/[^\\/]+?)(?:\.git)?$/,
  },
  gitlab: {
    https: /^https:\/\/gitlab\.com\/([^\\/]+\/[^\\/]+)(?:\/.*)?$/,
    ssh: /^(?:(?:git\+)?ssh:\/\/)?git@gitlab\.com:([^\\/]+\/[^\\/]+?)(?:\.git)?$/,
  },
  bitbucket: {
    https: /^https:\/\/bitbucket\.org\/([^\\/]+\/[^\\/]+)(?:\/.*)?$/,
    ssh: /^(?:(?:git\+)?ssh:\/\/)?git@bitbucket\.org:([^\\/]+\/[^\\/]+?)(?:\.git)?$/,
  },
  azureDevOps: {
    https: /^https:\/\/(?:\w+@)?dev\.azure\.com\/([^\\/]+\/[^\\/]+\/_git\/[^\\/]+?)(?:\?.*)?$/,
    ssh: /^(?:ssh:\/\/)?git@ssh\.dev\.azure\.com:v3\/([^\\/]+\/[^\\/]+\/[^\\/]+)(?:\/[^\\/]+)?$/,
  },
};

If it is valid - execute code. If not - return the proper error.

@akurinnoy WDYT?

[olexii4]

I think we could also add a time-limited cashing option here. Since multiple users may be requesting the same repository(It is optional)

[vinokurig]

With this we will limit the functionality to just 4 supported git providers, server version of supported git providers will not be included. On the other hand, this will protect the dashboard container from executing git ls-remote with suspicious urls.
My proposal is to add a simple http https ssh validation and probably a character quantity limit.
@akurinnoy @svor We need to make a decision here: limited functionality or security protection.

[svor]

we have to support GitLab and Bitbucket servers as well. This providers may have custom host URLs, I'm not sure if the pattern provided above will work

[akurinnoy]

@olexii4 @vinokurig @svor I would also prefer more general URL validation to exclude possible injections.

@olexii4 Regarding the server-side caching, I would rather disagree, because this will introduce security issues. But, the client-side cashing sounds reasonable to me.

[github-actions]

Docker image build succeeded: quay.io/eclipse/che-dashboard:pr-1416

kubectl patch command

kubectl patch -n eclipse-che "checluster/eclipse-che" --type=json -p="[{"op": "replace", "path": "/spec/components/dashboard/deployment", "value": {containers: [{image: "quay.io/eclipse/che-dashboard:pr-1416", name: che-dashboard}]}}]"

[codecov]

Codecov Report

❌ Patch coverage is 84.75452% with 59 lines in your changes missing coverage. Please review.
✅ Project coverage is 92.14%. Comparing base (239203a) to head (2f4b92c).
⚠️ Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
...d-frontend/src/components/ImportFromGit/helpers.ts	50.00%	18 Missing ⚠️
...tend/src/services/backend-client/gitBranchesApi.ts	79.31%	16 Missing and 2 partials ⚠️
...nd/src/devworkspaceClient/services/helpers/exec.ts	10.52%	17 Missing ⚠️
.../dashboard-backend/src/services/gitClient/index.ts	91.17%	3 Missing ⚠️
...cordion/GitRepoOptions/GitBranchDropdown/index.tsx	97.43%	3 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1416      +/-   ##
==========================================
- Coverage   92.18%   92.14%   -0.04%     
==========================================
  Files         511      514       +3     
  Lines       47614    47926     +312     
  Branches     3432     3472      +40     
==========================================
+ Hits        43891    44161     +270     
- Misses       3682     3726      +44     
+ Partials       41       39       -2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

The safest and most effective fix is to validate the url argument in the getBranches function before invoking the run command. This ensures that it cannot begin with a dash (i.e., -) or contain a string that would cause it to be interpreted as a git option rather than a repository address. The validation should accept only valid Git remote URLs (e.g., those beginning with git@, http://, https://, ssh://, or that conform to accepted address formats), and reject any value that could be used for command injection.
The change should be made directly inside the getBranches function, as that is the main sink for the tainted value.
The fix requires either a simple check (rejecting any value that starts with a dash), or a more rigorous check (accepting only URLs that match expected patterns).

---

[github-actions]

Docker image build succeeded: quay.io/eclipse/che-dashboard:pr-1416

kubectl patch command

kubectl patch -n eclipse-che "checluster/eclipse-che" --type=json -p="[{"op": "replace", "path": "/spec/components/dashboard/deployment", "value": {containers: [{image: "quay.io/eclipse/che-dashboard:pr-1416", name: che-dashboard}]}}]"

[svor]

Don’t forget to include Git in the downstream image

[vinokurig]

done, see https://gitlab.cee.redhat.com/codeready-workspaces/devspaces-images/-/merge_requests/1442

[akurinnoy]

Please, use async/await for better readability and maintainability.

[vinokurig]

We need to define the promises explicitly for the Promise.race function.

[akurinnoy]

Please, use async/await for better readability and maintainability.

[akurinnoy]

Please, use async/await for better readability and maintainability.