Cherry pick browser request validation improvements #59045

Merged: aslonnie merged 5 commits into ray-project:releases/2.51.2 from edoakes:eoakes/cp-2.51.2 on Nov 28, 2025

richo-anyscale and others added 4 commits November 27, 2025 14:04
This causes the dashboard to be more thorough in its attempts to deny
browsers access to the job creation APIs

---------

Signed-off-by: Richo Healey <richo@anyscale.com>
Signed-off-by: Edward Oakes <ed.nmi.oakes@gmail.com>
Getting rid of the excessive `while True` loops & timeouts in the tests
(we already wait for the dashboard to be up).

Also just cleaned up some comments and naming while I was poking around.

---------

Signed-off-by: Edward Oakes <ed.nmi.oakes@gmail.com>
…jection logic (ray-project#59042)

## Description
Adds more headers to the denylist for recognising browser requests and
denying them

## Related issues
Supersedes ray-project#59040

Signed-off-by: Richo Healey <richo@anyscale.com>
Signed-off-by: Edward Oakes <ed.nmi.oakes@gmail.com>
@edoakes edoakes requested a review from a team as a code owner November 27, 2025 20:07
@edoakes edoakes added the go add ONLY when ready to merge, run all tests label Nov 27, 2025

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request significantly improves the browser request validation by incorporating more robust heuristics, which enhances security against CSRF-like attacks. The changes are accompanied by a comprehensive set of test cases, which is great to see. I have a couple of suggestions to improve the maintainability of the new code.

Comment thread python/ray/dashboard/optional_utils.py
Comment thread python/ray/dashboard/tests/test_dashboard.py
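
The kind of header denylist check the commit messages above describe, as an added example that is not the PR's code or Ray's implementation. The header names and the `Mozilla` User-Agent prefix are assumptions (the page does not list which headers the PR checks), and `browser_signals`, `should_reject` and the sample requests are constructed for illustration.

```python
from typing import Mapping

# Assumed denylist: headers a browser attaches on its own. Page JavaScript
# cannot set or strip Origin or Sec-* headers (forbidden header names).
BROWSER_ONLY_HEADERS = (
    "origin",
    "sec-fetch-site",
    "sec-fetch-mode",
    "sec-fetch-dest",
    "sec-fetch-user",
)
# Assumed User-Agent prefix sent by mainstream browsers.
BROWSER_UA_PREFIX = "mozilla"


def browser_signals(headers: Mapping[str, str]) -> list:
    """Return the reasons a request looks browser-originated (empty if none)."""
    # HTTP header names are case-insensitive, so normalise before matching.
    lowered = {name.lower(): value for name, value in headers.items()}
    reasons = [name for name in BROWSER_ONLY_HEADERS if name in lowered]
    user_agent = lowered.get("user-agent", "").strip().lower()
    if user_agent.startswith(BROWSER_UA_PREFIX):
        reasons.append("user-agent")
    return reasons


def should_reject(headers: Mapping[str, str]) -> bool:
    """Deny a job-creation request if any single browser signal is present."""
    return bool(browser_signals(headers))


# Constructed sample requests (not taken from the PR or its tests).
SAMPLES = {
    # Scripted API client: no browser-only headers at all.
    "cli": {"User-Agent": "python-requests/2.32.0",
            "Content-Type": "application/json"},
    # Ordinary browser request: browser User-Agent plus Origin.
    "browser": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)",
                "Origin": "https://example.test"},
    # User-Agent does not look like a browser, but fetch metadata gives it away.
    "odd_ua": {"user-agent": "custom-client",
               "SEC-FETCH-SITE": "cross-site",
               "Sec-Fetch-Mode": "no-cors"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, should_reject(hdrs), browser_signals(hdrs))
```

The `odd_ua` case is why a denylist with several headers is stricter than a User-Agent check alone: any one signal is enough to reject.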
@ray-gardener ray-gardener Bot added serve Ray Serve Related Issue core Issues that should be addressed in Ray Core labels Nov 28, 2025
@aslonnie

the python 3.10 failure is related to the click thing. force merging.

@aslonnie

actually, let me wait for the other core tests to finish.

@aslonnie

merging now.

@aslonnie aslonnie merged commit 9ac1e61 into ray-project:releases/2.51.2 Nov 28, 2025
4 of 6 checks passed
weiquanlee pushed a commit to antgroup/ant-ray that referenced this pull request Dec 11, 2025
Cherry pick ray-project#58553 ray-project#58648 ray-project#59042

---------

Signed-off-by: Richo Healey <richo@anyscale.com>
Signed-off-by: Edward Oakes <ed.nmi.oakes@gmail.com>
Co-authored-by: richo-anyscale <richo@anyscale.com>
Co-authored-by: Lonnie Liu <95255098+aslonnie@users.noreply.github.com>