@@ -1,6 +1,30 @@
import { RetryError } from '../../error/http-error';
import { consoleFetch } from '../console-fetch';
import { shouldLogout, validateStatus } from '../console-fetch-utils';
import { shouldLogout, unescapeGoUnicode, validateStatus } from '../console-fetch-utils';

describe('unescapeGoUnicode', () => {
it('should unescape 4-digit Go unicode escapes', () => {
expect(unescapeGoUnicode('\\ue00f')).toBe('\ue00f');
expect(unescapeGoUnicode('\\ue4c8')).toBe('\ue4c8');
});

it('should unescape 8-digit Go unicode escapes for supplementary plane characters', () => {
expect(unescapeGoUnicode('\\U0002ebf0')).toBe(String.fromCodePoint(0x2ebf0));
expect(unescapeGoUnicode('\\U0002ebf1')).toBe(String.fromCodePoint(0x2ebf1));
});

it('should unescape mixed content with normal text and escapes', () => {
const input = 'a啊阿沸犯跃kg\\ue00f\\ue010\\ue011\\ue4c8丙乩h妖哪匸与f去\\U0002ebf0\\U0002ebf1';
const expected = `a啊阿沸犯跃kg\ue00f\ue010\ue011\ue4c8丙乩h妖哪匸与f去${String.fromCodePoint(
0x2ebf0,
)}${String.fromCodePoint(0x2ebf1)}`;
expect(unescapeGoUnicode(input)).toBe(expected);
});

Should we add a test case for invalid/out-of-range escape sequences to ensure the function doesn't throw unexpectedly?


it('should not throw on out-of-range 8-digit escape sequences', () => {
expect(unescapeGoUnicode('\\UFFFFFFFF')).toBe('\\UFFFFFFFF');
});
});

describe('consoleFetch', () => {
const json = async () => ({
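Review bot: The `unescapeGoUnicode` tests have no case for 4-digit values that arguably should stay escaped: a bidi formatting code point such as `'\\u202e'`, a lone surrogate half such as `'\\ud800'`, or a literal backslash in front of the `u` (`'\\\\u0041'`). The only negative case is the out-of-range `\\UFFFFFFFF` one. Add one `it(...)` per case so the intended behaviour is written down and a later change to the regexes cannot alter it silently.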
Expand Up @@ -146,6 +146,18 @@ export const shouldLogout = (url: string): boolean => {
return false;
};

/**
* Converts Go-style Unicode escape sequences (\uXXXX, \UXXXXXXXX) in K8s API error
* messages back to actual Unicode characters for proper display in the browser.
*/
export const unescapeGoUnicode = (str: string): string =>
str
.replace(/\\U([0-9a-fA-F]{8})/g, (match, hex) => {
const codePoint = parseInt(hex, 16);
return codePoint <= 0x10ffff ? String.fromCodePoint(codePoint) : match;
})
.replace(/\\u([0-9a-fA-F]{4})/g, (_, hex) => String.fromCodePoint(parseInt(hex, 16)));

export const validateStatus = async (
response: Response,
url: string,
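Review bot: The 4-digit replace, `.replace(/\\u([0-9a-fA-F]{4})/g, ...)`, decodes every value from 0000 to ffff, so escapes for control characters, bidi formatting characters such as U+202E, and lone surrogate halves (d800 to dfff) are turned back into raw characters in a message that is displayed to the user. If the aim is only to restore readable text, consider returning the match unchanged for those ranges, the way the `\U` branch returns `match` for values above 0x10ffff. Running the two replaces in sequence also lets the output of the first feed the second (`\U0000005c` followed by `u0041` ends up as `A`), which a single pass with one alternation regex would avoid, and a backslash-escaped backslash before `u` is not recognised as such.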
Expand Down Expand Up @@ -183,7 +195,7 @@ export const validateStatus = async (
if (response.status === 403) {
return response.json().then((json) => {
throw new HttpError(
json.message || 'Access denied due to cluster policy.',
unescapeGoUnicode(json.message || 'Access denied due to cluster policy.'),
response.status,
response,
json,
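Review bot: `unescapeGoUnicode(json.message || 'Access denied due to cluster policy.')` assumes `json.message` is a string, but `json` comes straight from `response.json()`; a truthy non-string value would make `str.replace` throw a TypeError inside the `.then`, and the caller would receive that instead of the `HttpError`. Type-check before unescaping, for example by having `unescapeGoUnicode` return its input unchanged when `typeof str !== 'string'`.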
Expand Down Expand Up @@ -217,6 +229,6 @@ export const validateStatus = async (
reason = response.statusText;
}

throw new HttpError(reason, response.status, response, json);
throw new HttpError(unescapeGoUnicode(reason), response.status, response, json);

⚠️ Potential issue | 🟡 Minor

Apply unescape consistently in the 403 JSON error path as well.

Right now unescaping is only applied in this branch; the 403 branch still uses raw json.message, so escaped Unicode can still leak to users there.

💡 Proposed fix
   if (response.status === 403) {
     return response.json().then((json) => {
       throw new HttpError(
-        json.message || 'Access denied due to cluster policy.',
+        unescapeGoUnicode(json.message || 'Access denied due to cluster policy.'),
         response.status,
         response,
         json,
       );
     });
   }
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@frontend/packages/console-dynamic-plugin-sdk/src/utils/fetch/console-fetch-utils.ts`
at line 229, The 403 JSON error branch still passes raw json.message into the
HttpError, so escaped Unicode can leak; update the 403 handling to call
unescapeGoUnicode(json.message) before constructing the HttpError (same as the
other branch that throws new HttpError(unescapeGoUnicode(reason), ...)). Locate
the 403 response branch in console-fetch-utils.ts and replace the raw
json.message usage with unescapeGoUnicode(json.message) when creating the
HttpError so both error paths behave consistently.


The fix was applied here but not to the existing 403 handler above (line 194). Could Unicode escapes also appear in 403 json.message responses? If so, should we apply the same treatment there for consistency?

});
};
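Review bot: In `throw new HttpError(unescapeGoUnicode(reason), response.status, response, json);` only the first argument is unescaped, while the `json` passed as the fourth argument still holds the escaped text, so any code that reads the message from the error's JSON payload rather than from the error message will still show `\uXXXX` sequences. Either add a comment stating that the payload is intentionally left raw, or make sure display code uses the error message only.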