fix: preserve branch info and extract factory parameters correctly

Fixes #23666

PROBLEM:
--------
1. Branch was not taken into account when creating workspace with editor definition
   Example: https://github.com/user/repo/tree/feature?che-editor=che-code
   Result: workspace created from 'main' instead of 'feature'

2. Factory and override parameters were removed from URL but not passed to backend
   Example: https://github.com/user/repo?override.devfileFilename=custom.yaml
   Result: devfile filename override was lost

ROOT CAUSE:
-----------
Factory parameters in query string prevented backend from correctly parsing
branch information, and removed parameters were not extracted to overrideParams.

SOLUTION:
---------
Comprehensive URL sanitization with parameter extraction:

1. sanitizeUrlForFactoryResolver()
   - Returns { sanitizedUrl, extractedOverrideParams }
   - Extracts PROPAGATE_FACTORY_ATTRS to overrideParams
   - Extracts override.* parameters to overrideParams
   - Preserves branch info in URL path (/tree/branch)
   - For Azure DevOps: keeps version/path in URL AND extracts them
   - For SSH: extracts ALL params to overrideParams

2. getRepoFromLocation()
   - Extracts base repository URL without branches
   - Used for trusted sources comparison
   - Ensures any branch of trusted repo is recognized

3. factoryApi.ts
   - Uses sanitizeUrlForFactoryResolver()
   - Merges extracted params with existing overrideParams
   - Sends clean URL and complete overrideParams to backend

BEHAVIOR EXAMPLES:
------------------

HTTP with override params:
  Input:  https://github.com/user/repo?override.devfileFilename=custom.yaml&che-editor=che-code
  URL:    https://github.com/user/repo
  Params: { 'override.devfileFilename': 'custom.yaml', 'che-editor': 'che-code' }

HTTP with branch:
  Input:  https://github.com/user/repo/tree/feature?che-editor=che-code
  URL:    https://github.com/user/repo/tree/feature
  Params: { 'che-editor': 'che-code' }

Azure DevOps (provider-specific params preserved):
  Input:  https://dev.azure.com/org/proj/_git/repo?version=GBmain&che-editor=che-code
  URL:    https://dev.azure.com/org/proj/_git/repo?version=GBmain
  Params: { 'version': 'GBmain', 'che-editor': 'che-code' }

SSH (all params extracted):
  Input:  git@github.com:user/repo.git?revision=main&override.devfileFilename=custom.yaml
  URL:    git@github.com:user/repo.git
  Params: { 'revision': 'main', 'override.devfileFilename': 'custom.yaml' }

SECURITY FIX:
-------------
Implemented robust Azure DevOps domain detection using allowlist approach
to prevent URL spoofing attacks (GitHub Advanced Security alert).

isAzureDevOpsHost() with strict validation:
- Exact match: dev.azure.com
- Subdomain match: *.azure.com (requires >=3 parts, e.g., myorg.azure.com)
- Legacy support: *.visualstudio.com (requires >=3 parts)
- Blocks: azure.com alone, evil.azure.com.attacker.com, attacker.com/azure.com

TESTING:
--------
✅ 88 tests for sanitizeUrlForFactoryResolver (includes new merging tests)
✅ 45 tests for getRepoFromLocation (includes security tests)
✅ 14 tests for factoryApi (updated for new behavior)
✅ 2274 total tests pass
✅ 215 snapshots pass
✅ All linting checks pass

NEW FILES:
----------
- sanitizeUrlForFactoryResolver.ts (returns object with URL and params)
- sanitizeUrlForFactoryResolver.spec.ts (88 tests)
- getRepoFromLocation.ts (base repo extraction)
- getRepoFromLocation.spec.ts (45 tests)
- sanitizeLocation.ts (simple factory param removal)
- sanitizeLocation.spec.ts (10 tests)

MODIFIED FILES:
---------------
- factoryApi.ts (uses new sanitization, merges params)
- factoryApi.spec.ts (updated for extraction behavior)
- helpers.ts (isTrustedRepo with getRepoFromLocation)
- helpers.spec.ts (new tests for factory params)
- UntrustedSourceModal/index.tsx (saves base repo only)

Co-authored-by: GitHub Advanced Security <security@github.com>
Signed-off-by: Oleksii Orel <oorel@redhat.com>

Author: olexii4

packages/dashboard-frontend/src/components/UntrustedSourceModal/index.tsx

@@ -25,6 +25,7 @@ import React from 'react';
 import { connect, ConnectedProps } from 'react-redux';
 
 import { AppAlerts } from '@/services/alerts/appAlerts';
+import { getRepoFromLocation } from '@/services/helpers/factoryFlow/getRepoFromLocation';
 import { RootState } from '@/store';
 import { selectIsAllowedSourcesConfigured } from '@/store/ServerConfig/selectors';
 import { workspacePreferencesActionCreators } from '@/store/Workspaces/Preferences';
@@ -110,8 +111,8 @@ class UntrustedSourceModal extends React.Component<Props, State> {
     if (
       prevProps.isOpen === false &&
       this.props.isOpen === true &&
-      (isTrusted === true || isAllowedSourcesConfigured) &&
-      this.state.canContinue === true
+      (isTrusted || isAllowedSourcesConfigured) &&
+      this.state.canContinue
     ) {
       this.handleContinue();
     }
@@ -163,7 +164,10 @@ class UntrustedSourceModal extends React.Component<Props, State> {
     } else if (trustAllCheckbox) {
       await this.props.addTrustedSource('*');
     } else {
-      await this.props.addTrustedSource(location);
+      // Extract clean repository URL without branches and factory parameters
+      // This ensures we store only the base repo URL for comparison
+      const repoUrl = getRepoFromLocation(location);
+      await this.props.addTrustedSource(repoUrl);
     }
   }
 

packages/dashboard-frontend/src/pages/GetStarted/SamplesList/__tests__/index.spec.tsx

@@ -239,96 +239,6 @@ describe('Samples List', () => {
       );
     });
   });
-
-  describe('SSH URL handling', () => {
-    const preferredPvcStrategy = 'per-workspace';
-
-    test('should handle SSH URL with .git extension', async () => {
-      const sshUrl = 'git@github.com:eclipse-che/che-dashboard.git';
-      const store = new MockStoreBuilder()
-        .withBranding({
-          docs: {
-            storageTypes: 'storage-types-docs',
-          },
-        } as BrandingData)
-        .withDwServerConfig({
-          defaults: {
-            pvcStrategy: preferredPvcStrategy,
-          } as api.IServerConfig['defaults'],
-        })
-        .withDevfileRegistries({
-          registries: {
-            ['registry-url']: {
-              metadata: [
-                {
-                  displayName: 'Test Sample SSH',
-                  description: 'Test sample with SSH URL',
-                  tags: ['Test'],
-                  icon: '/images/test.svg',
-                  links: {
-                    v2: sshUrl,
-                  },
-                },
-              ],
-            },
-          },
-        })
-        .build();
-
-      renderComponent(store, editorDefinition, editorImage);
-
-      const sampleCardButton = screen.getByRole('button', { name: 'Select Sample' });
-      await userEvent.click(sampleCardButton);
-
-      expect(mockWindowOpen).toHaveBeenCalledWith(
-        `${origin}/dashboard/#/load-factory?url=git%40github.com%3Aeclipse-che%2Fche-dashboard.git&che-editor=che-incubator%2Fche-code%2Finsiders&editor-image=custom-editor-image&storageType=${preferredPvcStrategy}`,
-        '_blank',
-      );
-    });
-
-    test('should handle SSH URL with revision parameter', async () => {
-      const sshUrl = 'git@github.com:eclipse-che/che-dashboard.git?revision=test';
-      const store = new MockStoreBuilder()
-        .withBranding({
-          docs: {
-            storageTypes: 'storage-types-docs',
-          },
-        } as BrandingData)
-        .withDwServerConfig({
-          defaults: {
-            pvcStrategy: preferredPvcStrategy,
-          } as api.IServerConfig['defaults'],
-        })
-        .withDevfileRegistries({
-          registries: {
-            ['registry-url']: {
-              metadata: [
-                {
-                  displayName: 'Test Sample SSH with Branch',
-                  description: 'Test sample with SSH URL and revision',
-                  tags: ['Test'],
-                  icon: '/images/test.svg',
-                  links: {
-                    v2: sshUrl,
-                  },
-                },
-              ],
-            },
-          },
-        })
-        .build();
-
-      renderComponent(store, editorDefinition, editorImage);
-
-      const sampleCardButton = screen.getByRole('button', { name: 'Select Sample' });
-      await userEvent.click(sampleCardButton);
-
-      expect(mockWindowOpen).toHaveBeenCalledWith(
-        `${origin}/dashboard/#/load-factory?url=git%40github.com%3Aeclipse-che%2Fche-dashboard.git%3Frevision%3Dtest&che-editor=che-incubator%2Fche-code%2Finsiders&editor-image=custom-editor-image&storageType=${preferredPvcStrategy}`,
-        '_blank',
-      );
-    });
-  });
 });
 
 function getComponent(

packages/dashboard-frontend/src/pages/GetStarted/SamplesList/index.tsx

@@ -25,7 +25,6 @@ import { connect, ConnectedProps } from 'react-redux';
 import SamplesListGallery from '@/pages/GetStarted/SamplesList/Gallery';
 import SamplesListToolbar from '@/pages/GetStarted/SamplesList/Toolbar';
 import { ROUTE } from '@/Routes';
-import { FactoryLocationAdapter } from '@/services/factory-location-adapter';
 import {
   DEV_WORKSPACE_ATTR,
   EDITOR_ATTR,
@@ -98,20 +97,9 @@ class SamplesList extends React.PureComponent<Props, State> {
 
   private async handleSampleCardClick(metadata: DevfileRegistryMetadata): Promise<void> {
     const { editorDefinition, editorImage } = this.props;
-
-    // Handle SSH URLs (git@...) and HTTP(S) URLs differently
-    let factoryUrl: string;
-    if (FactoryLocationAdapter.isSshLocation(metadata.links.v2)) {
-      // SSH URLs should be used as-is
-      factoryUrl = metadata.links.v2;
-    } else {
-      // HTTP(S) URLs need to be parsed and encoded properly
-      const url = new URL(metadata.links.v2);
-      factoryUrl = `${url.origin}${url.pathname}${encodeURIComponent(url.search)}`;
-    }
-
+    const url = new URL(metadata.links.v2);
     const factoryParams: { [key: string]: string } = {
-      [FACTORY_URL_ATTR]: factoryUrl,
+      [FACTORY_URL_ATTR]: `${url.origin}${url.pathname}${encodeURIComponent(url.search)}`,
     };
 
     const _editorDefinition = editorDefinition || this.props.defaultEditorId;

packages/dashboard-frontend/src/services/backend-client/__tests__/factoryApi.spec.ts

@@ -65,13 +65,15 @@ describe('Factory API', () => {
           {},
         );
 
+        // URL params are decoded during processing, version param stays in URL (but also extracted)
         expect(mockPost).toHaveBeenCalledWith('/api/factory/resolver', {
-          url: 'https://test.azure.com/_git/public-repo?version=GBtest/branch',
+          url: 'https://test.azure.com/_git/public-repo?version=GBtest%2Fbranch',
+          version: 'GBtest/branch',
         });
         expect(mockFetchParentDevfile).toHaveBeenCalled();
       });
 
-      it('should preserve revision parameter in HTTP URL and not extract to overrideParams', async () => {
+      it('should extract revision factory parameter from HTTP URL to overrideParams', async () => {
         mockPost.mockResolvedValueOnce({
           data: factoryResolver,
         });
@@ -81,14 +83,16 @@ describe('Factory API', () => {
           {},
         );
 
-        // For HTTP URLs, revision stays in URL and is NOT added to overrideParams
+        // For HTTP URLs, factory params (including revision) are extracted to overrideParams
+        // This ensures clean URLs are sent to backend for proper branch detection
         expect(mockPost).toHaveBeenCalledWith('/api/factory/resolver', {
-          url: 'https://github.com/eclipse-che/che-dashboard.git?revision=my-branch',
+          url: 'https://github.com/eclipse-che/che-dashboard.git',
+          revision: 'my-branch',
         });
         expect(mockFetchParentDevfile).toHaveBeenCalled();
       });
 
-      it('should preserve all parameters in HTTP URL', async () => {
+      it('should extract factory params and preserve non-factory params in HTTP URL', async () => {
         mockPost.mockResolvedValueOnce({
           data: factoryResolver,
         });
@@ -98,16 +102,20 @@ describe('Factory API', () => {
           { existingParam: 'value' },
         );
 
+        // Factory param (revision) extracted to overrideParams
+        // Non-factory params (sparse, df) stay in URL
+        // Existing overrideParams preserved and merged
         expect(mockPost).toHaveBeenCalledWith('/api/factory/resolver', {
-          url: 'https://github.com/user/repo.git?revision=main&sparse=1&df=devfile.yaml',
+          url: 'https://github.com/user/repo.git?sparse=1&df=devfile.yaml',
           existingParam: 'value',
+          revision: 'main',
         });
         expect(mockFetchParentDevfile).toHaveBeenCalled();
       });
     });
 
     describe('SSH locations', () => {
-      it('should extract revision from SSH URL with only revision parameter (user example)', async () => {
+      it('should extract revision from SSH URL to overrideParams', async () => {
         mockPost.mockResolvedValueOnce({
           data: factoryResolver,
         });
@@ -118,15 +126,15 @@ describe('Factory API', () => {
           {},
         );
 
-        // For SSH: ALL params extracted to overrideParams, URL is only the path
+        // For SSH: ALL params extracted to overrideParams, URL is clean
         expect(mockPost).toHaveBeenCalledWith('/api/factory/resolver', {
           url: 'git@github.com:svor/python-hello-world.git',
           revision: 'my-branch',
         });
         expect(mockFetchParentDevfile).toHaveBeenCalled();
       });
 
-      it('should extract all parameters from SSH URL to overrideParams', async () => {
+      it('should extract all params from SSH URL to overrideParams', async () => {
         mockPost.mockResolvedValueOnce({
           data: factoryResolver,
         });
@@ -136,7 +144,7 @@ describe('Factory API', () => {
           {},
         );
 
-        // For SSH: ALL parameters go to overrideParams, URL has no query string
+        // For SSH: ALL params (factory and non-factory) extracted to overrideParams
         expect(mockPost).toHaveBeenCalledWith('/api/factory/resolver', {
           url: 'git@github.com:svor/python-hello-world.git',
           revision: 'my-branch',
@@ -146,7 +154,7 @@ describe('Factory API', () => {
         expect(mockFetchParentDevfile).toHaveBeenCalled();
       });
 
-      it('should extract parameters and merge with existing overrideParams', async () => {
+      it('should merge extracted params with existing overrideParams', async () => {
         mockPost.mockResolvedValueOnce({
           data: factoryResolver,
         });
@@ -156,6 +164,7 @@ describe('Factory API', () => {
           { someParam: 'value', anotherParam: 'test' },
         );
 
+        // Existing overrideParams preserved, URL params extracted and merged
         expect(mockPost).toHaveBeenCalledWith('/api/factory/resolver', {
           url: 'git@github.com:svor/python-hello-world.git',
           someParam: 'value',
@@ -179,21 +188,22 @@ describe('Factory API', () => {
         expect(mockFetchParentDevfile).toHaveBeenCalled();
       });
 
-      it('should decode URL-encoded parameters correctly', async () => {
+      it('should extract and decode URL parameters from SSH URL', async () => {
         mockPost.mockResolvedValueOnce({
           data: factoryResolver,
         });
 
         await getFactoryResolver('git@github.com:user/repo.git?revision=feature%2Fmy-branch', {});
 
+        // revision extracted to overrideParams and decoded
         expect(mockPost).toHaveBeenCalledWith('/api/factory/resolver', {
           url: 'git@github.com:user/repo.git',
           revision: 'feature/my-branch',
         });
         expect(mockFetchParentDevfile).toHaveBeenCalled();
       });
 
-      it('should override existing params with URL params', async () => {
+      it('should merge URL params with existing overrideParams', async () => {
         mockPost.mockResolvedValueOnce({
           data: factoryResolver,
         });
@@ -204,17 +214,17 @@ describe('Factory API', () => {
           keepThis: 'value',
         });
 
-        // URL params should override existing overrideParams
+        // URL params override existing overrideParams with same key
         expect(mockPost).toHaveBeenCalledWith('/api/factory/resolver', {
           url: 'git@github.com:user/repo.git',
-          revision: 'from-url',
-          sparse: '2',
-          keepThis: 'value',
+          revision: 'from-url', // Overridden by URL param
+          sparse: '2', // Overridden by URL param
+          keepThis: 'value', // Preserved from initial overrideParams
         });
         expect(mockFetchParentDevfile).toHaveBeenCalled();
       });
 
-      it('should handle complex SSH URL with multiple parameters', async () => {
+      it('should extract all parameters from complex SSH URL', async () => {
         mockPost.mockResolvedValueOnce({
           data: factoryResolver,
         });
@@ -224,7 +234,7 @@ describe('Factory API', () => {
           {},
         );
 
-        // All parameters extracted, URL is clean path only
+        // ALL params extracted to overrideParams
         expect(mockPost).toHaveBeenCalledWith('/api/factory/resolver', {
           url: 'git@gitlab.com:team/project.git',
           revision: 'develop',
@@ -235,17 +245,21 @@ describe('Factory API', () => {
         expect(mockFetchParentDevfile).toHaveBeenCalled();
       });
 
-      it('should handle SSH URL with only non-revision parameters', async () => {
+      it('should extract override.* parameters from SSH URL', async () => {
         mockPost.mockResolvedValueOnce({
           data: factoryResolver,
         });
 
-        await getFactoryResolver('git@github.com:user/repo.git?sparse=1&df=devfile.yaml', {});
+        await getFactoryResolver(
+          'git@github.com:user/repo.git?revision=main&override.devfileFilename=custom.yaml',
+          {},
+        );
 
+        // ALL params including override.* extracted
         expect(mockPost).toHaveBeenCalledWith('/api/factory/resolver', {
           url: 'git@github.com:user/repo.git',
-          sparse: '1',
-          df: 'devfile.yaml',
+          revision: 'main',
+          'override.devfileFilename': 'custom.yaml',
         });
         expect(mockFetchParentDevfile).toHaveBeenCalled();
       });

packages/dashboard-frontend/src/services/backend-client/factoryApi.ts

@@ -14,7 +14,7 @@ import axios from 'axios';
 
 import { cheServerPrefix } from '@/services/backend-client/const';
 import { getParentDevfile } from '@/services/backend-client/parentDevfileApi';
-import { FactoryLocationAdapter } from '@/services/factory-location-adapter';
+import { sanitizeUrlForFactoryResolver } from '@/services/helpers/factoryFlow/sanitizeUrlForFactoryResolver';
 import { FactoryResolver } from '@/services/helpers/types';
 
 export async function getFactoryResolver(
@@ -24,24 +24,18 @@ export async function getFactoryResolver(
   if (url.indexOf(' ') !== -1) {
     url = encodeURI(url);
   }
-  // In the case of the Azure repository, the search parameters are encoded twice and need to be decoded.
-  if (url.indexOf('?') !== -1) {
-    const [path, search] = url.split('?');
-    if (FactoryLocationAdapter.isHttpLocation(url)) {
-      url = `${path}?${decodeURIComponent(search)}`;
-    } else {
-      // For SSH locations: extract ALL parameters to overrideParams and use only the path
-      const searchParams = new URLSearchParams(decodeURIComponent(search));
-      searchParams.forEach((value, key) => {
-        overrideParams = { ...overrideParams, [key]: value };
-      });
-      // SSH URLs should not have query parameters - use only the path
-      url = path;
-    }
-  }
+
+  // Sanitize URL by extracting factory-specific and override query parameters
+  // This ensures the backend receives a clean URL for proper branch detection,
+  // while still passing all necessary factory configurations via overrideParams.
+  const { sanitizedUrl, extractedOverrideParams } = sanitizeUrlForFactoryResolver(
+    url,
+    overrideParams,
+  );
+
   const response = await axios.post(
     `${cheServerPrefix}/factory/resolver`,
-    Object.assign({}, overrideParams, { url }),
+    Object.assign({}, extractedOverrideParams, { url: sanitizedUrl }),
   );
 
   const factoryResolver: FactoryResolver = response.data;