Enhances custom avatar functionality with approval system for URL templates

(#5155)

Author: sergeibbb

packages/git/src/remotes/custom.ts

@@ -35,6 +35,10 @@ export class CustomRemoteProvider extends RemoteProvider {
 		return [];
 	}
 
+	get avatarUrlTemplate(): string | undefined {
+		return this.urls.avatar;
+	}
+
 	getUrlForAvatar(email: string, size: number): string | undefined {
 		if (this.urls.avatar == null) return undefined;
 

src/avatars.ts

@@ -1,4 +1,5 @@
-import { EventEmitter, Uri } from 'vscode';
+import type { MessageItem } from 'vscode';
+import { EventEmitter, Uri, window, workspace } from 'vscode';
 import type { CommitAuthor } from '@gitlens/git/models/author.js';
 import { CustomRemoteProvider } from '@gitlens/git/remotes/custom.js';
 import { getGitHubNoReplyAddressParts } from '@gitlens/git/remotes/github.js';
@@ -247,18 +248,19 @@ async function getAvatarUriFromRemoteProvider(
 				});
 			}
 
-			if (!account) {
+			if (!account?.avatarUrl) {
 				const remoteWithProvider = await Container.instance.git
 					.getRepositoryService(repoPathOrCommit.repoPath)
 					.remotes.getBestRemoteWithProvider();
 
 				if (remoteWithProvider?.provider instanceof CustomRemoteProvider) {
-					const avatarUrl = remoteWithProvider.provider.getUrlForAvatar(email, size);
+					const avatarUrl = getApprovedCustomRemoteAvatarUrl(remoteWithProvider.provider, email, size);
 					if (avatarUrl != null) {
 						avatar.uri = Uri.parse(avatarUrl);
 						avatar.timestamp = Date.now();
 						avatar.retries = 0;
 						avatarCache.set(`${md5(email.trim().toLowerCase())}:${size}`, { ...avatar });
+						_onDidFetchAvatar.fire({ email: email });
 						return avatar.uri;
 					}
 				}
@@ -316,6 +318,76 @@ export function getPresenceDataUri(status: ContactPresenceStatus): string {
 	return dataUri;
 }
 
+const promptedAvatarTemplates = new Set<string>();
+
+function getApprovedCustomRemoteAvatarUrl(
+	provider: CustomRemoteProvider,
+	email: string,
+	size: number,
+): string | undefined {
+	// Avatar templates from `gitlens.remotes` may originate from workspace settings
+	// — only honor them in a trusted workspace
+	if (!workspace.isTrusted) return undefined;
+
+	const template = provider.avatarUrlTemplate;
+	if (template == null) return undefined;
+
+	const approval = getAvatarTemplateApproval(template);
+	if (approval === 'allow') {
+		return provider.getUrlForAvatar(email, size);
+	}
+	if (approval === 'deny') {
+		return undefined;
+	}
+
+	// Unknown template — prompt the user (non-blocking) and fall through to fallback avatar
+	void promptForAvatarTemplateApproval(template);
+	return undefined;
+}
+
+function getAvatarTemplateApproval(template: string): 'allow' | 'deny' | undefined {
+	const approvals = Container.instance.storage.get('avatars:approvedRemoteTemplates');
+	if (approvals == null) return undefined;
+	return Object.hasOwn(approvals, template) ? approvals[template] : undefined;
+}
+
+async function setAvatarTemplateApproval(template: string, decision: 'allow' | 'deny'): Promise<void> {
+	const approvals: Record<string, 'allow' | 'deny'> = Object.create(null);
+	Object.assign(approvals, Container.instance.storage.get('avatars:approvedRemoteTemplates'));
+	approvals[template] = decision;
+	await Container.instance.storage.store('avatars:approvedRemoteTemplates', approvals);
+}
+
+async function promptForAvatarTemplateApproval(template: string): Promise<void> {
+	if (promptedAvatarTemplates.has(template)) return;
+
+	promptedAvatarTemplates.add(template);
+
+	const allow: MessageItem = { title: 'Allow' };
+	const deny: MessageItem = { title: 'Deny' };
+	const notNow: MessageItem = { title: 'Not Now', isCloseAffordance: true };
+
+	const result = await window.showInformationMessage(
+		`The \`gitlens.remotes\` setting in this workspace includes an avatar URL template that will be requested for every commit author.\n\nTemplate: ${template}\n\nDo you trust this workspace to make these requests?`,
+		allow,
+		deny,
+		notNow,
+	);
+
+	if (result === allow) {
+		await setAvatarTemplateApproval(template, 'allow');
+		resetAvatarCache('failed');
+	} else if (result === deny) {
+		await setAvatarTemplateApproval(template, 'deny');
+	}
+}
+
+export function resetApprovedAvatarTemplates(): Promise<void> {
+	promptedAvatarTemplates.clear();
+	resetAvatarCache('failed');
+	return Container.instance.storage.delete('avatars:approvedRemoteTemplates');
+}
+
 export function resetAvatarCache(reset: 'all' | 'failed' | 'fallback'): void {
 	switch (reset) {
 		case 'all':

src/commands/resets.ts

@@ -1,6 +1,6 @@
 import type { MessageItem } from 'vscode';
 import { ConfigurationTarget, window } from 'vscode';
-import { resetAvatarCache } from '../avatars.js';
+import { resetApprovedAvatarTemplates, resetAvatarCache } from '../avatars.js';
 import type { Container } from '../container.js';
 import type { QuickPickItemOfT } from '../quickpicks/items/common.js';
 import { createQuickPickSeparator } from '../quickpicks/items/common.js';
@@ -12,6 +12,7 @@ const resetTypes = [
 	'ai',
 	'ai:confirmations',
 	'avatars',
+	'avatars:approvedTemplates',
 	'integrations',
 	'onboarding',
 	'previews',
@@ -47,6 +48,11 @@ export class ResetCommand extends GlCommandBase {
 				detail: 'Clears the stored avatar cache',
 				item: 'avatars',
 			},
+			{
+				label: 'Approved Avatar URL Templates...',
+				detail: 'Clears approvals granted to custom remote avatar URL templates',
+				item: 'avatars:approvedTemplates',
+			},
 			{
 				label: 'Integrations (Authentication)...',
 				detail: 'Clears any locally stored authentication for integrations',
@@ -131,6 +137,11 @@ export class ResetCommand extends GlCommandBase {
 				confirmationMessage = 'Are you sure you want to reset the avatar cache?';
 				confirm.title = 'Reset Avatars';
 				break;
+			case 'avatars:approvedTemplates':
+				confirmationMessage =
+					'Are you sure you want to reset all approvals for custom remote avatar URL templates?';
+				confirm.title = 'Reset Approved Avatar URL Templates';
+				break;
 			case 'integrations':
 				confirmationMessage = 'Are you sure you want to reset all of the stored integrations?';
 				confirm.title = 'Reset Integrations';
@@ -205,6 +216,10 @@ export class ResetCommand extends GlCommandBase {
 				resetAvatarCache('all');
 				break;
 
+			case 'avatars:approvedTemplates':
+				await resetApprovedAvatarTemplates();
+				break;
+
 			case 'integrations':
 				await this.container.integrations.reset();
 				break;

src/constants.storage.ts

@@ -34,6 +34,7 @@ export type IntegrationAuthenticationKeys =
 export const enum SyncedStorageKeys {
 	Version = 'gitlens:synced:version',
 	PreReleaseVersion = 'gitlens:synced:preVersion',
+	ApprovedAvatarRemoteTemplates = 'gitlens:avatars:approvedRemoteTemplates',
 }
 
 export type DeprecatedGlobalStorage = {
@@ -87,6 +88,7 @@ interface GlobalStorageCore {
 	avatars: [string, StoredAvatar][];
 	'ai:scope:compose:model': AIProviderAndModel;
 	'ai:scope:review:model': AIProviderAndModel;
+	'avatars:approvedRemoteTemplates': Record<string, 'allow' | 'deny'>;
 	'confirm:ai:generateCommits': boolean;
 	'confirm:ai:tos': boolean;
 	repoVisibility: [string, StoredRepoVisibilityInfo][];

src/extension.ts

@@ -311,7 +311,12 @@ export function deactivate(): void {
 // }
 
 function setKeysForSync(context: ExtensionContext, ...keys: (SyncedStorageKeys | string)[]) {
-	context.globalState?.setKeysForSync([...keys, SyncedStorageKeys.Version, SyncedStorageKeys.PreReleaseVersion]);
+	context.globalState?.setKeysForSync([
+		...keys,
+		SyncedStorageKeys.ApprovedAvatarRemoteTemplates,
+		SyncedStorageKeys.Version,
+		SyncedStorageKeys.PreReleaseVersion,
+	]);
 }
 
 function registerBuiltInActionRunners(container: Container): void {