MINOR - React and Java telemetry

[TeddyCr]

Describe your changes:

Added telemetry for UI and Java

Type of change:

• Bug fix
• Improvement
• New feature
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation

Checklist:

• I have read the CONTRIBUTING document.
• My PR title is Fixes <issue-number>: <short explanation>
• I have commented on my code, particularly in hard-to-understand areas.
• For JSON Schema changes: I updated the migration scripts or explained why it is not needed.

---

Summary by Gitar

• Refactored telemetry injection:
  • Optimized IndexResource to pre-process Sentry environment variables into CONFIG_PROCESSED_HTML during static initialization.
  • Implemented escapeJs utility using StringEscapeUtils to sanitize environment variables before injection into the UI template.
• Improved code efficiency:
  • Removed redundant instance-level indexHtml state and legacy initialize method.
  • Streamlined getIndex response generation by centralizing configuration replacement logic.

_{This will update automatically on new commits.}

[Copilot]

Pull request overview

This PR adds server-side placeholder substitution to the UI index.html payload so telemetry-related configuration (e.g., Sentry settings), cluster name, and application version can be injected at render time.

Changes:

• Populate additional index.html placeholders (sentryDsn, sentryEnvironment, sentryTraceSampleRate) from environment variables.
• Populate clusterName from OPENMETADATA_CLUSTER_NAME.
• Populate appVersion from VersionResource’s catalog version.

[gitar-bot]

Code Review ✅ Approved 3 resolved / 3 findings

Integrates React and Java telemetry while resolving Sentry placeholder injection, redundant resource re-evaluation, and unescaped environment variable exposure. No issues found.

✅ 3 resolved

✅ Bug: Sentry placeholders not replaced in getIndex() endpoint path

📄 openmetadata-service/src/main/java/org/openmetadata/service/resources/system/IndexResource.java:46-48 📄 openmetadata-service/src/main/java/org/openmetadata/service/resources/system/IndexResource.java:87-96
The new sentry/cluster/version replacements (lines 56-66) are only applied in the static getIndexFile(String basePath) method, which is used by OpenMetadataAssetServlet. However, the getIndex() JAX-RS endpoint (line 87-96) serves this.indexHtml, which is only processed by initialize() (line 46-48). Since initialize() only replaces ${basePath}, the getIndex() endpoint will serve HTML containing literal unreplaced placeholders like ${sentryDsn}, ${sentryEnvironment}, ${sentryTraceSampleRate}, ${clusterName}, and ${appVersion}.

The same replacements need to be applied in initialize() (or indexHtml should be computed using getIndexFile).

✅ Performance: Env vars and VersionResource re-evaluated on every request

📄 openmetadata-service/src/main/java/org/openmetadata/service/resources/system/IndexResource.java:53-66
getIndexFile() is called on every HTML-serving request from OpenMetadataAssetServlet. Each call reads 4 environment variables via System.getenv(), instantiates a new VersionResource, and performs 6 string replacements on the full HTML. These values (env vars, app version) are effectively static for the lifetime of the process. The result should be computed once and cached, not recomputed per request.

✅ Security: Env var values injected into HTML without escaping

📄 openmetadata-service/src/main/java/org/openmetadata/service/resources/system/IndexResource.java:56-65
Environment variable values (SENTRY_UI_DSN, SENTRY_ENVIRONMENT, OPENMETADATA_CLUSTER_NAME, etc.) are interpolated directly into the HTML template without HTML/JS escaping. If any env var contains characters like </script> or similar HTML-significant content, it could break the page or introduce an XSS vector. While these values are controlled by server administrators (reducing practical risk), defensive escaping is good practice for any value injected into HTML.

Options

Display: compact → Showing less information.

Comment with these commands to change:

Compact

gitar display:verbose

_{Was this helpful? React with 👍 / 👎 | Gitar}

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

[Copilot]

New logic injects multiple telemetry-related placeholders into the index HTML, but there are no tests asserting that these new placeholders are correctly replaced and safely escaped. Adding a test fixture /assets/index.html that includes the new tokens (or updating the existing test resource) and asserting the output of getIndexFile(...) contains the resolved values would prevent regressions (e.g., placeholders leaking to the client).

[Copilot]

getIndex() always calls getIndexFile("/", cspNonce) which hardcodes the basePath to /. This bypasses the configured base path used elsewhere (e.g., OpenMetadataAssetServlet passes config.getBasePath()), and would break deployments served under a non-root base path if this JAX-RS resource is used. Consider deriving the basePath from configuration (as before) or from the request context, instead of hardcoding /.

[Copilot]

The static HTML preprocessing replaces ${sentryDsn}, ${sentryEnvironment}, ${sentryTraceSampleRate}, ${clusterName}, and ${appVersion}. In the current repo, neither openmetadata-ui/src/main/resources/ui/index.html nor the test /assets/index.html contains these placeholders, so these replacements will be no-ops unless the built /assets/index.html template is also updated during the UI build/packaging. Please ensure the served /assets/index.html actually includes these tokens (or adjust the replacement keys accordingly), otherwise the telemetry config won’t be injected.

[sonarqubecloud]

Quality Gate passed for 'open-metadata-ingestion'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

🟡 Playwright Results — all passed (13 flaky)

✅ 3961 passed · ❌ 0 failed · 🟡 13 flaky · ⏭️ 86 skipped

Shard	Passed	Failed	Flaky	Skipped
✅ Shard 1	299	0	0	4
🟡 Shard 2	739	0	5	8
🟡 Shard 3	746	0	2	7
🟡 Shard 4	757	0	2	18
✅ Shard 5	687	0	0	41
🟡 Shard 6	733	0	4	8

🟡 13 flaky test(s) (passed on retry)

• Features/ActivityAPI.spec.ts › Activity event is created when description is updated (shard 2, 1 retry)
• Features/ActivityAPI.spec.ts › Activity event shows the actor who made the change (shard 2, 1 retry)
• Features/ColumnBulkOperations.spec.ts › should navigate through pages (shard 2, 1 retry)
• Features/DataQuality/TestCaseImportExportE2eFlow.spec.ts › Admin: Complete export-import-validate flow (shard 2, 1 retry)
• Features/DataQuality/TestCaseResultPermissions.spec.ts › User with only VIEW cannot PATCH results (shard 2, 1 retry)
• Features/RTL.spec.ts › Verify Following widget functionality (shard 3, 1 retry)
• Features/Workflows/WorkflowOssRestrictions.spec.ts › delete-node-button absent in node config sidebar (structural edit blocked) (shard 3, 1 retry)
• Pages/DataContracts.spec.ts › Create Data Contract and validate for Table (shard 4, 1 retry)
• Pages/DataContractsSemanticRules.spec.ts › Validate Description Rule Is_Set (shard 4, 1 retry)
• Features/AutoPilot.spec.ts › Create Service and check the AutoPilot status (shard 6, 1 retry)
• Pages/Lineage/LineageFilters.spec.ts › Verify lineage schema filter selection (shard 6, 1 retry)
• Pages/Lineage/LineageRightPanel.spec.ts › Verify custom properties tab IS visible for supported type: searchIndex (shard 6, 1 retry)
• Pages/UserDetails.spec.ts › Create team with domain and verify visibility of inherited domain in user profile after team removal (shard 6, 1 retry)

📦 Download artifacts

How to debug locally

# Download playwright-test-results-<shard> artifact and unzip
npx playwright show-trace path/to/trace.zip    # view trace