"Open from URL" as URL Parameter

Is it possible to use the “Open from URL” Feature as an URL Parameter? For instance Project Jupyter | Home git repository!

I would like to use JupyterLab in some of our Moodle Learning Courses. An a “dream” feature ist that I can link to jpynb file, that is hosted in github (or anywhere else).

best regards

jt

It sounds like you may be describing nbgitpuller? It’s limited to git repositories because of the way it retrieves and tries to merge smartly.

Myself, I’ve only used it to provide links to open MyBinder sessions with a certain environment and specifically retrieve & open a notebook in a different repo or even in a gist. However, if you are able to provide links to your institutional JupyterHub in Moodle, it should work for that, too. You’d need to put nbgitpuller in your student’s environment.


Example nbgitpuller URL:

https://mybinder.org/v2/gh/fomightez/cl_sq_demo-binder/master?urlpath=git-pull%3Frepo%3Dhttps%253A%252F%252Fgist.github.com%252Ffomightez%252Fb534ce8e6693e50d9099cbf59dd45632%26urlpath%3Dtree%252Fb534ce8e6693e50d9099cbf59dd45632%252Fnarrow_to_ranges_nb.ipynb

Breakdown of that URL:
The part in front of the question mark, https://mybinder.org/v2/gh/fomightez/cl_sq_demo-binder/master specifies the hub to use with the environment specified by my Github repo cl_sq_demo-binder. That repo has a configuration file that details the environment that MyBinder sessions launched from there will have; it also has some notebooks; however, not the one I hope to use nbgitpuller to retrieve and open in the MyBinder served session, which is just a fancy JupyterHub. After the question mark is git-pull%3Frepo that tells it to use nbgitpuller to pull from a repo. The repo to pull from follow, in this example it is actually one of my gists. The urlpath%3Dtree part specifies to open the notebook I point at in the classic notebook mode. That notebook, narrow_to_ranges_nb.ipynb, is specified in the last part of the URL.

Because these can be complex to build given the length and many pieces, the nbgitpuller includes a tool to help construct the links.

1 Like

I think @jtut might be refering to JupyterLab’s built in Open from URL:

I wasn’t aware of it until just now, and I agree it would be great if a notebook could be passed in as a query argument, either with an extension or as a core feature.

1 Like

I don’t think a “zero click”, URL-based arbitrary file fetcher is going to land in core any time soon, for much the same reason as pre-running code by URL parameter, or automatically running cells.

I think these things will not land in core lab, as they are some of the last few protections against arbitrary code execution: if removed, it’s just so much easier to achieve an abuse of every “as shipped” system, just by clicking a link.

Once a user/sysadmin/major cloud provider (ahem) knowingly installs something that circumvents some of the last lines of defense against running arbitrary code, then that system belongs to you, warts and all… and core can’t prevent such a thing from working, or somehow make it “safe.”

2 Likes

Good point! Definitely best left for an extension then.

If someone wants to have a go at writing one this is the code for the existing menu item:

1 Like

Hello and many thanks to the answers to my posting! I understand the security aspect, but what is the difference between loading python code from the (clients) file system and loading python code from an external web server?

It is always a problem to be as secure as possible and make it students as easy to use a service :wink: !

best regards

jtut

Running arbitrary code is like installing random packages off the internet without pausing to think about it. If that happens by clicking on a single carefully/maliciously-crafted link, that’s kind of a problem.

On your computer, (whether on your own physical hardware, or in the cloud) you are free to do whatever you want. You can install any software, and any dependencies of that software. Some of that software might be bad: see the recent news about politically-motivated malware! But also, reputable package managers will usually pull stuff that is known to be malware.

Once it’s all working if you want to go to the URL…

http://localhost:8888/lab?url=https://a-malicious.site/malware.ipynb&autorun=1

…then you are totally free to do that, provided you can find an extension that will help you do it. You are also then free to rebuild your computer after that malware steals all your passwords, starts mining cryptocurrencies, or worse.

On e.g. binderhub, one gets a link, gets a brand new computer in the cloud, inside a container, and that container is thrown away after being idle for 10 minutes. If you want to try out that malware link, go for it! Worst thing that happens is you get shut off due to abuse protection, because that’s a thing the container orchestrator knows how to do.

The waste a dedicated container entails is usually a good trade-off vs having to rebuild a hand-crafted server when a single bad actor uses it: any site on the internet will be visited by bad actors within hours of going online, and the only way to really fix a machine after it’s been exploited is a factory reset.