getsentry · nsdeschenes · May 21, 2026 · May 20, 2026 · May 20, 2026 · May 20, 2026
diff --git a/static/app/components/events/breadcrumbs/breadcrumbItemContent.tsx b/static/app/components/events/breadcrumbs/breadcrumbItemContent.tsx
@@ -15,7 +15,7 @@ import {
 } from 'sentry/types/breadcrumbs';
 import {defined} from 'sentry/utils';
 import {ellipsize} from 'sentry/utils/string/ellipsize';
-import {isUrl} from 'sentry/utils/string/isUrl';
+import {isValidUrl} from 'sentry/utils/string/isValidUrl';
 import {usePrismTokens} from 'sentry/utils/usePrismTokens';
 
 const DEFAULT_STRUCTURED_DATA_PROPS = {
@@ -133,13 +133,13 @@ function HTTPCrumbContent({
     status_code: statusCode,
     ...otherData
   } = cleanBreadcrumbData(breadcrumb?.data) ?? {};
-  const isValidUrl = !meta && defined(url) && isUrl(url);
+  const showUrlAsLink = !meta && defined(url) && isValidUrl(url);
   return (
     <Fragment>
       {children}
       <BreadcrumbText>
         {defined(method) && `${method}: `}
-        {isValidUrl ? (
+        {showUrlAsLink ? (
           <Link
             role="link"
             onClick={() => openNavigateToExternalLinkModal({linkText: url})}

@@ -21,7 +21,7 @@ import type {DetailedProject} from 'sentry/types/project';
 import {escapeIssueTagKey, generateQueryWithTag} from 'sentry/utils';
 import {isEmptyObject} from 'sentry/utils/object/isEmptyObject';
 import {useUpdateProject} from 'sentry/utils/project/useUpdateProject';
-import {isUrl} from 'sentry/utils/string/isUrl';
+import {isValidUrl} from 'sentry/utils/string/isValidUrl';
 import {useCopyToClipboard} from 'sentry/utils/useCopyToClipboard';
 import {useLocation} from 'sentry/utils/useLocation';
 import {useOrganization} from 'sentry/utils/useOrganization';
@@ -303,7 +303,7 @@ function EventTagsTreeRowDropdown({
     {
       key: 'external-link',
       label: t('Visit this external link'),
-      hidden: !isUrl(content.value),
+      hidden: !isValidUrl(content.value),
       onAction: () => {
         openNavigateToExternalLinkModal({linkText: content.value});
       },
@@ -418,7 +418,7 @@ function EventTagsTreeValue({
       tagValue = defaultValue;
   }
 
-  return isUrl(content.value) ? (
+  return isValidUrl(content.value) ? (
     <TagLinkText>
       <ExternalLink
         onClick={e => {

@@ -12,7 +12,7 @@ import {Pills} from 'sentry/components/pills';
 import {IconOpen} from 'sentry/icons';
 import {t} from 'sentry/locale';
 import type {StackTraceMechanism} from 'sentry/types/stacktrace';
-import {isUrl} from 'sentry/utils/string/isUrl';
+import {isValidUrl} from 'sentry/utils/string/isValidUrl';
 
 type Props = {
   data: StackTraceMechanism;
@@ -24,7 +24,7 @@ export function Mechanism({data: mechanism, meta: mechanismMeta}: Props) {
 
   const {errno, signal, mach_exception} = meta;
 
-  const linkElement = help_link && isUrl(help_link) && (
+  const linkElement = help_link && isValidUrl(help_link) && (
     <StyledExternalLink href={help_link}>
       <IconOpen size="xs" />
     </StyledExternalLink>

@@ -6,7 +6,7 @@ import {ExternalLink} from '@sentry/scraps/link';
 
 import {openNavigateToExternalLinkModal} from 'sentry/actionCreators/modal';
 import {IconOpen} from 'sentry/icons';
-import {isUrl} from 'sentry/utils/string/isUrl';
+import {isValidUrl} from 'sentry/utils/string/isValidUrl';
 
 interface RenderLinksInTextProps {
   exceptionText: string;
@@ -38,10 +38,10 @@ export const renderLinksInText = ({
 
   const elements = parts.flatMap((part, index) => {
     const url = urls[index]!;
-    const isUrlValid = isUrl(url);
+    const linkIsValid = isValidUrl(url);
 
     let link: ReactElement | undefined;
-    if (isUrlValid) {
+    if (linkIsValid) {
       link = (
         <ExternalLink
           key={`link-${index}`}

@@ -22,7 +22,7 @@ import type {Frame} from 'sentry/types/event';
 import type {Meta} from 'sentry/types/group';
 import type {PlatformKey} from 'sentry/types/project';
 import {defined} from 'sentry/utils';
-import {isUrl} from 'sentry/utils/string/isUrl';
+import {isValidUrl} from 'sentry/utils/string/isValidUrl';
 
 /**
  * File paths can get very long, so increase it for the tooltips within this component.
@@ -60,7 +60,7 @@ export function DefaultTitle({
 
   const handleExternalLink = (event: React.MouseEvent<HTMLAnchorElement>) => {
     event.stopPropagation();
-    if (isPotentiallyThirdParty && frame.absPath && isUrl(frame.absPath)) {
+    if (isPotentiallyThirdParty && frame.absPath && isValidUrl(frame.absPath)) {
       event.preventDefault();
       openNavigateToExternalLinkModal({linkText: frame.absPath});
     }
@@ -164,7 +164,7 @@ export function DefaultTitle({
       );
     }
 
-    if (frame.absPath && isUrl(frame.absPath)) {
+    if (frame.absPath && isValidUrl(frame.absPath)) {
       title.push(
         <StyledExternalLink href={frame.absPath} key="share" onClick={handleExternalLink}>
           <IconOpen size="xs" />

@@ -5,7 +5,7 @@ import type {PlatformKey} from 'sentry/types/project';
 import type {StacktraceType} from 'sentry/types/stacktrace';
 import {defined} from 'sentry/utils';
 import {isEmptyObject} from 'sentry/utils/object/isEmptyObject';
-import {isUrl} from 'sentry/utils/string/isUrl';
+import {isValidUrl} from 'sentry/utils/string/isValidUrl';
 import {safeURL} from 'sentry/utils/url/safeURL';
 
 export function trimPackage(pkg: string) {
@@ -182,7 +182,7 @@ export function isPotentiallyThirdPartyFrame(frame: Frame, event: Event): boolea
 
   const eventOrigin = extractEventOrigin(event);
 
-  if (!frame.absPath || !isUrl(eventOrigin) || !isUrl(frame.absPath)) {
+  if (!frame.absPath || !isValidUrl(eventOrigin) || !isValidUrl(frame.absPath)) {
     return false;
   }
 

@@ -23,7 +23,7 @@ import {t, tct} from 'sentry/locale';
 import type {EntryRequest, Event} from 'sentry/types/event';
 import {EntryType} from 'sentry/types/event';
 import {defined} from 'sentry/utils';
-import {isUrl} from 'sentry/utils/string/isUrl';
+import {isValidUrl} from 'sentry/utils/string/isValidUrl';
 import {SectionKey} from 'sentry/views/issueDetails/streamline/context';
 import {FoldSection} from 'sentry/views/issueDetails/streamline/foldSection';
 
@@ -133,7 +133,7 @@ export function Request({data, event}: RequestProps) {
 
   let fullUrl = getFullUrl(data);
 
-  if (!isUrl(fullUrl)) {
+  if (!isValidUrl(fullUrl)) {
     // Check if the url passed in is a safe url to avoid XSS
     fullUrl = undefined;
   }

@@ -16,7 +16,7 @@ import {t} from 'sentry/locale';
 import type {Event, Frame} from 'sentry/types/event';
 import type {PlatformKey} from 'sentry/types/project';
 import {defined} from 'sentry/utils';
-import {isUrl} from 'sentry/utils/string/isUrl';
+import {isValidUrl} from 'sentry/utils/string/isValidUrl';
 
 function getFrameDisplayPath(frame: Frame, platform: PlatformKey, event: Event) {
   const framePlatform = getPlatform(frame.platform, platform);
@@ -197,7 +197,8 @@ function FrameLocationTooltip({
   frame: Frame;
   frameDisplayPath: string;
 }) {
-  const externalUrl = frame.absPath && isUrl(frame.absPath) ? frame.absPath : undefined;
+  const externalUrl =
+    frame.absPath && isValidUrl(frame.absPath) ? frame.absPath : undefined;
   const absPath =
     frame.absPath && frame.absPath !== frameDisplayPath && !externalUrl
       ? frame.absPath

diff --git a/static/app/components/structuredEventData/linkHint.tsx b/static/app/components/structuredEventData/linkHint.tsx
@@ -6,15 +6,15 @@ import {openNavigateToExternalLinkModal} from 'sentry/actionCreators/modal';
 import {IconOpen} from 'sentry/icons';
 import {t} from 'sentry/locale';
 import {defined} from 'sentry/utils';
-import {isUrl} from 'sentry/utils/string/isUrl';
+import {isValidUrl} from 'sentry/utils/string/isValidUrl';
 
 interface Props {
   value: string;
   meta?: Record<any, any>;
 }
 
 export function LinkHint({meta, value}: Props) {
-  if (!isUrl(value) || defined(meta)) {
+  if (!isValidUrl(value) || defined(meta)) {
     return null;
   }
 

@@ -57,7 +57,7 @@ import {toPercent} from 'sentry/utils/number/toPercent';
 import {generateProfileFlamechartRouteWithQuery} from 'sentry/utils/profiling/routes';
 import {Projects} from 'sentry/utils/projects';
 import {decodeScalar} from 'sentry/utils/queryString';
-import {isUrl} from 'sentry/utils/string/isUrl';
+import {isValidUrl} from 'sentry/utils/string/isValidUrl';
 import {type DashboardFilters, type Widget} from 'sentry/views/dashboards/types';
 import {
   findLinkedDashboardForField,
@@ -360,7 +360,7 @@ export const FIELD_FORMATTERS: FieldFormatters = {
           ? data[field]
           : emptyValue;
 
-      if (isUrl(value)) {
+      if (isValidUrl(value)) {
         return (
           <Tooltip title={value} containerDisplayMode="block" showOnlyOnOverflow>
             <Container>
@@ -586,7 +586,7 @@ const SPECIAL_FIELDS: Record<string, SpecialField> = {
           maxWidth={400}
         >
           <Container>
-            {isUrl(value) ? (
+            {isValidUrl(value) ? (
               <ExternalLink href={value}>{value}</ExternalLink>
             ) : (
               nullableValue(value)

@@ -0,0 +1,27 @@
+import {isValidUrl} from 'sentry/utils/string/isValidUrl';
+
+describe('isValidUrl', () => {
+  it.each([
+    'https://example.com/path',
+    'http://localhost:8080/api',
+    'http://my-service/api',
+    'http://127.0.0.1/path',
+    'http://[::1]/path',
+  ])('returns true for navigable URL %s', url => {
+    expect(isValidUrl(url)).toBe(true);
+  });
+
+  it.each([
+    'not-a-url',
+    'ftp://example.com/path',
+    'http://*/v1/api/auth/register',
+    'http://{host}/v1/api/auth/register',
+  ])('returns false for non-navigable URL %s', url => {
+    expect(isValidUrl(url)).toBe(false);
+  });
+
+  it('returns false for javascript URLs', () => {
+    // eslint-disable-next-line no-script-url
+    expect(isValidUrl('javascript:void(0)')).toBe(false);
+  });
+});
@@ -1,12 +1,17 @@
 import {isUrl} from 'sentry/utils/string/isUrl';
 
+// URL.parse accepts hostnames like `*` or `{host}` that are not real navigable hosts.
+// Reject wildcard/template characters so we render these as plain text instead of links.
+const INVALID_HOSTNAME_CHARS = /[*{}]/;
+
 export function isValidUrl(str: any): boolean {
   // javascript:void(0) is a valid url so ensure it starts with http:// or https://
   if (!isUrl(str)) {
     return false;
   }
   try {
-    return !!new URL(str);
+    const {hostname} = new URL(str);
+    return !!hostname && !INVALID_HOSTNAME_CHARS.test(hostname);
   } catch {
     return false;
   }

@@ -180,6 +180,36 @@
       );
     });
 
+    it('does not offer link actions for wildcard URLs', async () => {
+      const urlView = EventView.fromLocation(
+        LocationFixture({
+          query: {
+            ...location.query,
+            field: ['url'],
+          },
+        })
+      );
+
+      render(
+        <CellAction
+          dataRow={{url: 'http://*/v1/api/auth/register'}}
+          column={urlView.getColumns()[0]!}
+          handleCellAction={handleCellAction}
+        >
+          <strong>http://*/v1/api/auth/register</strong>
+        </CellAction>
+      );
+
+      await openMenu();
+
+      expect(
+        screen.queryByRole('menuitemradio', {name: 'Open external link'})
+      ).not.toBeInTheDocument();
+      expect(
+        screen.queryByRole('menuitemradio', {name: 'Open link'})
+      ).not.toBeInTheDocument();
+    });
+
     it('error.handled with null adds condition', async () => {
       renderComponent({
         eventView: view,

@@ -18,7 +18,7 @@ import {
 } from 'sentry/utils/discover/fields';
 import {getDuration} from 'sentry/utils/duration/getDuration';
 import {FieldKey} from 'sentry/utils/fields';
-import {isUrl} from 'sentry/utils/string/isUrl';
+import {isValidUrl} from 'sentry/utils/string/isValidUrl';
 import type {MutableSearch} from 'sentry/utils/tokenizeSearch';
 import {stripURLOrigin} from 'sentry/utils/url/stripURLOrigin';
 
@@ -301,7 +301,7 @@ function makeCellActions({
     );
   }
 
-  if (isUrl(value)) {
+  if (isValidUrl(value)) {
     addMenuItem(Actions.OPEN_EXTERNAL_LINK, t('Open external link'));
   }
 

@@ -11,7 +11,7 @@ import {defined} from 'sentry/utils';
 import type {EventsMetaType} from 'sentry/utils/discover/eventView';
 import {type RenderFunctionBaggage} from 'sentry/utils/discover/fieldRenderers';
 import {isEmptyObject} from 'sentry/utils/object/isEmptyObject';
-import {isUrl} from 'sentry/utils/string/isUrl';
+import {isValidUrl} from 'sentry/utils/string/isValidUrl';
 import {useCopyToClipboard} from 'sentry/utils/useCopyToClipboard';
 import {prettifyAttributeName} from 'sentry/views/explore/components/traceItemAttributes/utils';
 import type {TraceItemResponseAttribute} from 'sentry/views/explore/hooks/useTraceItemDetails';
@@ -418,7 +418,7 @@ function AttributesTreeRowDropdown({
   ];
 
   // Add external link option if the value is a URL
-  if (isUrl(String(content.value))) {
+  if (isValidUrl(String(content.value))) {
     items.push({
       key: 'external-link',
       label: t('Visit this external link'),

@@ -5,7 +5,7 @@ import {openNavigateToExternalLinkModal} from 'sentry/actionCreators/modal';
 import {ExternalLink} from 'sentry/components/links/externalLink';
 import {StructuredEventData} from 'sentry/components/structuredEventData';
 import {type RenderFunctionBaggage} from 'sentry/utils/discover/fieldRenderers';
-import {isUrl} from 'sentry/utils/string/isUrl';
+import {isValidUrl} from 'sentry/utils/string/isValidUrl';
 import {AnnotatedAttributeTooltip} from 'sentry/views/explore/components/annotatedAttributeTooltip';
 import {InlineJsonHighlight} from 'sentry/views/explore/components/traceItemAttributes/inlineJsonHighlight';
 import {getAttributeItem} from 'sentry/views/explore/components/traceItemAttributes/utils';
@@ -95,7 +95,7 @@ export function AttributesTreeValue<RendererExtra extends RenderFunctionBaggage>
     );
   }
 
-  if (isUrl(value)) {
+  if (isValidUrl(value)) {
     return (
       <AttributeLinkText>
         <ExternalLink

@@ -302,4 +302,33 @@ describe('FieldRenderer tests', () => {
     );
     expect(screen.getByTestId('platform-icon-javascript')).toBeInTheDocument();
   });
+
+  it('renders wildcard URL span names as plain text without link actions', async () => {
+    const wildcardUrl = 'http://*/v1/api/auth/register';
+    render(
+      <Wrapper>
+        <FieldRenderer
+          column={eventView.getColumns()[6]}
+          data={{
+            ...mockedEventData,
+            'span.name': wildcardUrl,
+          }}
+          meta={{}}
+        />
+      </Wrapper>,
+      {organization}
+    );
+
+    expect(screen.getByText(wildcardUrl)).toBeInTheDocument();
+    expect(screen.queryByRole('link')).not.toBeInTheDocument();
+
+    await userEvent.click(screen.getByRole('button', {name: 'Actions'}));
+
+    expect(
+      screen.queryByRole('menuitemradio', {name: 'Open external link'})
+    ).not.toBeInTheDocument();
+    expect(
+      screen.queryByRole('menuitemradio', {name: 'Open link'})
+    ).not.toBeInTheDocument();
+  });
 });