Use a forced CSP-compliant interpreter with Vega visualizations (#2352)

* Pass `options` to `vega.parse` to enable inclusion of parsed ASTs * Introduce the forced CSP-compliant interpreter that prevents evaluation of unsafe methods * Modified the consumed `leaflet-vega` package to one that honors `options` Signed-off-by: Miki <miki@amazon.com> Signed-off-by: Miki <miki@amazon.com> (cherry picked from commit bebbcca)
opensearch-project · Sep 15, 2022 · 4d4b31e · 4d4b31e
1 parent fe96b02
commit 4d4b31e
Show file tree

Hide file tree

Showing 6 changed files with 22 additions and 8 deletions.
diff --git a/package.json b/package.json
@@ -390,7 +390,7 @@
     "leaflet": "1.5.1",
     "leaflet-draw": "0.4.14",
     "leaflet-responsive-popup": "0.6.4",
-    "leaflet-vega": "^0.8.6",
+    "leaflet-vega": "npm:@amoo-miki/leaflet-vega@0.8.8",
     "leaflet.heat": "0.2.0",
     "less": "^4.1.2",
     "license-checker": "^16.0.0",
@@ -442,6 +442,7 @@
     "typescript": "4.0.2",
     "ui-select": "0.19.8",
     "vega": "^5.17.3",
+    "vega-interpreter": "npm:@amoo-miki/vega-forced-csp-compliant-interpreter@1.0.6",
     "vega-lite": "^4.16.8",
     "vega-schema-url-parser": "^2.1.0",
     "vega-tooltip": "^0.24.2",

diff --git a/src/plugins/vis_type_vega/public/lib/vega.js b/src/plugins/vis_type_vega/public/lib/vega.js
@@ -30,5 +30,6 @@
 
 import * as vegaLite from 'vega-lite/build-es5/vega-lite';
 import * as vega from 'vega/build-es5/vega';
+import { expressionInterpreter as vegaExpressionInterpreter } from 'vega-interpreter/build/vega-interpreter.module';
 
-export { vega, vegaLite };
+export { vega, vegaLite, vegaExpressionInterpreter };
diff --git a/src/plugins/vis_type_vega/public/vega_view/vega_base_view.js b/src/plugins/vis_type_vega/public/vega_view/vega_base_view.js
@@ -31,7 +31,7 @@
 import $ from 'jquery';
 import moment from 'moment';
 import dateMath from '@elastic/datemath';
-import { vega, vegaLite } from '../lib/vega';
+import { vega, vegaLite, vegaExpressionInterpreter } from '../lib/vega';
 import { Utils } from '../data_model/utils';
 import { euiPaletteColorBlind } from '@elastic/eui';
 import { i18n } from '@osd/i18n';
@@ -79,6 +79,7 @@ export class VegaBaseView {
     this._timefilter = opts.timefilter;
     this._view = null;
     this._vegaViewConfig = null;
+    this._vegaViewOptions = null;
     this._$messages = null;
     this._destroyHandlers = [];
     this._initialized = false;
@@ -130,6 +131,7 @@ export class VegaBaseView {
       });
 
       this._vegaViewConfig = this.createViewConfig();
+      this._vegaViewOptions = { ast: true };
 
       // The derived class should create this method
       await this._initViewCustomizations();
@@ -185,6 +187,7 @@ export class VegaBaseView {
       // eslint-disable-next-line import/namespace
       logLevel: vega.Warn, // note: eslint has a false positive here
       renderer: this._parser.renderer,
+      expr: vegaExpressionInterpreter,
     };
 
     // Override URL sanitizer to prevent external data loading (if disabled)

diff --git a/src/plugins/vis_type_vega/public/vega_view/vega_map_view.js b/src/plugins/vis_type_vega/public/vega_view/vega_map_view.js
@@ -144,6 +144,7 @@ export class VegaMapView extends VegaBaseView {
         bindingsContainer: this._$controls.get(0),
         delayRepaint: mapConfig.delayRepaint,
         viewConfig: this._vegaViewConfig,
+        viewOptions: this._vegaViewOptions,
         onWarning: this.onWarn.bind(this),
         onError: this.onError.bind(this),
       },

diff --git a/src/plugins/vis_type_vega/public/vega_view/vega_view.js b/src/plugins/vis_type_vega/public/vega_view/vega_view.js
@@ -36,7 +36,10 @@ export class VegaView extends VegaBaseView {
     // In some cases, Vega may be initialized twice... TBD
     if (!this._$container) return;
 
-    const view = new vega.View(vega.parse(this._parser.spec), this._vegaViewConfig);
+    const view = new vega.View(
+      vega.parse(this._parser.spec, null, this._vegaViewOptions),
+      this._vegaViewConfig
+    );
 
     view.warn = this.onWarn.bind(this);
     view.error = this.onError.bind(this);

diff --git a/yarn.lock b/yarn.lock
@@ -11664,10 +11664,10 @@ leaflet-responsive-popup@0.6.4:
   resolved "https://registry.yarnpkg.com/leaflet-responsive-popup/-/leaflet-responsive-popup-0.6.4.tgz#b93d9368ef9f96d6dc911cf5b96d90e08601c6b3"
   integrity sha512-2D8G9aQA6NHkulDBPN9kqbUCkCpWQQ6dF0xFL11AuEIWIbsL4UC/ZPP5m8GYM0dpU6YTlmyyCh1Tz+cls5Q4dg==
 
-leaflet-vega@^0.8.6:
-  version "0.8.6"
-  resolved "https://registry.yarnpkg.com/leaflet-vega/-/leaflet-vega-0.8.6.tgz#dd4090a6123cb983c2b732d53ec9e4daa53736b2"
-  integrity sha1-3UCQphI8uYPCtzLVPsnk2qU3NrI=
+"leaflet-vega@npm:@amoo-miki/leaflet-vega@0.8.7":
+  version "0.8.7"
+  resolved "https://registry.yarnpkg.com/@amoo-miki/leaflet-vega/-/leaflet-vega-0.8.7.tgz#8faca1b4b8e2ef7d48667ac6faad9204f4da7153"
+  integrity sha512-T4M5yziwj3Fi9Adsbce+cdWqPjON0BRwEjwqLlPMoirU1vhifA6YKrlZkVzJrK0IIm+hdfMCLkBz33gD8fdxzQ==
   dependencies:
     vega-spec-injector "^0.0.2"
 
@@ -18077,6 +18077,11 @@ vega-hierarchy@~4.1.0:
     vega-dataflow "^5.7.3"
     vega-util "^1.15.2"
 
+"vega-interpreter@npm:@amoo-miki/vega-forced-csp-compliant-interpreter@1.0.5":
+  version "1.0.5"
+  resolved "https://registry.yarnpkg.com/@amoo-miki/vega-forced-csp-compliant-interpreter/-/vega-forced-csp-compliant-interpreter-1.0.5.tgz#49970be9b00ca7e45ced0617fbf373c77a28aab4"
+  integrity sha512-lfeU77lVoUbSCC6N1ywdKg+I6K08xpkd82TLon+LebtKyC8aLCe7P5Dd/89zAPyFwRyobKftHu8z0xpV7R7a4Q==
+
 vega-label@~1.2.0:
   version "1.2.0"
   resolved "https://registry.yarnpkg.com/vega-label/-/vega-label-1.2.0.tgz#bcb2659aec54f890f9debab3e41ab87a58292dce"