Skip to content

Commit

Permalink
Use a forced CSP-compliant interpreter with Vega visualizations (#2352)
Browse files Browse the repository at this point in the history
* Pass `options` to `vega.parse` to enable inclusion of parsed ASTs
* Introduce the forced CSP-compliant interpreter that prevents evaluation of unsafe methods
* Modified the consumed `leaflet-vega` package to one that honors `options`

Signed-off-by: Miki <miki@amazon.com>
Co-authored-by: Anan Zhuang <ananzh@amazon.com>

(cherry picked from commit bebbcca)
  • Loading branch information
ananzh authored Sep 15, 2022
1 parent 3877f98 commit 553d509
Show file tree
Hide file tree
Showing 6 changed files with 22 additions and 8 deletions.
3 changes: 2 additions & 1 deletion package.json
Original file line number Diff line number Diff line change
Expand Up @@ -411,7 +411,7 @@
"leaflet": "1.5.1",
"leaflet-draw": "0.4.14",
"leaflet-responsive-popup": "0.6.4",
"leaflet-vega": "^0.8.6",
"leaflet-vega": "npm:@amoo-miki/leaflet-vega@0.8.8",
"leaflet.heat": "0.2.0",
"less": "npm:@elastic/less@2.7.3-kibana",
"license-checker": "^16.0.0",
Expand Down Expand Up @@ -459,6 +459,7 @@
"typescript": "4.0.2",
"ui-select": "0.19.8",
"vega": "^5.17.3",
"vega-interpreter": "npm:@amoo-miki/vega-forced-csp-compliant-interpreter@1.0.6",
"vega-lite": "^4.16.8",
"vega-schema-url-parser": "^2.1.0",
"vega-tooltip": "^0.24.2",
Expand Down
3 changes: 2 additions & 1 deletion src/plugins/vis_type_vega/public/lib/vega.js
Original file line number Diff line number Diff line change
Expand Up @@ -32,5 +32,6 @@

import * as vegaLite from 'vega-lite/build-es5/vega-lite';
import * as vega from 'vega/build-es5/vega';
import { expressionInterpreter as vegaExpressionInterpreter } from 'vega-interpreter/build/vega-interpreter.module';

export { vega, vegaLite };
export { vega, vegaLite, vegaExpressionInterpreter };
5 changes: 4 additions & 1 deletion src/plugins/vis_type_vega/public/vega_view/vega_base_view.js
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@
import $ from 'jquery';
import moment from 'moment';
import dateMath from '@elastic/datemath';
import { vega, vegaLite } from '../lib/vega';
import { vega, vegaLite, vegaExpressionInterpreter } from '../lib/vega';
import { Utils } from '../data_model/utils';
import { euiPaletteColorBlind } from '@elastic/eui';
import { i18n } from '@osd/i18n';
Expand Down Expand Up @@ -81,6 +81,7 @@ export class VegaBaseView {
this._timefilter = opts.timefilter;
this._view = null;
this._vegaViewConfig = null;
this._vegaViewOptions = null;
this._$messages = null;
this._destroyHandlers = [];
this._initialized = false;
Expand Down Expand Up @@ -132,6 +133,7 @@ export class VegaBaseView {
});

this._vegaViewConfig = this.createViewConfig();
this._vegaViewOptions = { ast: true };

// The derived class should create this method
await this._initViewCustomizations();
Expand Down Expand Up @@ -187,6 +189,7 @@ export class VegaBaseView {
// eslint-disable-next-line import/namespace
logLevel: vega.Warn, // note: eslint has a false positive here
renderer: this._parser.renderer,
expr: vegaExpressionInterpreter,
};

// Override URL sanitizer to prevent external data loading (if disabled)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -145,6 +145,7 @@ export class VegaMapView extends VegaBaseView {
bindingsContainer: this._$controls.get(0),
delayRepaint: mapConfig.delayRepaint,
viewConfig: this._vegaViewConfig,
viewOptions: this._vegaViewOptions,
onWarning: this.onWarn.bind(this),
onError: this.onError.bind(this),
},
Expand Down
5 changes: 4 additions & 1 deletion src/plugins/vis_type_vega/public/vega_view/vega_view.js
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,10 @@ export class VegaView extends VegaBaseView {
// In some cases, Vega may be initialized twice... TBD
if (!this._$container) return;

const view = new vega.View(vega.parse(this._parser.spec), this._vegaViewConfig);
const view = new vega.View(
vega.parse(this._parser.spec, null, this._vegaViewOptions),
this._vegaViewConfig
);

view.warn = this.onWarn.bind(this);
view.error = this.onError.bind(this);
Expand Down
13 changes: 9 additions & 4 deletions yarn.lock
Original file line number Diff line number Diff line change
Expand Up @@ -15724,10 +15724,10 @@ leaflet-responsive-popup@0.6.4:
resolved "https://registry.yarnpkg.com/leaflet-responsive-popup/-/leaflet-responsive-popup-0.6.4.tgz#b93d9368ef9f96d6dc911cf5b96d90e08601c6b3"
integrity sha512-2D8G9aQA6NHkulDBPN9kqbUCkCpWQQ6dF0xFL11AuEIWIbsL4UC/ZPP5m8GYM0dpU6YTlmyyCh1Tz+cls5Q4dg==

leaflet-vega@^0.8.6:
version "0.8.6"
resolved "https://registry.yarnpkg.com/leaflet-vega/-/leaflet-vega-0.8.6.tgz#dd4090a6123cb983c2b732d53ec9e4daa53736b2"
integrity sha1-3UCQphI8uYPCtzLVPsnk2qU3NrI=
"leaflet-vega@npm:@amoo-miki/leaflet-vega@0.8.8":
version "0.8.8"
resolved "https://registry.yarnpkg.com/@amoo-miki/leaflet-vega/-/leaflet-vega-0.8.8.tgz#675abf37d72fbea859755e982f4fd19dea776557"
integrity sha512-W2gGgFDxzy/XUx+fQJfz0NYVXsKl7V+G6QywiMcOV5NEodDId9c60up7NNf+cfM7ggpo+5BuLqrKmosuGO1CsA==
dependencies:
vega-spec-injector "^0.0.2"

Expand Down Expand Up @@ -24397,6 +24397,11 @@ vega-hierarchy@~4.0.9:
vega-dataflow "^5.7.3"
vega-util "^1.15.2"

"vega-interpreter@npm:@amoo-miki/vega-forced-csp-compliant-interpreter@1.0.6":
version "1.0.6"
resolved "https://registry.yarnpkg.com/@amoo-miki/vega-forced-csp-compliant-interpreter/-/vega-forced-csp-compliant-interpreter-1.0.6.tgz#5cffdf12b7fe12dc936194edd9e8519506c38716"
integrity sha512-9S5nTTVd8JVKobcWp5iwirIeePiamwH1J9uSZPuG5kcF0TUBvGu++ERKjNdst5Qck7e4R6/7vjx2wVf58XUarg==

vega-label@~1.0.0:
version "1.0.0"
resolved "https://registry.yarnpkg.com/vega-label/-/vega-label-1.0.0.tgz#c3bea3a608a62217ca554ecc0f7fe0395d81bd1b"
Expand Down

0 comments on commit 553d509

Please sign in to comment.