
Use a forced CSP-compliant interpreter with Vega visualizations #2352

Merged

Conversation

AMoo-Miki
Collaborator

  • Pass options to vega.parse to enable inclusion of parsed ASTs
  • Introduce the forced CSP-compliant interpreter that prevents evaluation of unsafe methods
  • Modified the consumed leaflet-vega package to one that honors options

Signed-off-by: Miki <miki@amazon.com>

Check List

  • New functionality includes testing.
    • All tests pass
      • yarn test:jest
      • yarn test:jest_integration
      • yarn test:ftr
  • New functionality has been documented.
  • Commits are signed per the DCO using --signoff

* Pass `options` to `vega.parse` to enable inclusion of parsed ASTs
* Introduce the forced CSP-compliant interpreter that prevents evaluation of unsafe methods
* Modified the consumed `leaflet-vega` package to one that honors `options`

Signed-off-by: Miki <miki@amazon.com>
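As an added illustration of the approach the PR title describes (this is neither Vega's interpreter nor code from this PR; the AST shape, the function allowlist and the sample expressions are constructed here), a CSP-compliant evaluator walks a pre-parsed expression AST instead of compiling expression strings with `new Function`, and rejects any call or property read that is not on its allowlist:

```javascript
// Added illustration, not Vega's or this PR's interpreter: a tree walk over a
// pre-parsed expression AST instead of `new Function`/`eval` (which a CSP
// without 'unsafe-eval' forbids), with an allowlist for calls and property
// reads. The AST shape is simplified and constructed for this example.
// Callable functions; a Map so names like 'constructor' never resolve via a prototype.
const SAFE_FUNCTIONS = new Map([['abs', Math.abs], ['max', Math.max], ['min', Math.min]]);
// Property names that lead out of the data object into the JS runtime.
const BLOCKED_PROPS = new Set(['constructor', '__proto__', 'prototype']);

class UnsafeExpressionError extends Error {}

// Read a property only if it is the object's own property and not blocked.
function readProp(obj, name) {
  if (BLOCKED_PROPS.has(name) || obj === null || typeof obj !== 'object' ||
      !Object.prototype.hasOwnProperty.call(obj, name)) {
    throw new UnsafeExpressionError(`blocked property: ${name}`);
  }
  return obj[name];
}

// Walk the AST and compute a value; `scope` is the data the expression may
// read (here one `datum` object, as a Vega signal or transform would see).
function evaluate(node, scope) {
  switch (node.type) {
    case 'Literal': return node.value;
    case 'Identifier': return readProp(scope, node.name);
    case 'MemberExpression': return readProp(evaluate(node.object, scope), node.property);
    case 'BinaryExpression': {
      const l = evaluate(node.left, scope), r = evaluate(node.right, scope);
      if (node.operator === '*') return l * r;
      if (node.operator === '>') return l > r;
      throw new UnsafeExpressionError(`unsupported operator: ${node.operator}`);
    }
    case 'CallExpression': {
      const fn = SAFE_FUNCTIONS.get(node.callee);
      if (!fn) throw new UnsafeExpressionError(`blocked call: ${node.callee}`);
      return fn(...node.arguments.map((a) => evaluate(a, scope)));
    }
    default: throw new UnsafeExpressionError(`unsupported node: ${node.type}`);
  }
}

// Constructed sample AST for the expression: max(datum.price, 3) * 2 > 10
const field = (p) => ({ type: 'MemberExpression', object: { type: 'Identifier', name: 'datum' }, property: p });
const lit = (v) => ({ type: 'Literal', value: v });
const SAFE_AST = { type: 'BinaryExpression', operator: '>',
  left: { type: 'BinaryExpression', operator: '*',
    left: { type: 'CallExpression', callee: 'max', arguments: [field('price'), lit(3)] },
    right: lit(2) },
  right: lit(10) };
// Constructed sample that tries to leave the datum: datum.constructor
const BLOCKED_AST = field('constructor');
```

A real deployment would hand the parsed AST to the interpreter only after this kind of check, and log the rejection so a spec that reaches for the runtime is visible in monitoring.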
@AMoo-Miki AMoo-Miki requested a review from a team as a code owner September 14, 2022 19:16
@codecov-commenter

Codecov Report

Merging #2352 (6751076) into main (77af7f9) will decrease coverage by 0.00%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main    #2352      +/-   ##
==========================================
- Coverage   66.55%   66.55%   -0.01%     
==========================================
  Files        3169     3170       +1     
  Lines       60313    60318       +5     
  Branches     9182     9181       -1     
==========================================
+ Hits        40141    40144       +3     
- Misses      17979    17981       +2     
  Partials     2193     2193              
Impacted Files Coverage Δ
...ns/vis_type_vega/public/vega_view/vega_map_view.js 54.34% <ø> (ø)
...s/vis_type_vega/public/vega_view/vega_base_view.js 56.09% <100.00%> (+0.54%) ⬆️
...lugins/vis_type_vega/public/vega_view/vega_view.js 100.00% <100.00%> (ø)
...izard/public/application/utils/use/use_can_save.ts 11.11% <0.00%> (-1.39%) ⬇️
...public/visualizations/vislib/area/to_expression.ts 9.09% <0.00%> (ø)
...public/visualizations/vislib/line/to_expression.ts 9.09% <0.00%> (ø)
...c/visualizations/vislib/histogram/to_expression.ts 9.09% <0.00%> (ø)
...isualizations/vislib/common/get_pipeline_params.ts 33.33% <0.00%> (ø)
...rd/public/application/utils/get_top_nav_config.tsx 3.22% <0.00%> (+0.19%) ⬆️


@ashwin-pc
Member

@AMoo-Miki

  1. Have we pushed the fix upstream to the vega repo?
  2. Do we have an issue to track removing the dependency on your repo once vega fixes the CVE?

version "0.8.6"
resolved "https://registry.yarnpkg.com/leaflet-vega/-/leaflet-vega-0.8.6.tgz#dd4090a6123cb983c2b732d53ec9e4daa53736b2"
integrity sha1-3UCQphI8uYPCtzLVPsnk2qU3NrI=
"leaflet-vega@npm:@amoo-miki/leaflet-vega@0.8.7":
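Review bot: the new `leaflet-vega@npm:@amoo-miki/leaflet-vega@0.8.7` entry aliases the package to a personal npm scope, so confirm the lock records a `resolved` URL and an `integrity` hash for 0.8.7 exactly as the 0.8.6 entry above does; without that pin, a later publish under that scope could change what `yarn install` fetches. The old entry's `integrity` is `sha1-...`, which is weaker than the sha512 digests current yarn emits, so regenerating the entry rather than hand-editing it is preferable. Keeping a tracking issue (#2353 is cited below) for returning to the official package once upstream lands the fix closes the loop.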
Member

Is there a plan to use an official fork? I think in the past there was a previous issue where people questioned using a personalized dependency.

@ananzh
Copy link
Member

ananzh commented Sep 14, 2022

@AMoo-Miki

  1. Have we pushed the fix upstream to the vega repo?
  2. Do we have an issue to track removing the dependency on your repo once vega fixes the CVE?

For [1], no. The vega PR is under review; leaflet-vega hasn't been reviewed yet.
For [2], #2353.

@ananzh ananzh added the v2.4.0 ('Issues and PRs related to version v2.4.0'), backport 2.3, backport 2.x and backport 1.3 labels Sep 14, 2022
@ananzh ananzh merged commit bebbcca into opensearch-project:main Sep 14, 2022
@opensearch-trigger-bot
Contributor

The backport to 1.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-1.x 1.x
# Navigate to the new working tree
cd .worktrees/backport-1.x
# Create a new branch
git switch --create backport/backport-2352-to-1.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 bebbcca30d4b3f43c800eb5360681d2072d0ba7c
# Push it to GitHub
git push --set-upstream origin backport/backport-2352-to-1.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-1.x

Then, create a pull request where the base branch is 1.x and the compare/head branch is backport/backport-2352-to-1.x.

@opensearch-trigger-bot
Contributor

The backport to 1.3 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-1.3 1.3
# Navigate to the new working tree
cd .worktrees/backport-1.3
# Create a new branch
git switch --create backport/backport-2352-to-1.3
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 bebbcca30d4b3f43c800eb5360681d2072d0ba7c
# Push it to GitHub
git push --set-upstream origin backport/backport-2352-to-1.3
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-1.3

Then, create a pull request where the base branch is 1.3 and the compare/head branch is backport/backport-2352-to-1.3.

@opensearch-trigger-bot
Contributor

The backport to 1.2 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-1.2 1.2
# Navigate to the new working tree
cd .worktrees/backport-1.2
# Create a new branch
git switch --create backport/backport-2352-to-1.2
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 bebbcca30d4b3f43c800eb5360681d2072d0ba7c
# Push it to GitHub
git push --set-upstream origin backport/backport-2352-to-1.2
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-1.2

Then, create a pull request where the base branch is 1.2 and the compare/head branch is backport/backport-2352-to-1.2.

@opensearch-trigger-bot
Contributor

The backport to 1.1 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-1.1 1.1
# Navigate to the new working tree
cd .worktrees/backport-1.1
# Create a new branch
git switch --create backport/backport-2352-to-1.1
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 bebbcca30d4b3f43c800eb5360681d2072d0ba7c
# Push it to GitHub
git push --set-upstream origin backport/backport-2352-to-1.1
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-1.1

Then, create a pull request where the base branch is 1.1 and the compare/head branch is backport/backport-2352-to-1.1.

@opensearch-trigger-bot
Contributor

The backport to 1.0 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-1.0 1.0
# Navigate to the new working tree
cd .worktrees/backport-1.0
# Create a new branch
git switch --create backport/backport-2352-to-1.0
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 bebbcca30d4b3f43c800eb5360681d2072d0ba7c
# Push it to GitHub
git push --set-upstream origin backport/backport-2352-to-1.0
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-1.0

Then, create a pull request where the base branch is 1.0 and the compare/head branch is backport/backport-2352-to-1.0.

opensearch-trigger-bot bot pushed a commit that referenced this pull request Sep 14, 2022
* Pass `options` to `vega.parse` to enable inclusion of parsed ASTs
* Introduce the forced CSP-compliant interpreter that prevents evaluation of unsafe methods
* Modified the consumed `leaflet-vega` package to one that honors `options`

Signed-off-by: Miki <miki@amazon.com>

Signed-off-by: Miki <miki@amazon.com>
(cherry picked from commit bebbcca)
opensearch-trigger-bot bot pushed a commit that referenced this pull request Sep 14, 2022
* Pass `options` to `vega.parse` to enable inclusion of parsed ASTs
* Introduce the forced CSP-compliant interpreter that prevents evaluation of unsafe methods
* Modified the consumed `leaflet-vega` package to one that honors `options`

Signed-off-by: Miki <miki@amazon.com>

Signed-off-by: Miki <miki@amazon.com>
(cherry picked from commit bebbcca)
ananzh pushed a commit to ananzh/OpenSearch-Dashboards that referenced this pull request Sep 14, 2022
…lizations

backport PR:opensearch-project#2352

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
ananzh pushed a commit to ananzh/OpenSearch-Dashboards that referenced this pull request Sep 14, 2022
backport PR:opensearch-project#2352

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
ananzh pushed a commit to ananzh/OpenSearch-Dashboards that referenced this pull request Sep 14, 2022
backport PR:opensearch-project#2352

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
ananzh pushed a commit to ananzh/OpenSearch-Dashboards that referenced this pull request Sep 14, 2022
backport PR:opensearch-project#2352

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
ananzh pushed a commit to ananzh/OpenSearch-Dashboards that referenced this pull request Sep 14, 2022
backport PR:opensearch-project#2352

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
ananzh pushed a commit to ananzh/OpenSearch-Dashboards that referenced this pull request Sep 14, 2022
backport PR:opensearch-project#2352

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
kavilla pushed a commit that referenced this pull request Sep 15, 2022
… (#2354)

* Pass `options` to `vega.parse` to enable inclusion of parsed ASTs
* Introduce the forced CSP-compliant interpreter that prevents evaluation of unsafe methods
* Modified the consumed `leaflet-vega` package to one that honors `options`

Signed-off-by: Miki <miki@amazon.com>

Signed-off-by: Miki <miki@amazon.com>
(cherry picked from commit bebbcca)

Co-authored-by: Miki <miki@amazon.com>
kavilla pushed a commit that referenced this pull request Sep 15, 2022
backport PR:#2352

Signed-off-by: Anan Zhuang <ananzh@amazon.com>

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
Co-authored-by: Miki <miki@amazon.com>
kavilla pushed a commit that referenced this pull request Sep 15, 2022
* Pass `options` to `vega.parse` to enable inclusion of parsed ASTs
* Introduce the forced CSP-compliant interpreter that prevents evaluation of unsafe methods
* Modified the consumed `leaflet-vega` package to one that honors `options`

Signed-off-by: Miki <miki@amazon.com>
Co-authored-by: Anan Zhuang <ananzh@amazon.com>

(cherry picked from commit bebbcca)
kavilla pushed a commit that referenced this pull request Sep 15, 2022
* Pass `options` to `vega.parse` to enable inclusion of parsed ASTs
* Introduce the forced CSP-compliant interpreter that prevents evaluation of unsafe methods
* Modified the consumed `leaflet-vega` package to one that honors `options`

Signed-off-by: Miki <miki@amazon.com>
Co-authored-by: Anan Zhuang <ananzh@amazon.com>

(cherry picked from commit bebbcca)
kavilla pushed a commit that referenced this pull request Sep 15, 2022
* Pass `options` to `vega.parse` to enable inclusion of parsed ASTs
* Introduce the forced CSP-compliant interpreter that prevents evaluation of unsafe methods
* Modified the consumed `leaflet-vega` package to one that honors `options`

Signed-off-by: Miki <miki@amazon.com>
Co-authored-by: Anan Zhuang <ananzh@amazon.com>

(cherry picked from commit bebbcca)
opensearch-trigger-bot bot pushed a commit that referenced this pull request Sep 15, 2022
* Pass `options` to `vega.parse` to enable inclusion of parsed ASTs
* Introduce the forced CSP-compliant interpreter that prevents evaluation of unsafe methods
* Modified the consumed `leaflet-vega` package to one that honors `options`

Signed-off-by: Miki <miki@amazon.com>

Signed-off-by: Miki <miki@amazon.com>
(cherry picked from commit bebbcca)
opensearch-trigger-bot bot pushed a commit that referenced this pull request Sep 15, 2022
* Pass `options` to `vega.parse` to enable inclusion of parsed ASTs
* Introduce the forced CSP-compliant interpreter that prevents evaluation of unsafe methods
* Modified the consumed `leaflet-vega` package to one that honors `options`

Signed-off-by: Miki <miki@amazon.com>

Signed-off-by: Miki <miki@amazon.com>
(cherry picked from commit bebbcca)
opensearch-trigger-bot bot pushed a commit that referenced this pull request Sep 15, 2022
* Pass `options` to `vega.parse` to enable inclusion of parsed ASTs
* Introduce the forced CSP-compliant interpreter that prevents evaluation of unsafe methods
* Modified the consumed `leaflet-vega` package to one that honors `options`

Signed-off-by: Miki <miki@amazon.com>

Signed-off-by: Miki <miki@amazon.com>
(cherry picked from commit bebbcca)
joshuarrrr pushed a commit that referenced this pull request Sep 16, 2022
… (#2372)

* Pass `options` to `vega.parse` to enable inclusion of parsed ASTs
* Introduce the forced CSP-compliant interpreter that prevents evaluation of unsafe methods
* Modified the consumed `leaflet-vega` package to one that honors `options`

Signed-off-by: Miki <miki@amazon.com>

Signed-off-by: Miki <miki@amazon.com>
(cherry picked from commit bebbcca)

Co-authored-by: Miki <miki@amazon.com>
ashwin-pc pushed a commit that referenced this pull request Sep 16, 2022
… (#2355)

* Pass `options` to `vega.parse` to enable inclusion of parsed ASTs
* Introduce the forced CSP-compliant interpreter that prevents evaluation of unsafe methods
* Modified the consumed `leaflet-vega` package to one that honors `options`

Signed-off-by: Miki <miki@amazon.com>

Signed-off-by: Miki <miki@amazon.com>
(cherry picked from commit bebbcca)

Co-authored-by: Miki <miki@amazon.com>
Co-authored-by: Kawika Avilla <kavilla414@gmail.com>
ananzh pushed a commit that referenced this pull request Sep 16, 2022
… (#2373)

* Pass `options` to `vega.parse` to enable inclusion of parsed ASTs
* Introduce the forced CSP-compliant interpreter that prevents evaluation of unsafe methods
* Modified the consumed `leaflet-vega` package to one that honors `options`

Signed-off-by: Miki <miki@amazon.com>

Signed-off-by: Miki <miki@amazon.com>
(cherry picked from commit bebbcca)

Co-authored-by: Miki <miki@amazon.com>
Co-authored-by: Ashwin P Chandran <ashwinpc@amazon.com>
joshuarrrr pushed a commit that referenced this pull request Sep 20, 2022
… (#2371)

* Pass `options` to `vega.parse` to enable inclusion of parsed ASTs
* Introduce the forced CSP-compliant interpreter that prevents evaluation of unsafe methods
* Modified the consumed `leaflet-vega` package to one that honors `options`

Signed-off-by: Miki <miki@amazon.com>

Signed-off-by: Miki <miki@amazon.com>
(cherry picked from commit bebbcca)

Co-authored-by: Miki <miki@amazon.com>
Co-authored-by: Ashwin P Chandran <ashwinpc@amazon.com>
Co-authored-by: Kawika Avilla <kavilla414@gmail.com>
pjfitzgibbons pushed a commit to pjfitzgibbons/OpenSearch-Dashboards that referenced this pull request Oct 24, 2022
…search-project#2352) (opensearch-project#2371)

* Pass `options` to `vega.parse` to enable inclusion of parsed ASTs
* Introduce the forced CSP-compliant interpreter that prevents evaluation of unsafe methods
* Modified the consumed `leaflet-vega` package to one that honors `options`

Signed-off-by: Miki <miki@amazon.com>

Signed-off-by: Miki <miki@amazon.com>
(cherry picked from commit bebbcca)

Co-authored-by: Miki <miki@amazon.com>
Co-authored-by: Ashwin P Chandran <ashwinpc@amazon.com>
Co-authored-by: Kawika Avilla <kavilla414@gmail.com>
sipopo pushed a commit to sipopo/OpenSearch-Dashboards that referenced this pull request Dec 16, 2022
…search-project#2352)

* Pass `options` to `vega.parse` to enable inclusion of parsed ASTs
* Introduce the forced CSP-compliant interpreter that prevents evaluation of unsafe methods
* Modified the consumed `leaflet-vega` package to one that honors `options`

Signed-off-by: Miki <miki@amazon.com>

Signed-off-by: Miki <miki@amazon.com>
Signed-off-by: Sergey V. Osipov <sipopo@yandex.ru>
@ananzh ananzh added the v1.3.6 label Jan 26, 2023