fix: remove unsafe-eval CSP (ENG-3437)

redash/settings/__init__.py

@@ -115,7 +115,7 @@
 # for more information. E.g.:
 CONTENT_SECURITY_POLICY = os.environ.get(
     "REDASH_CONTENT_SECURITY_POLICY",
-    "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval' *.segment.com *.segment.io *.hotjar.com *.hotjar.io; connect-src 'self' *.segment.com *.segment.io *.hotjar.com *.hotjar.io wss://*.hotjar.com wss://*.hotjar.io; font-src 'self' data:; img-src 'self' http: https: data: blob:; object-src 'none'; frame-ancestors 'none'; frame-src redash.io *.segment.com *.segment.io *.hotjar.com *.hotjar.io;",
+    "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' *.segment.com *.segment.io *.hotjar.com *.hotjar.io; connect-src 'self' *.segment.com *.segment.io *.hotjar.com *.hotjar.io wss://*.hotjar.com wss://*.hotjar.io; font-src 'self' data:; img-src 'self' http: https: data: blob:; object-src 'none'; frame-ancestors 'none'; frame-src redash.io *.segment.com *.segment.io *.hotjar.com *.hotjar.io;",
 )
 CONTENT_SECURITY_POLICY_REPORT_URI = os.environ.get("REDASH_CONTENT_SECURITY_POLICY_REPORT_URI", "")
 CONTENT_SECURITY_POLICY_REPORT_ONLY = parse_boolean(

viz-lib/package.json

@@ -91,7 +91,7 @@
     "leaflet.markercluster": "^1.1.0",
     "lodash": "^4.17.10",
     "numeral": "^2.0.6",
-    "plotly.js": "1.58.5",
+    "plotly.js-strict-dist": "^2.32.0",
     "react-pivottable": "^0.9.0",
     "react-sortable-hoc": "^1.10.1",
     "tinycolor2": "^1.4.1",
@@ -113,7 +113,7 @@
     }
   },
   "browser": {
-      "fs": false,
-      "path": false
+    "fs": false,
+    "path": false
   }
 }

viz-lib/src/visualizations/chart/Renderer/CustomPlotlyChart.tsx

@@ -20,7 +20,6 @@ export default function CustomPlotlyChart({ options, data }: any) {
     if (container) {
       const unwatch = resizeObserver(container, () => {
         // Clear existing data with blank data for succeeding codeCall adds data to existing plot.
-        // @ts-expect-error ts-migrate(2345) FIXME: Argument of type 'null' is not assignable to param... Remove this comment to see the full error message
         Plotly.purge(container);
         renderCustomChart(plotlyData.x, plotlyData.ys, container, Plotly);
       });
@@ -31,7 +30,6 @@ export default function CustomPlotlyChart({ options, data }: any) {
   // Cleanup when component destroyed
   useEffect(() => {
     if (container) {
-      // @ts-expect-error ts-migrate(2345) FIXME: Argument of type 'null' is not assignable to param... Remove this comment to see the full error message
       return () => Plotly.purge(container);
     }
   }, [container]);

viz-lib/src/visualizations/chart/Renderer/initChart.ts

@@ -36,7 +36,6 @@ function initPlotUpdater() {
       }
       return updater;
     },
-    // @ts-expect-error ts-migrate(7023) FIXME: 'process' implicitly has return type 'any' because... Remove this comment to see the full error message
     process(plotlyElement: any) {
       if (actions.length > 0) {
         const updates = reduce(actions, (updates, action) => merge(updates, action[0]), {});
@@ -154,7 +153,6 @@ export default function initChart(container: any, options: any, data: any, addit
     initialized: promise.then(() => result),
     setZoomEnabled: createSafeFunction((allowZoom: any) => {
       const layoutUpdates = { dragmode: allowZoom ? "zoom" : false };
-      // @ts-expect-error ts-migrate(2345) FIXME: Argument of type '{ dragmode: string | boolean; }'... Remove this comment to see the full error message
       return Plotly.relayout(container, layoutUpdates);
     }),
     destroy: createSafeFunction(() => {

viz-lib/src/visualizations/chart/plotly/index.ts

@@ -1,4 +1,5 @@
-import * as Plotly from "plotly.js";
+// @ts-ignore
+import * as Plotly from "plotly.js-strict-dist";
 
 import prepareData from "./prepareData";
 import prepareLayout from "./prepareLayout";
@@ -7,7 +8,6 @@ import updateAxes from "./updateAxes";
 import updateChartSize from "./updateChartSize";
 import { prepareCustomChartData, createCustomChartRenderer } from "./customChartUtils";
 
-// @ts-expect-error ts-migrate(2339) FIXME: Property 'setPlotConfig' does not exist on type 't... Remove this comment to see the full error message
 Plotly.setPlotConfig({
   modeBarButtonsToRemove: ["sendDataToCloud"],
 });

viz-lib/src/visualizations/chart/plotly/prepareHeatmapData.ts

@@ -1,7 +1,7 @@
 import { map, max, uniq, sortBy, flatten, find, findIndex } from "lodash";
 import { createNumberFormatter } from "@/lib/value-format";
-// @ts-expect-error ts-migrate(7016) FIXME: Could not find a declaration file for module 'plot... Remove this comment to see the full error message
-import Colorscale from "plotly.js/src/components/colorscale";
+// @ts-ignore
+import Colorscale from "plotly.js-strict-dist";
 import d3 from "d3";
 import chooseTextColorForBackground from "@/lib/chooseTextColorForBackground";
 

viz-lib/src/visualizations/chart/plotly/utils.ts

@@ -1,10 +1,10 @@
 import { isUndefined } from "lodash";
 import moment from "moment";
-// @ts-expect-error ts-migrate(7016) FIXME: Could not find a declaration file for module 'plot... Remove this comment to see the full error message
-import plotlyCleanNumber from "plotly.js/src/lib/clean_number";
+// @ts-ignore
+import Lib from "plotly.js-strict-dist";
 
 export function cleanNumber(value: any) {
-  return isUndefined(value) ? value : plotlyCleanNumber(value);
+  return isUndefined(value) ? value : Lib.cleanNumber(value);
 }
 
 export function getSeriesAxis(series: any, options: any) {