
[24.2] Set content-type to text/plain if dataset not safe #19563

Open
wants to merge 5 commits into
base: release_24.2

Conversation

@mvdbeek (Member) commented Feb 6, 2025

We only care about XSS in the context of the webapp, and for that it is sufficient to set the content-type to text/plain.
We might be passing large secondary files through this which has performance implications.

Also adds a sanitization message and a loading indicator for the iframe content if we're hitting a preview route.

[Screenshot 2025-02-07 at 20:04:47]

The allow list link is only shown for admins.

How to test the changes?

(Select all options that apply)

  • I've included appropriate automated tests.
  • This is a refactoring of components with existing test coverage.
  • Instructions for manual testing are as follows:

Create an HTML file with a tool that creates HTML files (multiqc, fastqc etc). Click on the eye icon and see that the file is displayed as text if it is not on the allow list. Hardcode content-type on line 647 to text/html to see that now it is rendered as html. Hardcode it back to text/plain and see it displayed as text.

License

  • I agree to license these and all my past contributions to the core galaxy codebase under the MIT license.
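The content-type decision this PR describes (render a dataset as HTML only if its datatype is on an admin-managed allow list, otherwise serve it as text/plain so the browser never executes embedded markup), written out as an added example that is not Galaxy's own code. The allow list, the `Dataset` record and the `X-Content-Type-Options: nosniff` header are assumptions of the example; the PR text itself only mentions the text/plain content-type.

```python
"""Added example (not Galaxy's code): pick the Content-Type for an in-browser
dataset preview. HTML-producing datatypes are rendered as text/html only when
an admin has put the datatype on an allow list; everything else is served as
text/plain so any script tags in the file are displayed, not executed.
"""
from dataclasses import dataclass

# Constructed allow list for the example: datatypes an admin trusts to render as HTML.
HTML_ALLOW_LIST = frozenset({"multiqc_html"})


@dataclass(frozen=True)
class Dataset:
    name: str
    datatype: str  # Galaxy-style datatype name, e.g. "html"; an assumption here
    content: bytes


def display_content_type(dataset: Dataset, allow_list=HTML_ALLOW_LIST) -> str:
    """Return the Content-Type to use when the dataset is previewed.

    The decision is keyed on the datatype, never on the file name: a dataset
    called report.html with datatype "html" still comes back as text/plain.
    """
    if dataset.datatype in allow_list:
        return "text/html; charset=utf-8"
    return "text/plain; charset=utf-8"


def build_display_response(dataset: Dataset, allow_list=HTML_ALLOW_LIST):
    """Assemble (status, headers, body) for a preview response.

    Assumption beyond the PR text: X-Content-Type-Options: nosniff is added so
    the browser cannot second-guess text/plain and sniff the body as HTML.
    """
    headers = {
        "Content-Type": display_content_type(dataset, allow_list),
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, dataset.content


def is_rendered_as_html(headers: dict) -> bool:
    """True when the response would be interpreted by the browser as a page."""
    return headers["Content-Type"].startswith("text/html")


if __name__ == "__main__":
    # Constructed samples: a FastQC-style report whose datatype is not on the
    # allow list, and a MultiQC report whose datatype is.
    fastqc = Dataset(
        "fastqc_report.html", "html",
        b"<html><script>/* would run if rendered as HTML */</script></html>",
    )
    multiqc = Dataset("multiqc_report.html", "multiqc_html", b"<html><body>report</body></html>")
    for ds in (fastqc, multiqc):
        status, headers, body = build_display_response(ds)
        print(f"{ds.name} ({ds.datatype}) -> {headers['Content-Type']}, nosniff")
```

The manual test steps above can be mirrored against this function: switching a datatype into `HTML_ALLOW_LIST` is the equivalent of hardcoding text/html, and removing it is the equivalent of hardcoding text/plain.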

@mvdbeek mvdbeek marked this pull request as ready for review February 7, 2025 18:55
@github-actions github-actions bot added this to the 25.0 milestone Feb 7, 2025
</script>
<template>
<div class="h-100">
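Review bot: the reason for `class="h-100"` on this wrapper div is recorded only in the review thread below (without it the default welcome page is squished into a small box); a one-line comment in the template next to the div would keep a later refactor from dropping it as apparently unused styling.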
@mvdbeek (Member, Author) commented on this line:

Not sure why that's needed, without the h-100 the default welcome page gets squished into a small-ish box

@mvdbeek mvdbeek requested review from dannon and guerler February 7, 2025 18:58
@mvdbeek mvdbeek force-pushed the replace_sanitize_html branch from c2e8ead to 18851a9 February 7, 2025 18:59
@mvdbeek mvdbeek force-pushed the replace_sanitize_html branch from df23ee8 to c0e4eb4 February 7, 2025 20:48
We only care about XSS in the content of the webapp, and for that it is
sufficient to set the content-type to text/plain.
Seems required for center page.
@mvdbeek mvdbeek force-pushed the replace_sanitize_html branch from c0e4eb4 to 49c6d6c February 10, 2025 09:04