fix: LEAP-383: Fix bad html sanitizer

juliosgarbi commented 11 months ago

To mitigate this vulnerability, the PR includes the installation of the sanitize-html package. This package replaces the insecure regexp-based HTML filtering method, ensuring more robust and secure parsing of HTML content. This change is crucial to uphold our application's security standards and protect against potential exploits.

PR fulfills these requirements

[x] Commit message(s) and PR title follows the format [fix|feat|ci|chore|doc]: TICKET-ID: Short description of change made ex. fix: DEV-XXXX: Removed inconsistent code usage causing intermittent errors
[ ] Tests for the changes have been added/updated (for bug fixes/features)
[ ] Docs have been added/updated (for bug fixes/features)
[x] Best efforts were made to ensure docs/code are concise and coherent (checked for spelling/grammatical errors, commented out code, debug logs etc.)
[x] Self-reviewed and ran all changes on a local instance (for bug fixes/features)

Change has impacts in these area(s)

(check all that apply)

[ ] Product design
[x] Frontend

Describe the reason for change

This PR addresses a high-severity vulnerability identified in the lse-release/2.5.0 and master branches of our project. The issue lies in the improper use of regular expressions for HTML filtering, which poses a risk of cross-site scripting and other security threats.

What does this fix?

The vulnerability, identified as a Bad HTML filtering regexp, impacts the security and integrity of our application. It is currently listed as an open issue with significant weaknesses, including CWE-20, CWE-80, CWE-116, CWE-184, CWE-185, CWE-186

What libraries were added/updated?

"@types/sanitize-html": "^2.9.5", "sanitize-html": "^2.11.0"

Does this change affect performance?

no

Does this change affect security?

no

Does this PR introduce a breaking change?

(check only one)

[ ] Yes, and covered entirely by feature flag(s)
[ ] Yes, and covered partially by feature flag(s)
[x] No
[ ] Not sure (briefly explain the situation below)

What level of testing was included in the change?

(check all that apply)

[ ] e2e
[ ] integration
[ ] unit

juliosgarbi commented 11 months ago

/git merge master

Successfully pushed new changes: Merge remote-tracking branch 'origin/master' into fb-leap-383 (68b81c716a729ff88839d3a19f16d3895f9337b8)

Workflow run

juliosgarbi commented 11 months ago

/git merge master

Already up-to-date. Nothing to commit.

Workflow run

codecov-commenter commented 11 months ago

Codecov Report

Attention: 1 lines in your changes are missing coverage. Please review.

Comparison is base (bb1c548) 68.30% compared to head (4a94cc1) 68.28%.

Files	Patch %	Lines
src/utils/html.js	87.50%	1 Missing :warning:

Additional details and impacted files

```diff @@ Coverage Diff @@ ## master #1634 +/- ## ========================================== - Coverage 68.30% 68.28% -0.03% ========================================== Files 443 443 Lines 28687 28686 -1 Branches 7629 7628 -1 ========================================== - Hits 19596 19589 -7 - Misses 7841 7845 +4 - Partials 1250 1252 +2 ```

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

HumanSignal / label-studio-frontend