REANA allows users to preview some files directly from the web UI.

In particular, reana-workflow-controller can set the following content types when returning the contents of a file: https://github.com/reanahub/reana-workflow-controller/blob/e36c6a2010f9f4ad15a1cb1bc04d8e19f6c154fa/reana_workflow_controller/config.py#L55-L56

This can become a problem in the case of shared workflows, as the user who created a file can now be different from the one previewing it. Consider for example `text/html` files: there is now a risk of XSS, as the HTML page might contain harmful JavaScript code. Not only that, the page is also served from the same domain as the main REANA web interface, so HTTP requests sent from these shared files are not stopped by security mechanisms such as the same-origin policy.

We should investigate whether sharing files between users is vulnerable (XSS, others) with the current setup, and if so we should look into possible solutions like (even multiple ones at the same time):

- disallowing the preview of dangerous files from shared workflows (but some HTML files might be useful, like Snakemake reports)
We should also consider that files might be used to share viruses or malware.
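As an added illustration of the first mitigation listed above (not code from reana-workflow-controller), the function below decides how a workflow file should be returned: a file previewed by its own author keeps its natural content type, while a file from a shared workflow whose type the browser would render or execute (HTML, SVG, XML, JavaScript) is downgraded to an opaque download so it is never rendered in the REANA origin. The owner/requester arguments, the `ACTIVE_CONTENT_TYPES` list and the use of `mimetypes` to derive the content type are assumptions made for this example; the real controller takes its content types from the config linked above.

```python
"""Added example, not REANA's own code: choose headers for a file preview
depending on whether the workflow is shared with the requesting user.

Assumed interface: the caller knows the file path, the workflow owner and
the requesting user. Header names are standard HTTP headers.
"""
import mimetypes
from dataclasses import dataclass
from typing import Dict

# Content types a browser renders as a document or executes. Served from the
# web UI's origin, a file of one of these types written by another user is an
# XSS vector. (Assumed list for this example; adjust per deployment.)
ACTIVE_CONTENT_TYPES = {
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",          # SVG can embed <script>
    "text/xml",
    "application/xml",
    "text/javascript",
    "application/javascript",
}


@dataclass(frozen=True)
class PreviewDecision:
    content_type: str          # value to send in Content-Type
    headers: Dict[str, str]    # extra response headers
    previewable: bool          # False means "forced download"


def preview_headers(path: str, owner: str, requester: str) -> PreviewDecision:
    """Return the Content-Type and extra headers for returning `path`.

    The workflow is considered shared when owner != requester. For shared
    workflows, active content is served as application/octet-stream with a
    Content-Disposition: attachment header instead of being previewed.
    """
    guessed, _ = mimetypes.guess_type(path)
    content_type = guessed or "application/octet-stream"

    # Always disable MIME sniffing so a browser cannot reinterpret a
    # text/plain file as HTML on its own.
    headers = {"X-Content-Type-Options": "nosniff"}

    shared = owner != requester
    if shared and content_type in ACTIVE_CONTENT_TYPES:
        # Keep the filename but strip characters that could break the header.
        filename = path.rsplit("/", 1)[-1].replace('"', "").replace("\r", "").replace("\n", "")
        headers["Content-Disposition"] = f'attachment; filename="{filename}"'
        return PreviewDecision("application/octet-stream", headers, previewable=False)

    return PreviewDecision(content_type, headers, previewable=True)


if __name__ == "__main__":
    # Constructed sample: alice owns the workflow, bob views it via sharing.
    for path, who in [("out/report.html", "alice"), ("out/report.html", "bob"),
                      ("out/log.txt", "bob"), ("out/plot.svg", "bob")]:
        d = preview_headers(path, "alice", who)
        print(path, who, d.content_type, d.previewable, d.headers)
```

This implements the strict variant of the listed mitigation: every HTML file from a shared workflow becomes a download, so an allow-list for the useful cases mentioned in the issue (for instance Snakemake reports) would have to be layered on top. It does not address the same-origin point on its own; serving shared previews from a separate origin, or with a `Content-Security-Policy: sandbox` header, is the usual complement if previewing such files is to remain possible.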