fix(security): disallow marks[].data[].url and data.url in Vega when safe mode is SECURE (#1957)

Author: ggrossetie

vega/src/convert.js

@@ -36,12 +36,25 @@ async function convert (source, options) {
   if (specFormat === 'lite') {
     spec = vegaLite.compile(spec, { logger: nullLogger }).spec
   }
-  if (safeMode === 'secure' && spec && spec.data && Array.isArray(spec.data)) {
-    const dataWithUrlAttribute = spec.data.filter((item) => item.url)
-    if (dataWithUrlAttribute && dataWithUrlAttribute.length > 0) {
+  if (safeMode === 'secure' && spec) {
+    if (spec.data && Array.isArray(spec.data)) {
+      const dataWithUrlAttribute = spec.data.filter((item) => item.url)
+      if (dataWithUrlAttribute && dataWithUrlAttribute.length > 0) {
+        throw new UnsafeIncludeError(`Unable to load data from an URL while running in secure mode.
+Please include your data set as 'values' or run Kroki in unsafe mode using the KROKI_SAFE_MODE environment variable.`)
+      }
+    }
+    if (spec.data && typeof spec.data === 'object' && spec.data.url) {
       throw new UnsafeIncludeError(`Unable to load data from an URL while running in secure mode.
 Please include your data set as 'values' or run Kroki in unsafe mode using the KROKI_SAFE_MODE environment variable.`)
     }
+    if (spec.marks && Array.isArray(spec.marks)) {
+      const dataWithUrlAttribute = spec.marks.flatMap(m => m.data).filter((item) => item && item.url)
+      if (dataWithUrlAttribute && dataWithUrlAttribute.length > 0) {
+        throw new UnsafeIncludeError(`Unable to load data from an URL while running in secure mode.
+Please include your data set as 'values' or run Kroki in unsafe mode using the KROKI_SAFE_MODE environment variable.`)
+      }
+    }
   }
   const view = new vega.View(vega.parse(spec), { renderer: 'none' }).finalize()
   if (format === 'svg') {

vega/tests/test.js

@@ -9,7 +9,7 @@ const sinon = require('sinon')
 const { convert } = require('../src/convert.js')
 
 describe('#convert', function () {
-  it('should throw UnsafeIncludeError in secure mode when the Vega-Lite specification contains data.url', async function () {
+  it('should throw UnsafeIncludeError in secure mode when the Vega-Lite specification contains data[].url', async function () {
     const input = `{
   "data": {"url": "data/cars.json"},
   "mark": "point",
@@ -29,6 +29,93 @@ describe('#convert', function () {
       deepEqual(err.name, 'UnsafeIncludeError')
     }
   })
+  it('should throw UnsafeIncludeError in secure mode when the Vega specification contains data.url', async () => {
+    const input = `{
+  "$schema": "https://vega.github.io/schema/vega/v5.json",
+  "width": 500,
+  "height": 200,
+  "data": {
+    "name": "passwd",
+    "url": "file:///etc/passwd",
+    "format": {
+      "type": "dsv",
+      "delimiter": ":",
+      "header": [
+        "username",
+        "password",
+        "uid",
+        "gid",
+        "comment",
+        "home",
+        "shell"
+      ]
+    }
+  },
+  "marks": [
+    {
+      "type": "text",
+      "from": {
+        "data": "passwd"
+      },
+      "encode": {
+        "enter": {
+          "text": {
+            "signal": "datum.username + ':' + datum.password + ':' + datum.uid + ':' + datum.gid + ':' + datum.comment + ':' + datum.home + ':' + datum.shell"
+          }
+        }
+      }
+    }
+  ],
+  "scales": [
+    {
+      "name": "yscale",
+      "type": "linear",
+      "domain": {
+        "data": "passwd",
+        "field": "index"
+      },
+      "range": [
+        0,
+        1000
+      ]
+    }
+  ]
+}`
+    try {
+      await convert(input, {
+        specFormat: '',
+        safeMode: 'secure',
+        format: 'svg'
+      })
+      fail('', '', 'It should throw an error in secure mode when the Vega-Lite specification contains data.url')
+    } catch (err) {
+      deepEqual(err.name, 'UnsafeIncludeError')
+    }
+  })
+  it('should throw UnsafeIncludeError in secure mode when the Vega specification contains marks[].data[].url', async function () {
+    const input = `{
+  "marks": [
+    {
+      "type": "group",
+      "data": [
+        {
+          "url": "data/cars.json"
+        }
+      ]
+    }
+  ]
+}`
+    try {
+      await convert(input, {
+        specFormat: '',
+        safeMode: 'secure',
+        format: 'svg'
+      })
+      fail('', '', 'It should throw an error in secure mode when the Vega-Lite specification contains data.url')
+    } catch (err) {
+      deepEqual(err.name, 'UnsafeIncludeError')
+    }
+  })
   it('should throw IllegalArgumentError when output format is not supported', async function () {
     const input = `{
   "data": {