From 758075481d7512f1e2edd6f83e1c4b11819d653c Mon Sep 17 00:00:00 2001
From: Miki
Date: Wed, 14 Sep 2022 15:17:42 -0700
Subject: [PATCH] [backport 1.0] Use a forced CSP-compliant interpreter with Vega backport PR:https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2352
Signed-off-by: Anan Zhuang
---
 package.json | 3 ++-
 src/plugins/vis_type_vega/public/lib/vega.js | 3 ++-
 .../public/vega_view/vega_base_view.js | 5 ++++-
 .../vis_type_vega/public/vega_view/vega_map_view.js | 1 +
 .../vis_type_vega/public/vega_view/vega_view.js | 5 ++++-
 yarn.lock | 13 +++++++++----
 6 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/package.json b/package.json
index 145bfcea37bb..ae090a7e9e46 100644
--- a/package.json
+++ b/package.json
@@ -413,7 +413,7 @@
 "leaflet": "1.5.1",
 "leaflet-draw": "0.4.14",
 "leaflet-responsive-popup": "0.6.4",
- "leaflet-vega": "^0.8.6",
+ "leaflet-vega": "npm:@amoo-miki/leaflet-vega@0.8.8",
 "leaflet.heat": "0.2.0",
 "less": "npm:@elastic/less@2.7.3-kibana",
 "license-checker": "^16.0.0",
@@ -461,6 +461,7 @@
 "typescript": "4.0.2",
 "ui-select": "0.19.8",
 "vega": "^5.17.3",
+ "vega-interpreter": "npm:@amoo-miki/vega-forced-csp-compliant-interpreter@1.0.6",
 "vega-lite": "^4.16.8",
 "vega-schema-url-parser": "^2.1.0",
 "vega-tooltip": "^0.24.2",
diff --git a/src/plugins/vis_type_vega/public/lib/vega.js b/src/plugins/vis_type_vega/public/lib/vega.js
index dbd3a90cd29f..d178d25c5057 100644
--- a/src/plugins/vis_type_vega/public/lib/vega.js
+++ b/src/plugins/vis_type_vega/public/lib/vega.js
@@ -32,5 +32,6 @@
 import * as vegaLite from 'vega-lite/build-es5/vega-lite';
 import * as vega from 'vega/build-es5/vega';
+import { expressionInterpreter as vegaExpressionInterpreter } from 'vega-interpreter/build/vega-interpreter.module';
-export { vega, vegaLite };
+export { vega, vegaLite, vegaExpressionInterpreter };
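Review bot: Both new dependency entries in package.json, `"leaflet-vega": "npm:@amoo-miki/leaflet-vega@0.8.8"` in this hunk and the `vega-interpreter` alias in the `@@ -461,6 +461,7 @@` hunk, resolve to packages under the `@amoo-miki` scope, which looks like an individual's npm account rather than one the project controls. Going by the commit subject, the interpreter fork is the code that evaluates Vega expressions, so the trust placed in that scope is high. The exact version pins and the sha512 `integrity` values in yarn.lock protect against a changed tarball, but not against the forks having a single owner and no stated source repository. I would move both forks to an organisation-owned scope, e.g. `"vega-interpreter": "npm:@<org-scope>/vega-forced-csp-compliant-interpreter@1.0.6"` (placeholder scope), and link each fork's source in the PR description.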
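Review bot: In lib/vega.js the specifier `vega-interpreter/build/vega-interpreter.module` reads as the upstream Vega package, but package.json in this same commit aliases that name to `@amoo-miki/vega-forced-csp-compliant-interpreter`, and nothing in the file says so. A comment above the import would stop a later dependency clean-up from swapping it back unnoticed, for example `// Aliased in package.json to a forced-CSP-compliant fork; evaluates expression ASTs so Vega does not need eval/new Function.` The path also reaches into the package's `build/` directory, so it depends on the fork keeping that file layout.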
diff --git a/src/plugins/vis_type_vega/public/vega_view/vega_base_view.js b/src/plugins/vis_type_vega/public/vega_view/vega_base_view.js
index a93d991dec00..8d8ef558dd4a 100644
--- a/src/plugins/vis_type_vega/public/vega_view/vega_base_view.js
+++ b/src/plugins/vis_type_vega/public/vega_view/vega_base_view.js
@@ -33,7 +33,7 @@
 import $ from 'jquery';
 import moment from 'moment';
 import dateMath from '@elastic/datemath';
-import { vega, vegaLite } from '../lib/vega';
+import { vega, vegaLite, vegaExpressionInterpreter } from '../lib/vega';
 import { Utils } from '../data_model/utils';
 import { euiPaletteColorBlind } from '@elastic/eui';
 import { i18n } from '@osd/i18n';
@@ -81,6 +81,7 @@ export class VegaBaseView {
 this._timefilter = opts.timefilter;
 this._view = null;
 this._vegaViewConfig = null;
+ this._vegaViewOptions = null;
 this._$messages = null;
 this._destroyHandlers = [];
 this._initialized = false;
@@ -132,6 +133,7 @@ export class VegaBaseView {
 });
 this._vegaViewConfig = this.createViewConfig();
+ this._vegaViewOptions = { ast: true };
 // The derived class should create this method
 await this._initViewCustomizations();
@@ -187,6 +189,7 @@ export class VegaBaseView {
 // eslint-disable-next-line import/namespace
 logLevel: vega.Warn, // note: eslint has a false positive here
 renderer: this._parser.renderer,
+ expr: vegaExpressionInterpreter,
 };
 // Override URL sanitizer to prevent external data loading (if disabled)
diff --git a/src/plugins/vis_type_vega/public/vega_view/vega_map_view.js b/src/plugins/vis_type_vega/public/vega_view/vega_map_view.js
index d300d5246736..8ecb4f0ef391 100644
--- a/src/plugins/vis_type_vega/public/vega_view/vega_map_view.js
+++ b/src/plugins/vis_type_vega/public/vega_view/vega_map_view.js
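Review bot: In vega_base_view.js the two halves of the interpreter set-up live in different places with no comment tying them together: `this._vegaViewOptions = { ast: true };` in the `@@ -132,6 +133,7 @@` hunk and `expr: vegaExpressionInterpreter,` in the view config of the `@@ -187,6 +189,7 @@` hunk. In Vega's documented interpreter usage the parse option makes `vega.parse` emit expression ASTs and the `expr` view option makes the runtime evaluate them, so each is only useful with the other; a subclass that forwards one and not the other would likely fail to render or fall back to generated code. I would add at the assignment `// ast: true pairs with expr in the view config; subclasses must hand both to Vega (CSP-safe expression evaluation)`. The commit also carries no test pinning that both reach Vega from vega_view.js and vega_map_view.js, and the enclosing methods start and end outside these hunks.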
@@ -146,6 +146,7 @@ export class VegaMapView extends VegaBaseView {
 bindingsContainer: this._$controls.get(0),
 delayRepaint: mapConfig.delayRepaint,
 viewConfig: this._vegaViewConfig,
+ viewOptions: this._vegaViewOptions,
 onWarning: this.onWarn.bind(this),
 onError: this.onError.bind(this),
 },
diff --git a/src/plugins/vis_type_vega/public/vega_view/vega_view.js b/src/plugins/vis_type_vega/public/vega_view/vega_view.js
index 80ed4e5edc11..d60a953b2385 100644
--- a/src/plugins/vis_type_vega/public/vega_view/vega_view.js
+++ b/src/plugins/vis_type_vega/public/vega_view/vega_view.js
@@ -38,7 +38,10 @@ export class VegaView extends VegaBaseView {
 // In some cases, Vega may be initialized twice... TBD
 if (!this._$container) return;
- const view = new vega.View(vega.parse(this._parser.spec), this._vegaViewConfig);
+ const view = new vega.View(
+ vega.parse(this._parser.spec, null, this._vegaViewOptions),
+ this._vegaViewConfig
+ );
 view.warn = this.onWarn.bind(this);
 view.error = this.onError.bind(this);
diff --git a/yarn.lock b/yarn.lock
index d7a90a621c98..871c97b44059 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -15712,10 +15712,10 @@ leaflet-responsive-popup@0.6.4: resolved "https://registry.yarnpkg.com/leaflet-responsive-popup/-/leaflet-responsive-popup-0.6.4.tgz#b93d9368ef9f96d6dc911cf5b96d90e08601c6b3" integrity sha512-2D8G9aQA6NHkulDBPN9kqbUCkCpWQQ6dF0xFL11AuEIWIbsL4UC/ZPP5m8GYM0dpU6YTlmyyCh1Tz+cls5Q4dg== -leaflet-vega@^0.8.6: - version "0.8.6" - resolved "https://registry.yarnpkg.com/leaflet-vega/-/leaflet-vega-0.8.6.tgz#dd4090a6123cb983c2b732d53ec9e4daa53736b2" - integrity sha1-3UCQphI8uYPCtzLVPsnk2qU3NrI= +"leaflet-vega@npm:@amoo-miki/leaflet-vega@0.8.8": + version "0.8.8" + resolved "https://registry.yarnpkg.com/@amoo-miki/leaflet-vega/-/leaflet-vega-0.8.8.tgz#675abf37d72fbea859755e982f4fd19dea776557" + integrity sha512-W2gGgFDxzy/XUx+fQJfz0NYVXsKl7V+G6QywiMcOV5NEodDId9c60up7NNf+cfM7ggpo+5BuLqrKmosuGO1CsA== dependencies: vega-spec-injector "^0.0.2"
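Review bot: In vega_map_view.js, `viewOptions: this._vegaViewOptions,` only has an effect if the leaflet-vega layer reads a `viewOptions` key, which is presumably what the aliased fork at 0.8.8 adds; the hunk gives no hint of that dependency. A comment such as `// viewOptions is understood by the leaflet-vega fork pinned in package.json (needed for the AST interpreter)` would make the coupling visible to anyone who later changes the leaflet-vega dependency. If the key were ignored, the map view would pass `expr` through `viewConfig` without the matching parse option. The options object this line sits in starts outside the hunk.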
@@ -24387,6 +24387,11 @@ vega-hierarchy@~4.0.9: vega-dataflow "^5.7.3" vega-util "^1.15.2" +"vega-interpreter@npm:@amoo-miki/vega-forced-csp-compliant-interpreter@1.0.6": + version "1.0.6" + resolved "https://registry.yarnpkg.com/@amoo-miki/vega-forced-csp-compliant-interpreter/-/vega-forced-csp-compliant-interpreter-1.0.6.tgz#5cffdf12b7fe12dc936194edd9e8519506c38716" + integrity sha512-9S5nTTVd8JVKobcWp5iwirIeePiamwH1J9uSZPuG5kcF0TUBvGu++ERKjNdst5Qck7e4R6/7vjx2wVf58XUarg== + vega-label@~1.0.0: version "1.0.0" resolved "https://registry.yarnpkg.com/vega-label/-/vega-label-1.0.0.tgz#c3bea3a608a62217ca554ecc0f7fe0395d81bd1b"