[breaking] trust setting to indicate whether input text is trusted

[edemaine]

Here is a draft of a trust setting to indicate whether the input text is trusted (and thus fix #1771), also allowing a function (like we do with strict) to depend on the specific function that we're worried about (advanced usage).

I did not add support for an array of trusted things like I suggested in #1771, in order to keep this simple, but happy to add something like that if we want.

I also have not added any tests; wanted to see if people like this interface first.

[ylemkimon]

I was thinking of a dictionary like:

{
    allowedProtocols: ["https", "http"],
    allowedClass: /katex-.+/,
    ....
}

but I think the function approach is better.

[ylemkimon]

What do you think of deprecating allowedProtocols and allow setting allowed protocols for \url and \href here?

[ylemkimon]

I think we should provide context information as the second argument like:

{
    type: "url",
    url: "https://katex.org/image.png",
    protocol: "https",
    ...
}

or

{
    type: "html",
    class: "my-class",
}

to allow setting across commands and prevent mis-parsing the url.

[edemaine]

@ylemkimon Sorry for the long delay on looking at this. I've just pushed a new proposal where each call to the trust function gets a TrustContext which includes the command but also e.g. url and protocol as you suggested. What do you think?

Here are some sample uses: (which maybe I should add to documentation)

• Forbid specific command: trust: (context) => context.command !== '\includegraphics'
• Allow specific command: trust: (context) => context.command === '\includegraphics'
• Allow specific protocol: trust: (context) => context.protocol === 'http'
• Forbid specific protocol: trust: (context) => context.protocol !== 'file'

I agree that this could replace allowedProtocols, if I test for trust in \url and \href as well. In that case, however, the default trust of false will forbid all \url and \href calls. Is that what we want? Maybe, actually.

[codecov-io]

Codecov Report

Merging #1794 into master will decrease coverage by 0.05%.
The diff coverage is 87.5%.

@@            Coverage Diff             @@
##           master    #1794      +/-   ##
==========================================
- Coverage   93.39%   93.34%   -0.06%     
==========================================
  Files          79       79              
  Lines        4981     4988       +7     
  Branches      872      876       +4     
==========================================
+ Hits         4652     4656       +4     
- Misses        289      291       +2     
- Partials       40       41       +1

Flag	Coverage Δ
#screenshotter	89.06% <28.57%> (-0.1%)	⬇️
#test	86.5% <87.5%> (-0.05%)	⬇️

Impacted Files	Coverage Δ
src/parseNode.js	84.21% <ø> (ø)	⬆️
src/defineFunction.js	93.75% <ø> (ø)	⬆️
src/functions/includegraphics.js	0% <0%> (ø)	⬆️
src/utils.js	93.75% <100%> (+0.64%)	⬆️
src/Settings.js	78.57% <100%> (+2.25%)	⬆️
src/Parser.js	95.29% <100%> (-0.09%)	⬇️
src/functions/href.js	96% <100%> (-4%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update fc79f79...c80f5be. Read the comment docs.

[ylemkimon]

Is that what we want? Maybe, actually.

I think we should be as conservative as possible, not allowing anything by default.

[edemaine]

@ylemkimon Agreed, safest does seem like a good default. This will break the existing release, though we can give a setting trust: (context) => ['\\url ', '\\href'].includes(context.command) && ['http', 'https', 'mailto', '_relative'].include s(context.protocol) (already almost an example in the documentation) that mimics the current trust behavior.

This change breaks a lot of tests, which I still need to fix. Also we should either remove or deprecate allowedProtocols.

I think we should try to settle something soon, because #1842 is a pretty critical bug, so once fixed, we're going to want to release -- but I also think we can't release with \includegraphics (already merged) before we have a trust setting.

[kevinbarabash]

@edemaine this is a big change. Thanks for tackling this! ❤️

[ylemkimon]

I think as we're in 0.x (major version zero) stage, we can remove allowedProtocols without deprecation.

[ylemkimon]

protocolFromUrl or getProtocol(FromUrl)

[kevinbarabash]

I'm going to go with protocolFromUrl since we use fooFromBar in a number of places already.

[ylemkimon]

Could you update the PR?

[kevinbarabash]

I resolved the merge conflicts which were due to this PR modifying the /includegraphics docs and the docs being deleted on master. The resolution was to delete them here as well. We can add the docs back in the future once we re-enable /includegraphics after this PR is merged.

[kevinbarabash]

@ylemkimon I can make the changes you requested.

[kevinbarabash]

Looks like there are some flow errors after the merge. I'll fix those up too.

[kevinbarabash]

@edemaine I really like these examples.

[kevinbarabash]

I was thinking of changing to something else, but I think we can just re-enable \includegraphics once this PR is merged.

[kevinbarabash]

The consume was moved out of formatUnsupported to here.

[kevinbarabash]

I'm going to leave this in since we want to re-enable \includegraphics once this lands.

[kevinbarabash]

While this could be restructured to dedupe the url and protocol we may have other commands that are insecure in other ways in the future.

[kevinbarabash]

I had to flip the order to make flow happy. I'll add a link to the issue in the code.

[kevinbarabash]

I'm going to go with protocolFromUrl since we use fooFromBar in a number of places already.

[kevinbarabash]

This comment is great!

[kevinbarabash]

I renamed this PR to having [breaking] in the title as a reminder to ourselves to bump the version when publishing. @ylemkimon I think I've addressed all of your concerns. Please have another look when you have some time.

[edemaine]

Thanks @kevinbarabash for picking up my slack here. (And sorry I've been too busy lately to do it myself.)

Given that \includegraphics was blocking only on this, perhaps the resolution should have been to put it back in? Up to you though.

[edemaine]

It would be nice to replace these with tests of the corresponding trust settings (as in the documentation examples). In general, it would be good to add trust tests. Because trust violations don't throw errors, you could probably just use snapshot tests... Or test for the appropriate parse node.

[kevinbarabash]

Good idea. Will do.

[kevinbarabash]

I've re-added the tests but I had to refactor them a bit to be snapshot tests since \href with trust: false parses, but produces a different parse tree from when trust: true is set.

I've also set the default for the unit tests to trust: false. I can probably remove that setting though since false is the default.

[kevinbarabash]

Given that \includegraphics was blocking only on this, perhaps the resolution should have been to put it back in? Up to you though.

I'd like to keep this PR focused on the new trust setting. Re-enabling \includegraphics will require adding screenshots and tests that are unrelated to rest of this PR. I can create a stacked PR so we can see what those changes look like before this is merged.

[edemaine]

Makes sense. We'll have the old commits anyway to guide the small changes needed for \includegraphics. I don't think it's necessary to stack PRs.

[ylemkimon]

I think this is good to go!