@mcanu (Contributor) commented Jan 31, 2025

PR fulfills these requirements

  • Commit message(s) and PR title follow the format [fix|feat|ci|chore|doc]: TICKET-ID: Short description of change made, e.g. fix: DEV-XXXX: Removed inconsistent code usage causing intermittent errors
  • Tests for the changes have been added/updated (for bug fixes/features)
  • Docs have been added/updated (for bug fixes/features)
  • Best efforts were made to ensure docs/code are concise and coherent (checked for spelling/grammatical errors, commented out code, debug logs etc.)
  • Self-reviewed and ran all changes on a local instance (for bug fixes/features)

Change has impacts in these area(s)

(check all that apply)

  • Product design
  • Backend (Database)
  • Backend (API)
  • Frontend

Describe the reason for change

We got this code scanning alert: https://github.com/HumanSignal/label-studio/security/code-scanning/785
Essentially, we were showing the full paths of uploaded files when importing failed. Now we are only showing the file name so the user knows which file failed.

Before: [screenshot]

After: [screenshot]

What does this fix?

Security issue by exposing internal info.

What is the new behavior?

Only show the file name.

What is the current behavior?

Showing the full file path

Does this PR introduce a breaking change?

(check only one)

  • Yes, and covered entirely by feature flag(s)
  • Yes, and covered partially by feature flag(s)
  • No
  • Not sure (briefly explain the situation below)

Which logical domain(s) does this change affect?

Import
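
An added example, not part of this PR or of Label Studio's code: one way to build an import-failure message so the client sees only the file name while the full path goes to the server log, including the case where the exception text itself repeats the path. The function names, logger name, `media_root` default and sample paths are assumptions constructed for illustration; only the "Failed to parse input file" prefix is taken from this page.

```python
import logging
import ntpath
import posixpath

log = logging.getLogger("data_import")  # hypothetical logger name


def display_name(stored_path: str) -> str:
    """Return only the last path component, for "/" or "\\" separators."""
    # ntpath.basename splits on both separators; posixpath.basename would
    # return a Windows-style path unchanged.
    name = ntpath.basename(stored_path.rstrip("/\\"))
    return name or "<unnamed file>"


def user_facing_import_error(stored_path: str, exc: Exception,
                             media_root: str = "/srv/app/media") -> str:
    """Message for the API response; the full path stays in the server log."""
    name = display_name(stored_path)
    detail = str(exc)
    # Exceptions such as FileNotFoundError repeat the path in their own text,
    # so scrub the absolute form first, then the relative one.
    for leaked in (posixpath.join(media_root, stored_path), stored_path):
        detail = detail.replace(leaked, name)
    log.warning("import failed for %s: %r", stored_path, exc)
    return f"Failed to parse input file {name}: {detail}"


def sample_messages() -> list[str]:
    """Constructed inputs; neither path comes from the page."""
    rel = "upload/42/0a1b2c3d-sample.csv"
    return [
        user_facing_import_error(rel, ValueError("Error tokenizing data")),
        user_facing_import_error(
            rel, FileNotFoundError(2, "No such file or directory",
                                   "/srv/app/media/" + rel)),
    ]
```

A regression test for this class of alert can assert that no directory component of the storage path appears anywhere in the response body, not just in the message prefix.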

sentry bot commented Jan 31, 2025

🔍 Existing Issues For Review

Your pull request is modifying functions with the following pre-existing issues:

📄 File: label_studio/data_import/models.py

| Function | Unhandled Issue | Event Count |
|---|---|---|
| read_tasks | ValidationError: "Failed to parse input file upload/124129/d401d952-mini_dataset.json: Unexpected character found... | 1 |
| read_tasks | ValidationError: ["Failed to parse input file upload/123645/aa48eb00-AUDIO_DE-ID_101285436.wav: ErrorDetail(strin... | 1 |
| read_tasks | ValidationError: "Failed to parse input file upload/122801/8be3d3c8-summrise.csv: Error tokenizing data. C error:... | 1 |
| read_tasks | ValidationError: ["Failed to parse input file upload/122801/91052fc3-2011-2015.html: ErrorDetail(string='Your lab... | 1 |
| read_tasks | ValidationError: "Failed to parse input file upload/123389/5801f4a3-project2_dryrun.csv: 'utf-8' codec can't deco... | 1 |


@mcanu changed the title from "feat: OPTIC-1509: Fix information exposure when tasks import failed" to "fix: OPTIC-1509: Fix information exposure when tasks import failed" Jan 31, 2025
netlify bot commented Jan 31, 2025

Deploy Preview for label-studio-docs-new-theme canceled.

Latest commit: 24967ce
Latest deploy log: https://app.netlify.com/sites/label-studio-docs-new-theme/deploys/67a37fc3e38480000845905d

netlify bot commented Jan 31, 2025

Deploy Preview for heartex-docs canceled.

Latest commit: 24967ce
Latest deploy log: https://app.netlify.com/sites/heartex-docs/deploys/67a37fc30597a60008b6253c

codecov bot commented Jan 31, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 76.98%. Comparing base (57affbe) to head (24967ce).
Report is 1 commits behind head on develop.

Additional details and impacted files
@@           Coverage Diff            @@
##           develop    #7004   +/-   ##
========================================
  Coverage    76.97%   76.98%           
========================================
  Files          175      175           
  Lines        14178    14181    +3     
========================================
+ Hits         10914    10917    +3     
  Misses        3264     3264           

| Flag | Coverage Δ |
|---|---|
| pytests | 76.98% <100.00%> (+<0.01%) ⬆️ |


@mcanu (Contributor, Author) commented Feb 5, 2025

/git merge develop

Workflow run
Successfully merged: delete mode 100644 web/tsconfig.json

@mcanu mcanu merged commit 2638f0f into develop Feb 5, 2025
43 checks passed