fix: LEAP-508: Add noreferrer to external links (#5632)

[According to MDN](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a#security_and_privacy), `noopener` is not required anymore, because it's implied automatically > setting target="_blank" implicitly provides the same protection as setting rel="noopener" However `rel="noreferrer"` is important to not reveal anything for 3rd parties. And there is a security issue because of this: https://github.com/HumanSignal/label-studio/security/code-scanning/769 This PR adds `noreferrer` to external links like slack, github or pypi. It doesn't add it to links to our documentation. Also it adds `target="_blank"` to external links that didn't have it. Changed links: - Menu bar — github, slack, pypi - Export modal — github, slack - Invite people — docs - Webhooks — docs - Errors about wrong resource in LSF — link to this resource #### Does this change affect security? Fixes https://github.com/HumanSignal/label-studio/security/code-scanning/769 #### What alternative approaches were there? [Add `noopener`](#5609) but that doesn't make it fully secure --------- Co-authored-by: robot-ci-heartex <robot-ci-heartex@users.noreply.github.com> Co-authored-by: hlomzik <hlomzik@users.noreply.github.com>
HumanSignal · Apr 18, 2024 · 1796c6e · 1796c6e
1 parent 29b1cd7
commit 1796c6e
Show file tree

Hide file tree

Showing 13 changed files with 31 additions and 23 deletions.
diff --git a/web/apps/labelstudio/src/components/Menubar/Menubar.jsx b/web/apps/labelstudio/src/components/Menubar/Menubar.jsx
@@ -233,12 +233,14 @@ export const Menubar = ({
                   href="https://github.com/heartexlabs/label-studio"
                   icon={<LsGitHub/>}
                   target="_blank"
+                  rel="noreferrer"
                 />
                 <Menu.Item
                   label="Slack Community"
                   href="https://slack.labelstud.io/?source=product-menu"
                   icon={<LsSlack/>}
                   target="_blank"
+                  rel="noreferrer"
                 />
 
                 <VersionNotifier showCurrentVersion/>

diff --git a/web/apps/labelstudio/src/components/VersionNotifier/VersionNotifier.jsx b/web/apps/labelstudio/src/components/VersionNotifier/VersionNotifier.jsx
@@ -52,7 +52,7 @@ export const VersionNotifier = ({ showNewVersion, showCurrentVersion }) => {
 
   return (newVersion && showNewVersion) ? (
     <Block tag="li" name="version-notifier">
-      <a href={url} target="_blank">
+      <a href={url} target="_blank" rel="noreferrer">
         <Elem name="icon">
           <IconBell/>
         </Elem>

diff --git a/web/apps/labelstudio/src/pages/ExportPage/ExportPage.jsx b/web/apps/labelstudio/src/pages/ExportPage/ExportPage.jsx
@@ -235,7 +235,13 @@ const FormatInfo = ({ availableFormats, selected, onClick }) => {
       <Elem name="feedback">
         Can't find an export format?
         <br/>
-        Please let us know in <a className="no-go" href="https://slack.labelstud.io/?source=product-export">Slack</a> or submit an issue to the <a className="no-go" href="https://github.com/heartexlabs/label-studio-converter/issues">Repository</a>
+        Please let us know in
+        {" "}
+        <a className="no-go" href="https://slack.labelstud.io/?source=product-export" target="_blank">Slack</a>
+        {" "}
+        or submit an issue to the
+        {" "}
+        <a className="no-go" href="https://github.com/heartexlabs/label-studio-converter/issues" target="_blank" rel="noreferrer">Repository</a>
       </Elem>
     </Block>
   );

diff --git a/web/apps/labelstudio/src/pages/Organization/PeoplePage/PeoplePage.jsx b/web/apps/labelstudio/src/pages/Organization/PeoplePage/PeoplePage.jsx
@@ -26,7 +26,7 @@ const InvitationModal = ({ link }) => {
       />
 
       <Description style={{ width: '70%', marginTop: 16 }}>
-        Invite people to join your Label Studio instance. People that you invite have full access to all of your projects. <a href="https://labelstud.io/guide/signup.html">Learn more</a>.
+        Invite people to join your Label Studio instance. People that you invite have full access to all of your projects. <a href="https://labelstud.io/guide/signup.html" target="_blank">Learn more</a>.
       </Description>
     </Block>
   );

diff --git a/web/apps/labelstudio/src/pages/WebhookPage/WebhookPage.jsx b/web/apps/labelstudio/src/pages/WebhookPage/WebhookPage.jsx
@@ -126,7 +126,7 @@ const Webhook = () => {
         When the specified events occur, a POST request is sent to each of the URLs you provide.
           </p>
           <p>
-            <a href="https://labelstud.io/guide/webhooks.html">Read more in the documentation</a>.
+            <a href="https://labelstud.io/guide/webhooks.html" target="_blank">Read more in the documentation</a>.
           </p>
         </Elem>
       </Elem>

diff --git a/web/dist/apps/labelstudio/main.js b/web/dist/apps/labelstudio/main.js
diff --git a/web/dist/apps/labelstudio/main.js.map b/web/dist/apps/labelstudio/main.js.map
diff --git a/web/dist/apps/labelstudio/version.json b/web/dist/apps/labelstudio/version.json
@@ -1,6 +1,6 @@
 {
-  "message": "Merge branch 'develop' into 'fb-LEAP-1004'",
-  "commit": "2174366308f877c5eed33bb1ba03346e6eb8d76e",
-  "date": "2024-04-16T12:46:28.000Z",
-  "branch": "fb-LEAP-1004"
+  "message": "Merge branch 'develop' into fb-leap-508/external-links",
+  "commit": "48d99bd060d2d0438a5a37dbe846da184ba8c0fc",
+  "date": "2024-04-18T12:29:53.000Z",
+  "branch": "fb-leap-508/external-links"
 }
diff --git a/web/dist/libs/datamanager/version.json b/web/dist/libs/datamanager/version.json
@@ -1,6 +1,6 @@
 {
-  "message": "Merge branch 'develop' into 'fb-LEAP-1004'",
-  "commit": "2174366308f877c5eed33bb1ba03346e6eb8d76e",
-  "date": "2024-04-16T12:46:28.000Z",
-  "branch": "fb-LEAP-1004"
+  "message": "Merge branch 'develop' into fb-leap-508/external-links",
+  "commit": "48d99bd060d2d0438a5a37dbe846da184ba8c0fc",
+  "date": "2024-04-18T12:29:53.000Z",
+  "branch": "fb-leap-508/external-links"
 }
diff --git a/web/dist/libs/editor/main.js b/web/dist/libs/editor/main.js
diff --git a/web/dist/libs/editor/main.js.map b/web/dist/libs/editor/main.js.map
diff --git a/web/dist/libs/editor/version.json b/web/dist/libs/editor/version.json
@@ -1,6 +1,6 @@
 {
-  "message": "Merge branch 'develop' into 'fb-LEAP-1004'",
-  "commit": "2174366308f877c5eed33bb1ba03346e6eb8d76e",
-  "date": "2024-04-16T12:46:28.000Z",
-  "branch": "fb-LEAP-1004"
+  "message": "Merge branch 'develop' into fb-leap-508/external-links",
+  "commit": "48d99bd060d2d0438a5a37dbe846da184ba8c0fc",
+  "date": "2024-04-18T12:29:53.000Z",
+  "branch": "fb-leap-508/external-links"
 }
diff --git a/web/libs/editor/src/utils/messages.jsx b/web/libs/editor/src/utils/messages.jsx
@@ -71,7 +71,7 @@ export default {
         The request parameters are invalid.
         If you are using S3, make sure you’ve specified the right bucket region name.
       </p>
-      <p>URL: <code><a href="${encodeURI(url)}" target="_blank">${htmlEscape(url)}</a></code></p>
+      <p>URL: <code><a href="${encodeURI(url)}" target="_blank" rel="noreferrer">${htmlEscape(url)}</a></code></p>
     </div>`;
   },
 
@@ -90,7 +90,7 @@ export default {
           <li>Network is reachable</li>
         </ul>
       </p>
-      <p>URL: <code><a href="${encodeURI(url)}" target="_blank">${htmlEscape(url)}</a></code></p>
+      <p>URL: <code><a href="${encodeURI(url)}" target="_blank" rel="noreferrer">${htmlEscape(url)}</a></code></p>
     </div>`;
   },
 
@@ -114,7 +114,7 @@ export default {
       <p>
         Technical description: <code>${error}</code>
         <br />
-        URL: <code><a href="${encodeURI(url)}" target="_blank">${htmlEscape(url)}</a></code>
+        URL: <code><a href="${encodeURI(url)}" target="_blank" rel="noreferrer">${htmlEscape(url)}</a></code>
       </p>
     </div>`;
   },
-Original file line number
+Diff line change
@@ Expand Up / @@ -126,7 +126,7 @@ const Webhook = () => { @@
             When the specified events occur, a POST request is sent to each of the URLs you provide.
               </p>
               <p>
-                <a href="https://labelstud.io/guide/webhooks.html">Read more in the documentation</a>.
+                <a href="https://labelstud.io/guide/webhooks.html" target="_blank">Read more in the documentation</a>.
               </p>
             </Elem>
           </Elem>
@@ Expand Down @@