REANA allows previewing some files directly from the web UI.

In particular, reana-workflow-controller can set the following content types when returning the contents of a file:

reana-workflow-controller/reana_workflow_controller/config.py, lines 55 to 56 in e36c6a2:

```python
"""List of file mime-type prefixes that can be previewed directly from the server."""
```

This can become a problem in the case of shared workflows, as now the user creating the file can be different from the one previewing it. Consider for example `text/html` files: there is now a risk of XSS, as the HTML page might contain harmful JavaScript code. Not only that, the page is also served from the same domain as the main REANA web interface, so HTTP requests sent from these shared files are not stopped by security mechanisms such as the same-origin policy.

We should investigate whether sharing files between users is vulnerable (XSS, others) with the current setup, and if so we should look into possible solutions like (even multiple at the same time):

- disallowing the preview of dangerous files from shared workflows (but some HTML files might be useful, like Snakemake reports)

We should also consider that files might be used to share viruses/malware.
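The following is an added example, not code from the REANA project, sketching what the "disallow dangerous previews from shared workflows" option above could look like as a response policy. It goes slightly beyond the issue text: it also treats `image/svg+xml` as active content (SVG can carry script, and a bare `image/` prefix match would let it through) and shows a middle ground for the Snakemake-report case, rendering shared HTML under a `Content-Security-Policy: sandbox` header (no `allow-scripts`, no `allow-same-origin`), so the document gets an opaque origin and no script runs, instead of refusing the preview outright. The value of `PREVIEWABLE_MIME_TYPE_PREFIXES`, the function names and the user identifiers are assumptions; the real `config.py` list is not shown on this page.

```python
"""Hypothetical preview policy for shared-workflow file downloads.

Added example; not reana-workflow-controller code. All names below
(PREVIEWABLE_MIME_TYPE_PREFIXES value, preview_policy, ids) are assumed.
"""
from dataclasses import dataclass, field
from typing import Dict

# Assumed value: the real list in config.py is not reproduced on the page.
PREVIEWABLE_MIME_TYPE_PREFIXES = ["text/plain", "image/", "application/pdf", "text/html"]

# "Active" content: rendered inline in the REANA origin, author-controlled
# script would run with the viewer's session (stored XSS). Note that
# image/svg+xml passes the coarse "image/" prefix check but can embed <script>.
ACTIVE_CONTENT_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}


@dataclass
class PreviewDecision:
    content_type: str
    headers: Dict[str, str] = field(default_factory=dict)
    inline: bool = True  # False: browser downloads instead of rendering


def is_previewable(mime_type: str) -> bool:
    """Prefix match, mirroring the 'mime-type prefixes' wording of config.py."""
    return any(mime_type.startswith(p) for p in PREVIEWABLE_MIME_TYPE_PREFIXES)


def preview_policy(mime_type: str, owner_id: str, requester_id: str,
                   allow_sandboxed_html: bool = True) -> PreviewDecision:
    """Decide content type and security headers for a file preview response.

    - Non-previewable types are always sent as a download.
    - The owner previewing their own file keeps today's behaviour.
    - For a shared workflow (requester != owner), active content is either
      served under a CSP sandbox with scripts disabled (so reports such as
      Snakemake HTML still render) or, if that is disabled, forced to a download.
    """
    # nosniff stops browsers from upgrading e.g. text/plain to HTML by sniffing.
    base = {"X-Content-Type-Options": "nosniff"}
    download = {**base, "Content-Disposition": "attachment"}

    if not is_previewable(mime_type):
        return PreviewDecision("application/octet-stream", download, inline=False)

    if owner_id == requester_id or mime_type not in ACTIVE_CONTENT_TYPES:
        return PreviewDecision(mime_type, base, inline=True)

    if allow_sandboxed_html:
        # 'sandbox' with no allow-* tokens: no script execution, opaque origin,
        # so the document cannot act as the REANA origin even if it tried.
        return PreviewDecision(mime_type, {**base, "Content-Security-Policy": "sandbox"}, inline=True)

    return PreviewDecision("application/octet-stream", download, inline=False)


def demo() -> Dict[str, bool]:
    """Run the policy over a few constructed cases; returns which render inline."""
    cases = {
        "owner_html": preview_policy("text/html", "alice", "alice"),
        "shared_html_sandboxed": preview_policy("text/html", "alice", "bob"),
        "shared_html_download": preview_policy("text/html", "alice", "bob", allow_sandboxed_html=False),
        "shared_svg": preview_policy("image/svg+xml", "alice", "bob"),
        "shared_plain": preview_policy("text/plain", "alice", "bob"),
        "owner_zip": preview_policy("application/zip", "alice", "alice"),
    }
    return {name: d.inline for name, d in cases.items()}


if __name__ == "__main__":
    for name, inline in demo().items():
        print(f"{name}: {'inline' if inline else 'download'}")
```

The policy keys on the owner/requester relationship rather than on the file alone, which is exactly the gap the issue describes: the same `text/html` file is harmless when its author views it and a stored-XSS vector when someone else does. The sandbox branch is a judgement call; if a deployment needs reports to run script, the safer route is to serve them from a separate origin, not to add `allow-scripts allow-same-origin`.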