fix: DEV-3212: Add validation to avoid users import local files using URL

[guilhermemachado26]

Description of the proposed changes

LS users are able to use data import functionality to access local files on the running system, including environment variables, etc. This is achieved by using file:// url schema (ie. file:///etc/passwd).

Submitting a URL like this will cause Label Studio to fetch the local file and add it to the project, which can then be accessed in the /data/uploads folder.

Jira Ticket

https://heartex.atlassian.net/browse/DEV-3212

[swarmia]

✅  Linked to Story DEV-3212 · Add validation to avoid users import local files using URL

[farioas]

This is not the case. Now users lost ability to import files from local filesystem. I'd like to suggest restrict usage of "file://" to label-studio DATA_DIR or HOME_DIR

@makseq what do you think?

[codecov]

Codecov Report

Merging #2840 (14c58a1) into develop (17b40da) will decrease coverage by 0.75%.
The diff coverage is n/a.

@@             Coverage Diff             @@
##           develop    #2840      +/-   ##
===========================================
- Coverage    77.80%   77.04%   -0.76%     
===========================================
  Files          137      144       +7     
  Lines         9951    10601     +650     
===========================================
+ Hits          7742     8168     +426     
- Misses        2209     2433     +224     

Impacted Files	Coverage Δ
label_studio/label_studio/users/mixins.py	75.00% <0.00%> (-12.50%)	⬇️
...bel_studio/label_studio/organizations/functions.py	66.66% <0.00%> (-10.26%)	⬇️
...l_studio/label_studio/core/templatetags/filters.py	48.75% <0.00%> (-6.20%)	⬇️
..._studio/label_studio/core/settings/label_studio.py	94.28% <0.00%> (-5.72%)	⬇️
.../label_studio/data_manager/actions/experimental.py	14.79% <0.00%> (-4.72%)	⬇️
label_studio/label_studio/tasks/api.py	88.26% <0.00%> (-4.43%)	⬇️
label_studio/label_studio/ml/api.py	86.17% <0.00%> (-4.38%)	⬇️
label_studio/label_studio/ml/serializers.py	92.30% <0.00%> (-2.43%)	⬇️
label_studio/label_studio/core/utils/contextlog.py	44.55% <0.00%> (-2.33%)	⬇️
label_studio/label_studio/tasks/serializers.py	84.27% <0.00%> (-2.27%)	⬇️
... and 60 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[makseq]

This is not the case. Now users lost ability to import files from local filesystem. I'd like to suggest restrict usage of "file://" to label-studio DATA_DIR or HOME_DIR

@makseq what do you think?

We have Local Storage functionality for file access on hard drives. It works the same way as you described, so I think it's ok to restrict file:// access here. Local Storage is more controllable and obvious way to do it.