Google flagging DT tables as virus/malware? #1080

Closed
gorkang opened this issue Aug 29, 2023 · 11 comments

gorkang commented Aug 29, 2023

Starting a few days ago, after sharing in Google Drive Rmarkdown html reports with a few DT::datatable() tables, I received emails from Google Drive Safety (drivesafety-noreply@google.com) with the following content:

Your file may violate Google Drive's Terms of Service

"report_DF_clean.html" contains content that may violate Google Drive's Malware and Similar Malicious Content policy. Some features related to this file may have been restricted. If you think this is an error and would like the Trust & Safety team to review this file, request a review below.

The html report in question is just a bunch of DT::datatable() tables in tabsets.

Afterwards, I received a second email from Google Policy Violation Warning telling me If this behavior continues, your access to this product may be disabled. (this product being Google Drive).

I posted the issue in community.rstudio and Kim.Cressman pointed to a related issue when attaching html files with DT tables inside in Gmail.

Any idea about what is happening and how to avoid it? Not being able to share the html reports with DT tables inside, and/or risking losing access to Google Drive is very disruptive...

Thanks in advance!


By filing an issue to this repo, I promise that

  • [ x ] I have fully read the issue guide at https://yihui.org/issue/.
  • [ x ] I have provided the necessary information about my issue.
    • If I'm asking a question, I have already asked it on Stack Overflow or RStudio Community, waited for at least 24 hours, and included a link to my question there.
    • If I'm filing a bug report, I have included a minimal, self-contained, and reproducible example, and have also included xfun::session_info('DT'). I have upgraded all my packages to their latest versions (e.g., R, RStudio, and R packages), and also tried the development version: remotes::install_github('rstudio/DT').
    • If I have posted the same issue elsewhere, I have also mentioned it in this issue.
  • [ x ] I have learned the Github Markdown syntax, and formatted my issue correctly.

I understand that my issue may be closed if I don't fulfill my promises.


philibe commented Aug 29, 2023

Do you have a reproducible example (reprex)?

If your html is from DT, the issue could be from :

If your html is from Rmarkdown, the issue could be from :

In general, html files are blocked when there is a lot of JavaScript within.

PS: I am a simple developer, not from the rstudio/DT team.


gorkang commented Aug 29, 2023

Hi @philibe . I believe there is nothing special about the file causing issues other than the DT datatables and a ggplot.

In any case, here it is: report_PROBLEMS.zip

Googling around, it seems that jQuery 3.6.0 (the version embedded in the html created) has some sort of security issue: jquery/jquery#5062

Maybe an update to the jQuery library used by DT is needed?


gorkang commented Aug 29, 2023

After some more digging, I started deleting bits from the html file (report_VIRUS.html) inside reports.zip, and attempting to attach the resulting file to a Gmail message.

The original file would trigger a "Virus detected!" message.

Getting rid of the jQuery code, and any others I tried, did not solve the issue.

The completely absurd way to get rid of the problem was to delete the following comment (yes, only the comment):

// some helper functions: using a global object DTWidget so that it can be used
// in JS() code, e.g. datatable(options = list(foo = JS('code'))); unlike R's
// dynamic scoping, when 'code' is eval()'ed, JavaScript does not know objects
// from the "parent frame", e.g. JS('DTWidget') will not work unless it was made
// a global object

That is the only difference between the two files attached.

The resulting file report_OK.html passes the Gmail virus detection:

Screenshot from 2023-08-29 14-26-32


yihui commented Aug 29, 2023

That's funny... Thanks a lot for the investigation! Could you try to only delete eval() in the comment and see if it still triggers the message?


gorkang commented Aug 29, 2023

Oh, just for fun, I was curious about what exact part in that comment was causing the issues.

And of course, it is the eval() bit.

So, this will cause the issue:

// dynamic scoping, when 'code' is eval()'ed, JavaScript does not know objects

But this is completely fine:

// dynamic scoping, when 'code' is eval'ed, JavaScript does not know objects
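
The manual reduction described in the comments above (delete part of the file, re-test, repeat) can be automated as delta debugging when triaging a false positive like this one. This is an added example, not code from the thread or from DT; `flagged` is a hypothetical local stand-in for the scanner verdict, and the sample HTML is constructed.

```javascript
// Added example: ddmin-style reduction of a flagged file to its smallest trigger.
// `flagged` is a hypothetical stand-in for the scanner verdict (the real check is a
// black box); swap in your own manual or scripted check of the reduced file.
const flagged = (text) => text.includes("eval()");

// Drop chunks of `units` for as long as what remains still triggers the oracle.
function ddmin(units, oracle, join) {
  let n = 2;
  while (units.length >= 2) {
    const size = Math.ceil(units.length / n);
    let reduced = false;
    for (let i = 0; i < units.length; i += size) {
      const rest = units.slice(0, i).concat(units.slice(i + size));
      if (rest.length > 0 && oracle(rest.join(join))) {
        units = rest;               // the removed chunk was irrelevant
        n = Math.max(n - 1, 2);
        reduced = true;
        break;
      }
    }
    if (!reduced) {
      if (n >= units.length) break; // no single unit can be removed any more
      n = Math.min(n * 2, units.length);
    }
  }
  return units;
}

// Reduce by lines first, then by characters inside the surviving text.
function minimalTrigger(text, oracle) {
  if (!oracle(text)) return null;   // file is not flagged, nothing to reduce
  const lines = ddmin(text.split("\n"), oracle, "\n");
  const chars = ddmin([...lines.join("\n")], oracle, "");
  return { lines, token: chars.join("") };
}

// Constructed sample shaped like the report discussed in this thread.
const sample = [
  "<html><body>",
  "<script>",
  "// dynamic scoping, when 'code' is eval()'ed, JavaScript does not know objects",
  "var DTWidget = {};",
  "</script>",
  '<table id="t1"></table>',
  "</body></html>",
].join("\n");

const result = minimalTrigger(sample, flagged);
console.log(result);
```

With a real scanner each oracle call is one upload or scan, so the line-level pass is usually where to stop before inspecting the surviving line by hand.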


gorkang commented Aug 29, 2023

> That's funny... Thanks a lot for the investigation! Could you try to only delete eval() in the comment and see if it still triggers the message?

Oh, you posted this just as I was trying that and responding! :)


yihui commented Aug 29, 2023

Okay, I'll get rid of () :)


gorkang commented Aug 29, 2023

> Okay, I'll get rid of () :)

Let me know if you want me to do a Pull request! 🤣 (kidding, of course)

Thanks!


philibe commented Aug 29, 2023

IMHO it's too heavy (11Mo of rds), too complex html (many many js in html).

Instead of big html:

  • Why don't you upload *.Rmd instead of html? (for R users)
  • Why don't you upload *.pdf from rmarkdown instead of html?

And in html there are potentially suspicious elements for Google:

I won't be surprised that Google doesn't like base64 javascript in uploaded html files

I don't think that Rmarkdown was thought out and usable for export in its html form with the javascript Rmarkdown engine inside. Even if it was thought out for that, I could understand that Google sometimes blocks these big and complex html files. :)

yihui self-assigned this Aug 29, 2023
yihui closed this as completed in 5235b34 Aug 29, 2023

yihui commented Aug 29, 2023

Parentheses deleted. I'll make a new CRAN release soon.

gorkang added a commit to gorkang/jsPsychHelpeR that referenced this issue Aug 29, 2023

yihui commented Aug 29, 2023

FYI the new version is on CRAN now: https://cran.r-project.org/package=DT
