Merge pull request #334 from HASEL-UZH/dev

Merge dev into main

documentation/PRIVACY.md

@@ -15,7 +15,7 @@ As mentioned above, all data is stored locally only on participant's machines. U
 Should a user want to modify and/or delete their data, they can do so directly in the sqlite-file. No other copies of the data exists, unless the user made them. 
 
 ## Sharing Collected Data
-In case users are running PersonalAnalytics during a scientific study, the researchers might ask the users (or in this context, participants) to share their data with the reseachers. To that purpose, we recommend using the built-in data obfuscation and export feature, which allows users to understand what the data will be used for as part of the research project, review the collected data and decide which data they want to share and/or obfuscate. Afterwards, an encrypted and password-protected export-file is created which can be shared with the researchers per their instructions. The data export tool can be accessed by clicking "Export Data" in the taskbar icon (on Windows) or menubar (on macOS).
+In case users are running PersonalAnalytics during a scientific study, the researchers might ask the users (or in this context, participants) to share their data with the reseachers. To that purpose, we recommend using the built-in data obfuscation and export feature, which allows users to understand what the data will be used for as part of the research project, review the collected data and decide which data they want to share and/or obfuscate. Afterwards, an encrypted and password-protected (if enabled in config) file is created which can be shared with the researchers per their instructions. The data export tool can be accessed by clicking "Export Data" in the taskbar icon (on Windows) or menubar (on macOS).
 
 ## Note on Using PersonalAnalytics
 Note that the creators of PersonalAnalytics can in no way be held liable against use, misuse or problems that arise from using the app. The app was developed as a public, open-source application that can be freely used and extended (with [correct attribution](https://github.com/HASEL-UZH/PersonalAnalytics/blob/main/documentation/RESEARCH.md). The researchers are responsible for informing users (or participants) of the usage of PersonalAnalytics, collected data and usage of any data that is shared with researchers, as well as data privacy and data security. 

src/electron/electron-builder.config.cjs

@@ -13,7 +13,7 @@ module.exports = {
     repo: 'PersonalAnalytics'
   },
   mac: {
-    artifactName: '${productName}-Mac-${version}-Installer.${ext}',
+    artifactName: '${productName}-${version}-${env.MAC_ARCH_TYPE}.${ext}',
     asarUnpack: ['node_modules/**/*.node'],
     entitlements: 'build/entitlements.mac.plist',
     entitlementsInherit: 'build/entitlements.mac.plist',
@@ -41,14 +41,11 @@ module.exports = {
     writeUpdateInfo: false
   },
   win: {
-    artifactName: '${productName}-Windows-${version}-Setup.${ext}'
+    artifactName: '${productName}-${version}-Windows.${ext}'
   },
   nsis: {
     oneClick: true,
     deleteAppDataOnUninstall: false,
     differentialPackage: false
-  },
-  linux: {
-    artifactName: '${productName}-Linux-${version}.${ext}'
   }
 };

src/electron/electron/ipc/IpcHandler.ts

@@ -17,6 +17,8 @@ import UserInputDto from '../../shared/dto/UserInputDto';
 import WindowActivityDto from '../../shared/dto/WindowActivityDto';
 import ExperienceSamplingDto from '../../shared/dto/ExperienceSamplingDto';
 import { is } from '../main/services/utils/helpers';
+import { JSDOM } from 'jsdom';
+import DOMPurify from 'dompurify';
 
 const LOG = getMainLogger('IpcHandler');
 
@@ -107,10 +109,19 @@ export class IpcHandler {
 
   private async getStudyInfo(): Promise<StudyInfoDto> {
     const settings: Settings = await Settings.findOne({ where: { onlyOneEntityShouldExist: 1 } });
+
+    const window = new JSDOM('').window;
+    const purify = DOMPurify(window);
+
+    const cleanDescription = purify.sanitize(studyConfig.shortDescription, {
+      ALLOWED_TAGS: ['a', 'b', 'br', 'i', 'li', 'p', 'strong', 'u', 'ul'],
+      ADD_ATTR: ['target']
+    });
+
     return {
       studyName: settings.studyName,
       subjectId: settings.subjectId,
-      shortDescription: studyConfig.shortDescription,
+      shortDescription: cleanDescription,
       infoUrl: studyConfig.infoUrl,
       privacyPolicyUrl: studyConfig.privacyPolicyUrl,
       contactName: studyConfig.contactName,
@@ -141,12 +152,14 @@ export class IpcHandler {
   private async startDataExport(
     windowActivityExportType: DataExportType,
     userInputExportType: DataExportType,
-    obfuscationTerms: string[]
+    obfuscationTerms: string[],
+    encryptData: boolean
   ): Promise<string> {
     return this.dataExportService.startDataExport(
       windowActivityExportType,
       userInputExportType,
-      obfuscationTerms
+      obfuscationTerms,
+      encryptData
     );
   }
 

src/electron/electron/main/services/DataExportService.ts

@@ -19,7 +19,8 @@ export class DataExportService {
   public async startDataExport(
     windowActivityExportType: DataExportType,
     userInputExportType: DataExportType,
-    obfuscationTerms: string[]
+    obfuscationTerms: string[],
+    encryptData: boolean
   ): Promise<string> {
     LOG.info('startDataExport called');
     await UsageDataService.createNewUsageDataEvent(
@@ -59,11 +60,13 @@ export class DataExportService {
       // see https://github.com/WiseLibs/better-sqlite3/blob/master/docs/performance.md
       db.pragma('journal_mode = WAL');
 
-      // see https://github.com/m4heshd/better-sqlite3-multiple-ciphers/issues/5#issuecomment-1008330548
-      db.pragma(`cipher='sqlcipher'`);
-      db.pragma(`legacy=4`);
+      if (encryptData) {
+        // see https://github.com/m4heshd/better-sqlite3-multiple-ciphers/issues/5#issuecomment-1008330548
+        db.pragma(`cipher='sqlcipher'`);
+        db.pragma(`legacy=4`);
 
-      db.pragma(`rekey='PersonalAnalytics_${settings.subjectId}'`);
+        db.pragma(`rekey='PersonalAnalytics_${settings.subjectId}'`);
+      }
 
       if (
         windowActivityExportType === DataExportType.Obfuscate ||