This is an automated email from the ASF dual-hosted git repository.

michaelsmolina pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/superset.git


The following commit(s) were added to refs/heads/master by this push:
     new f4da74ce8d feat: Adds a Content Security Policy (CSP) check for production environments (#21874)
f4da74ce8d is described below

commit f4da74ce8d6902be1ac3b881fb4a7bc521ec366f
Author: Michael S. Molina <[email protected]>
AuthorDate: Thu Oct 20 08:45:28 2022 -0300

    feat: Adds a Content Security Policy (CSP) check for production environments (#21874)
---
 docs/docs/security.mdx              | 22 ++++++++++++++++++++++
 superset/config.py                  |  3 +++
 superset/initialization/__init__.py | 24 ++++++++++++++++++++++--
 3 files changed, 47 insertions(+), 2 deletions(-)

diff --git a/docs/docs/security.mdx b/docs/docs/security.mdx
index 0067f196cb..283e48d9b0 100644
--- a/docs/docs/security.mdx
+++ b/docs/docs/security.mdx
@@ -131,6 +131,28 @@ For example, the filters `client_id=4` and `client_id=5`, 
applied to a role,
 will result in users of that role having `client_id=4` AND `client_id=5`
 added to their query, which can never be true.
 
+### Content Security Policiy (CSP)
+
+[Content Security Policy 
(CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is an added
+layer of security that helps to detect and mitigate certain types of attacks, 
including
+Cross-Site Scripting (XSS) and data injection attacks.
+
+CSP makes it possible for server administrators to reduce or eliminate the 
vectors by which XSS can
+occur by specifying the domains that the browser should consider to be valid 
sources of executable scripts.
+A CSP compatible browser will then only execute scripts loaded in source files 
received from those allowed domains,
+ignoring all other scripts (including inline scripts and event-handling HTML 
attributes).
+
+A policy is described using a series of policy directives, each of which 
describes the policy for
+a certain resource type or policy area. You can check possible directives
+[here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy).
+
+It's extremely important to correclty configure a Content Security Policy when 
deploying Superset to
+prevent many types of attacks. For that matter, Superset provides the ` 
TALISMAN_CONFIG` key in `config.py`
+where admnistrators can define the policy. When running in production mode, 
Superset will check for the presence
+of a policy and if it's not able to find one, it will issue a warning with the 
security risks. For environments
+where CSP policies are defined outside of Superset using other software, 
administrators can disable
+the warning using the `CONTENT_SECURITY_POLICY_WARNING` key in `config.py`.
+
 ### Reporting Security Vulnerabilities
 
 Apache Software Foundation takes a rigorous standpoint in annihilating the 
security issues in its
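Review bot: the new docs section ships several typos onto the published security page: the heading `### Content Security Policiy (CSP)` should read "Policy", "correclty" should be "correctly", "admnistrators" should be "administrators", and the inline span `` ` TALISMAN_CONFIG` `` has a stray leading space that will render as part of the literal. Since this is user-facing security guidance it is also worth saying precisely when the check runs: the code gates it on the app not being in debug mode, which is what "production mode" means here, so operators running with debug on should not expect the warning.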
diff --git a/superset/config.py b/superset/config.py
index 64dc3baa12..66130c9cf9 100644
--- a/superset/config.py
+++ b/superset/config.py
@@ -1223,6 +1223,9 @@ PREFERRED_DATABASES: List[str] = [
 # one here.
 TEST_DATABASE_CONNECTION_TIMEOUT = timedelta(seconds=30)
 
+# Enable/disable CSP warning
+CONTENT_SECURITY_POLICY_WARNING = True
+
 # Do you want Talisman enabled?
 TALISMAN_ENABLED = False
 # If you want Talisman, how do you want it configured??
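Review bot: the comment `# Enable/disable CSP warning` is too thin for a security-relevant setting. Suggest documenting that setting `CONTENT_SECURITY_POLICY_WARNING = False` is meant only to silence the startup warning for deployments whose CSP is applied by a proxy or other external software, that it must not change whether Talisman or a CSP is actually applied, and that the check is skipped in debug mode. A one-line pointer to the Content Security Policy section in docs/docs/security.mdx would help operators find the rationale.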
diff --git a/superset/initialization/__init__.py 
b/superset/initialization/__init__.py
index 598cf94e05..65aaeef26e 100644
--- a/superset/initialization/__init__.py
+++ b/superset/initialization/__init__.py
@@ -575,8 +575,28 @@ class SupersetAppInitializer:  # pylint: 
disable=too-many-public-methods
         # Flask-Compress
         Compress(self.superset_app)
 
-        if self.config["TALISMAN_ENABLED"]:
-            talisman.init_app(self.superset_app, 
**self.config["TALISMAN_CONFIG"])
+        show_csp_warning = False
+        if (
+            self.config["CONTENT_SECURITY_POLICY_WARNING"]
+            and not self.superset_app.debug
+        ):
+            if self.config["TALISMAN_ENABLED"]:
+                talisman.init_app(self.superset_app, 
**self.config["TALISMAN_CONFIG"])
+                if not 
self.config["TALISMAN_CONFIG"].get("content_security_policy"):
+                    show_csp_warning = True
+            else:
+                show_csp_warning = True
+
+        if show_csp_warning:
+            logger.warning(
+                "We haven't found any Content Security Policy (CSP) defined in 
"
+                "the configurations. Please make sure to configure CSP using 
the "
+                "TALISMAN_CONFIG key or any other external software. Failing 
to "
+                "configure CSP have serious security implications. Check "
+                "https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP for 
more "
+                "information. You can disable this warning using the "
+                "CONTENT_SECURITY_POLICY_WARNING key."
+            )
 
     def configure_logging(self) -> None:
         self.config["LOGGING_CONFIGURATOR"].configure_logging(
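Review bot: this hunk introduces a regression in when Talisman is initialised. Before the change `talisman.init_app(...)` ran whenever `TALISMAN_ENABLED` was true; it is now nested under `if self.config["CONTENT_SECURITY_POLICY_WARNING"] and not self.superset_app.debug`, so an operator who sets `CONTENT_SECURITY_POLICY_WARNING = False` (exactly what the docs recommend for externally managed CSP) or who runs with debug enabled silently loses Talisman entirely, including any CSP they did configure in `TALISMAN_CONFIG`. Suggest hoisting the original `if self.config["TALISMAN_ENABLED"]: talisman.init_app(self.superset_app, **self.config["TALISMAN_CONFIG"])` back out to the top of the block, unconditional as before, and computing `show_csp_warning` purely from the config values: warn when the warning flag is on, the app is not in debug mode, and either Talisman is disabled or `TALISMAN_CONFIG.get("content_security_policy")` is empty. That keeps the check additive and makes it impossible for a logging toggle to remove a security control. Minor: in the warning text, "Failing to configure CSP have serious security implications" should read "has".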
