This is an automated email from the ASF dual-hosted git repository. michellet pushed a commit to branch release--0.33 in repository https://gitbox.apache.org/repos/asf/incubator-superset.git
commit dbaa37f406926e532094e72d69f682e1713a6c2d
Author: John Bodley <[email protected]>
AuthorDate: Mon May 13 17:08:24 2019 -0700

[security] Adding Flask-Talisman (#7443)

(cherry picked from commit a4392c8fcdb52fa4bc23c0bdeb6903b6e173e530)
---
 requirements.txt | 4 +++-
 setup.py | 1 +
 superset/__init__.py | 3 +++
 superset/config.py | 10 +++-------
 superset/views/core.py | 2 +-
 5 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/requirements.txt b/requirements.txt
index 1863a22..3076586 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -4,6 +4,7 @@
 #
 # pip-compile --output-file requirements.txt setup.py
 #
+
 alembic==1.0.0 # via flask-migrate
 amqp==2.3.2 # via kombu
 apispec[yaml]==1.2.0 # via flask-appbuilder
@@ -32,6 +33,7 @@ flask-login==0.4.1 # via flask-appbuilder
 flask-migrate==2.1.1
 flask-openid==1.2.5 # via flask-appbuilder
 flask-sqlalchemy==2.3.2 # via flask-appbuilder, flask-migrate
+flask-talisman==0.6.0
 flask-wtf==0.14.2
 flask==1.0.2
 geopy==1.11.0
@@ -70,7 +72,7 @@ requests==2.20.0
 retry==0.9.2
 selenium==3.141.0
 simplejson==3.15.0
-six==1.11.0 # via bleach, cryptography, flask-jwt-extended, isodate, jsonschema, pathlib2, polyline, prison, pydruid, pyrsistent, python-dateutil, sqlalchemy-utils, wtforms-json
+six==1.11.0 # via bleach, cryptography, flask-jwt-extended, flask-talisman, isodate, jsonschema, pathlib2, polyline, prison, pydruid, pyrsistent, python-dateutil, sqlalchemy-utils, wtforms-json
 sqlalchemy-utils==0.32.21
 sqlalchemy==1.3.1
 sqlparse==0.2.4
diff --git a/setup.py b/setup.py
index b97b49a..b7ec596 100644
--- a/setup.py
+++ b/setup.py
@@ -80,6 +80,7 @@ setup(
 'flask-appbuilder>=2.0.0, <2.3.0',
 'flask-caching',
 'flask-compress',
+ 'flask-talisman',
 'flask-migrate',
 'flask-wtf',
 'geopy',
diff --git a/superset/__init__.py b/superset/__init__.py
index c405c01..217d0a5 100644
--- a/superset/__init__.py
+++ b/superset/__init__.py
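Review bot: `'flask-talisman'` is added to setup.py with no version bound, while `'flask-appbuilder>=2.0.0, <2.3.0'` three lines above is capped and the 0.6.0 pin in requirements.txt only covers the compiled environment. Because this library's defaults decide which security headers, redirects and cookie flags every response gets, a later release that changes those defaults would silently change Superset's behaviour for anyone installing from setup.py rather than the lockfile. I would cap it, `'flask-talisman>=0.6.0, <1.0'`, and in any case pass the options Superset relies on explicitly at the `Talisman(...)` call rather than leaning on library defaults.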
@@ -27,6 +27,7 @@ from flask_appbuilder import AppBuilder, IndexView, SQLA
 from flask_appbuilder.baseviews import expose
 from flask_compress import Compress
 from flask_migrate import Migrate
+from flask_talisman import Talisman
 from flask_wtf.csrf import CSRFProtect
 from werkzeug.contrib.fixers import ProxyFix
 import wtforms_json
@@ -228,6 +229,8 @@ def is_feature_enabled(feature):
 if conf.get('ENABLE_FLASK_COMPRESS'):
 Compress(app)
 
+Talisman(app, content_security_policy=None)
+
 # Hook that provides administrators a handle on the Flask APP
 # after initialization
 flask_app_mutator = app.config.get('FLASK_APP_MUTATOR')
diff --git a/superset/config.py b/superset/config.py
index 96ccb09..b1052fe 100644
--- a/superset/config.py
+++ b/superset/config.py
@@ -403,13 +403,9 @@ CELERY_CONFIG = CeleryConfig
 CELERY_CONFIG = None
 """
 
-# static http headers to be served by your Superset server.
-# This header prevents iFrames from other domains and
-# "clickjacking" as a result
-HTTP_HEADERS = {'X-Frame-Options': 'SAMEORIGIN'}
-# If you need to allow iframes from other domains (and are
-# aware of the risks), you can disable this header:
-# HTTP_HEADERS = {}
+# Additional static HTTP headers to be served by your Superset server. Note
+# Flask-Talisman aplies the relevant security HTTP headers.
+HTTP_HEADERS = {}
 
 # The db id here results in selecting this one as a default in SQL Lab
 DEFAULT_DB_ID = None
diff --git a/superset/views/core.py b/superset/views/core.py
index d910923..019d400 100755
--- a/superset/views/core.py
+++ b/superset/views/core.py
@@ -3006,7 +3006,7 @@ appbuilder.add_separator('Sources')
 @app.after_request
-def apply_caching(response):
+def apply_http_headers(response):
 """Applies the configuration's http headers to all responses"""
 for k, v in config.get('HTTP_HEADERS').items():
 response.headers[k] = v
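Review bot: `Talisman(app, content_security_policy=None)` is registered unconditionally and every other Talisman option is left at its library default, which for 0.6.0 I believe includes `force_https=True`, a one-year HSTS header with `includeSubDomains`, and `session_cookie_secure=True` — confirm against the pinned version. An instance reached over plain HTTP (local development, or a TLS-terminating proxy that does not forward `X-Forwarded-Proto` while `ProxyFix`, imported above but not visible in use in this hunk, is not enabled) would then be redirected to an HTTPS endpoint it may not have, its session cookie would no longer be sent, and browsers would cache the HSTS policy for the origin and every subdomain. I would gate and parameterise the call so operators can adapt it, e.g. `if conf.get('TALISMAN_ENABLED', True):` followed by `    Talisman(app, **conf.get('TALISMAN_CONFIG', {'content_security_policy': None}))`, and document both keys in config.py next to `HTTP_HEADERS`. The `content_security_policy=None` also needs a why-comment, since it switches off the one header Talisman would otherwise add that the old `HTTP_HEADERS` never set; if the reason is front-end breakage under Talisman's default `'self'` policy, say so: `# CSP disabled: Talisman's default policy blocks Superset's inline/external assets; revisit with a nonce-based policy.`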
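Review bot: The replacement comment in config.py overstates what is in place: the `superset/__init__.py` hunk passes `content_security_policy=None`, so Talisman sets no Content-Security-Policy, and the removed guidance for sites that must allow cross-origin framing has no successor even though `X-Frame-Options: SAMEORIGIN` is still emitted, now by Talisman. If, as the import order suggests, `views/core.py` registers `apply_http_headers` after `Talisman(app, ...)`, Flask's reverse-registration execution of after_request handlers means a conflicting value placed in `HTTP_HEADERS` is overwritten by Talisman — worth a quick test before anyone treats `HTTP_HEADERS` as an override mechanism. There is also a typo, `aplies`. I would write the comment as `# Additional static HTTP headers served on every response. Flask-Talisman` / `# (see superset/__init__.py) already sets X-Frame-Options: SAMEORIGIN, HSTS and` / `# related headers but no Content-Security-Policy, which is disabled there.`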
