mistercrunch closed pull request #4390: Fix 4 security vulnerabilities
URL: https://github.com/apache/incubator-superset/pull/4390

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/setup.py b/setup.py
index df71d56212..393af3b5b8 100644
--- a/setup.py
+++ b/setup.py
@@ -80,6 +80,7 @@ def get_git_sha():
+        'bleach==2.1.2',
         'cors': ['Flask-Cors>=2.0.0'],
diff --git a/superset/assets/javascripts/dashboard/components/GridCell.jsx 
index 4f7213d3b0..2748fccd9a 100644
--- a/superset/assets/javascripts/dashboard/components/GridCell.jsx
+++ b/superset/assets/javascripts/dashboard/components/GridCell.jsx
@@ -108,6 +108,12 @@ class GridCell extends React.PureComponent {
+        {
+        /* This usage of dangerouslySetInnerHTML is safe since it is being 
used to render
+           markdown that is sanitized with bleach. See:
+             https://github.com/apache/incubator-superset/pull/4390
+           and
           className="slice_description bs-callout bs-callout-default"
           style={isExpanded ? {} : { display: 'none' }}
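Review bot: The new comment justifies `dangerouslySetInnerHTML` by saying the markdown "is sanitized with bleach", but that sanitization happens server-side in `markdown()` in `superset/utils.py`, not in this component; naming the function in the comment, e.g. `/* ... rendered from markdown that is sanitized server-side by bleach in superset.utils.markdown(); see ... */`, makes the coupling visible so a change to either side is caught in review. The comment text also appears wrapped mid-sentence at `being used to render` in this rendering, and the hunk is shorter than its `@@` header announces, so the enclosing JSX element starts and ends outside what is shown.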
diff --git a/superset/cli.py b/superset/cli.py
index 89119efb69..5c1f608130 100755
--- a/superset/cli.py
+++ b/superset/cli.py
@@ -221,7 +221,7 @@ def import_datasources(path, sync, recursive=False):
             with f.open() as data_stream:
-                    yaml.load(data_stream),
+                    yaml.safe_load(data_stream),
         except Exception as e:
             logging.error('Error when importing datasources from file %s', f)
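Review bot: `yaml.safe_load` is the correct replacement here, and it changes what the `except Exception as e` clause below has to report: a file using arbitrary YAML tags now raises inside the loader instead of executing. The handler as shown logs only the file name with `logging.error(...)`; unless `e` is logged on lines elided from this hunk, `logging.exception('Error when importing datasources from file %s', f)` would keep the traceback so the rejected document can be diagnosed. The body of `import_datasources` starts before and continues after this hunk.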
diff --git a/superset/config.py b/superset/config.py
index 48c893abb2..6f3c3afe93 100644
--- a/superset/config.py
+++ b/superset/config.py
@@ -277,10 +277,12 @@ class CeleryConfig(object):
 # static http headers to be served by your Superset server.
-# The following example prevents iFrame from other domains
-# and "clickjacking" as a result
-# HTTP_HEADERS = {'X-Frame-Options': 'SAMEORIGIN'}
+# This header prevents iFrames from other domains and
+# "clickjacking" as a result
+HTTP_HEADERS = {'X-Frame-Options': 'SAMEORIGIN'}
+# If you need to allow iframes from other domains (and are
+# aware of the risks), you can disable this header:
 # The db id here results in selecting this one as a default in SQL Lab
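Review bot: The added comment `# If you need to allow iframes from other domains (and are aware of the risks), you can disable this header:` ends with a colon but no example assignment follows in the hunk as shown; if the example was dropped in this rendering that is fine, otherwise a line such as `# HTTP_HEADERS = {}` should follow so the instruction is actionable. Since `X-Frame-Options` is now on by default, the comment could also note that `Content-Security-Policy: frame-ancestors` is the current-standard equivalent and the one to use when a specific third-party origin must be allowed, which `SAMEORIGIN`/`DENY` cannot express. The surrounding `CeleryConfig` context named in the `@@` header lies outside the hunk.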
diff --git a/superset/utils.py b/superset/utils.py
index a5058b7522..42616e72a2 100644
--- a/superset/utils.py
+++ b/superset/utils.py
@@ -21,6 +21,7 @@
 import uuid
 import zlib
+import bleach
 import celery
 from dateutil.parser import parse
 from flask import flash, Markup, redirect, render_template, request, url_for
@@ -433,11 +434,18 @@ def error_msg_from_exception(e):
 def markdown(s, markup_wrap=False):
+    safe_markdown_tags = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'b', 'i',
+                          'strong', 'em', 'tt', 'p', 'br', 'span',
+                          'div', 'blockquote', 'code', 'hr', 'ul', 'ol',
+                          'li', 'dd', 'dt', 'img', 'a']
+    safe_markdown_attrs = {'img': ['src', 'alt', 'title'],
+                           'a': ['href', 'alt', 'title']}
     s = md.markdown(s or '', [
+    s = bleach.clean(s, safe_markdown_tags, safe_markdown_attrs)
     if markup_wrap:
         s = Markup(s)
     return s
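Review bot: `safe_markdown_tags` and `safe_markdown_attrs` are rebuilt on every call to `markdown()` and sit inside the function body, where anyone auditing which HTML survives sanitization has to dig for them; hoisting them to module-level constants (e.g. `SAFE_MARKDOWN_TAGS` / `SAFE_MARKDOWN_ATTRS`) makes the allow-list a single visible policy and avoids the per-call allocation. A short comment on the `s = bleach.clean(s, safe_markdown_tags, safe_markdown_attrs)` line recording that `a[href]` and `img[src]` are acceptable only because `bleach.clean`'s default `protocols` argument restricts URL schemes would document the assumption the allow-list relies on. Several lines of this hunk, including the `md.markdown(s or '', [` extension list, appear elided in this mailing-list rendering, so the hunk as shown is incomplete.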


This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:

With regards,
Apache Git Services
