[incubator-superset] branch master updated: Add PeopleDoc in organizations list who use superset (#4178)

2018-02-09 Thread graceguo
This is an automated email from the ASF dual-hosted git repository.

graceguo pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-superset.git


The following commit(s) were added to refs/heads/master by this push:
 new f9106f8  Add PeopleDoc in organizations list who use superset (#4178)
f9106f8 is described below

commit f9106f80fd20e8b7481ed7f01461fa5c0f08eb62
Author: Rodolphe Quiédeville 
AuthorDate: Sat Feb 10 00:11:29 2018 +0100

Add PeopleDoc in organizations list who use superset (#4178)
---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index 62d550b..0f3d12c 100644
--- a/README.md
+++ b/README.md
@@ -165,6 +165,7 @@ the world know they are using Superset. Join our growing 
community!
  - [Konfío](http://konfio.mx)
  - [Lyft](https://www.lyft.com/)
  - [Maieutical Labs](https://cloudschooling.it)
+ - [PeopleDoc](https://www.people-doc.com) 
  - [Ona](https://ona.io)
  - [Pronto Tools](http://www.prontotools.io)
  - [Qunar](https://www.qunar.com/)
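Review bot: the new entry `+ - [PeopleDoc](https://www.people-doc.com) ` breaks the alphabetical order of this list (it lands between Maieutical Labs and Ona) and carries trailing whitespace; suggest moving it below the `Ona` line and stripping the trailing space before merge.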

-- 
To stop receiving notification emails like this one, please contact
grace...@apache.org.


[incubator-superset] branch master updated: Fix 4 security vulnerabilities (#4390)

2018-02-09 Thread maximebeauchemin

maximebeauchemin pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-superset.git


The following commit(s) were added to refs/heads/master by this push:
 new 4ff17ff  Fix 4 security vulnerabilities (#4390)
4ff17ff is described below

commit 4ff17ffc8de30c3813a81c80cf38d89d9da7a73d
Author: David Dworken 
AuthorDate: Fri Feb 9 14:33:29 2018 -0800

Fix 4 security vulnerabilities (#4390)

* Switched yaml.load to yaml.safe_load to prevent code execution via 
crafted yaml files

Python's yaml.load can lead to code execution via crafted yaml files such 
as:

```yaml
code_exec: !!python/object/apply:subprocess.check_output ['ls']
```

* Fixed XSS via bleach

It was possible to get an XSS via the markdown library via simply setting a 
description containing arbitrary HTML tags.
It was also possible to create links that went to the `javascript:` link 
handler (eg `[example](javascript:alert(0)`)
Using bleach to sanitize it solves both of these.

* Added XFO header by default to prevent clickjacking attacks

Note that with this application clickjacking can be relatively severe via 
the SQLLab functionality
which allows executing arbitrary SQL.

* Added justification for dangerouslySetInnerHTML

* Fixed linting errors

* Fixed linting errors
---
 setup.py  |  1 +
 superset/assets/javascripts/dashboard/components/GridCell.jsx |  6 ++
 superset/cli.py   |  2 +-
 superset/config.py| 10 ++
 superset/utils.py |  8 
 5 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/setup.py b/setup.py
index df71d56..393af3b 100644
--- a/setup.py
+++ b/setup.py
@@ -80,6 +80,7 @@ setup(
 'thrift>=0.9.3',
 'thrift-sasl>=0.2.1',
 'unidecode>=0.04.21',
+'bleach==2.1.2',
 ],
 extras_require={
 'cors': ['Flask-Cors>=2.0.0'],
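Review bot: `'bleach==2.1.2'` is the only exact pin in this block; the neighbouring entries (`'thrift>=0.9.3'`, `'unidecode>=0.04.21'`) use `>=` lower bounds. An exact pin on the sanitizer means later bleach security releases are not picked up without a code change; suggest a `>=` bound (or a compatible-release pin) consistent with the other dependencies, or a short note in the PR explaining why 2.1.2 specifically is required.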
diff --git a/superset/assets/javascripts/dashboard/components/GridCell.jsx 
b/superset/assets/javascripts/dashboard/components/GridCell.jsx
index 4f7213d..2748fcc 100644
--- a/superset/assets/javascripts/dashboard/components/GridCell.jsx
+++ b/superset/assets/javascripts/dashboard/components/GridCell.jsx
@@ -108,6 +108,12 @@ class GridCell extends React.PureComponent {
 annotationQuery={annotationQuery}
   />
 
+{
+/* This usage of dangerouslySetInnerHTML is safe since it is being 
used to render
+   markdown that is sanitized with bleach. See:
+ https://github.com/apache/incubator-superset/pull/4390
+   and
+ 
https://github.com/apache/incubator-superset/commit/b6fcc22d5a2cb7a5e92599ed5795a0169385a825
 */}
 
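Review bot: the comment justifies `dangerouslySetInnerHTML` by stating that the markdown "is sanitized with bleach", but nothing at this call site enforces that; the safety of the render depends on every server path that produces this markdown going through the sanitizer. Suggest naming the sanitizing helper (the `superset/utils.py` change in this same commit) in the comment so a later reader can verify the invariant directly, rather than linking only to the PR and a commit hash.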

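The commit message above describes adding an X-Frame-Options header by default so that pages such as SQL Lab cannot be embedded in a frame on another site. The block below is an added example, not code from the Superset commit (whose own change lives in `superset/config.py` and `superset/utils.py`, hunks not shown in this notification): a plain WSGI middleware that fills in the header when the application has not set one, plus a `frame_policy` check that classifies what framing a captured response allows. The sample apps, the `call_wsgi` driver and the SAMEORIGIN default are constructed assumptions of mine, not values from the commit.

```python
"""X-Frame-Options as WSGI middleware, plus a header check.

Added example, not code from the Superset commit above. The sample apps are
constructed stand-ins, and the SAMEORIGIN default is an assumption, not the
value the commit configures.
"""
from typing import Callable, Iterable, List, Tuple

Headers = List[Tuple[str, str]]
WsgiApp = Callable[[dict, Callable], Iterable[bytes]]


def add_frame_protection(app: WsgiApp, policy: str = "SAMEORIGIN") -> WsgiApp:
    """Wrap a WSGI app so every response carries X-Frame-Options.

    An app that already sets its own X-Frame-Options (in any letter case)
    keeps it; the wrapper only fills the header in when it is absent.
    """
    if policy not in ("DENY", "SAMEORIGIN"):
        raise ValueError("X-Frame-Options accepts only DENY or SAMEORIGIN")

    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            names = {name.lower() for name, _ in headers}
            if "x-frame-options" not in names:
                headers = list(headers) + [("X-Frame-Options", policy)]
            return start_response(status, headers, exc_info)

        return app(environ, patched_start_response)

    return wrapped


def frame_policy(headers: Headers) -> str:
    """Classify what framing a response allows, judging from its headers alone.

    Returns "DENY", "SAMEORIGIN", or "ANY" when no valid X-Frame-Options is
    present. Browsers ignore unrecognised tokens, so those also count as ANY.
    Handy as a check over captured responses of pages that trigger actions.
    """
    for name, value in headers:
        if name.lower() == "x-frame-options":
            token = value.strip().upper()
            return token if token in ("DENY", "SAMEORIGIN") else "ANY"
    return "ANY"


def unprotected_app(environ, start_response):
    """Constructed sample app: an action page that sends no framing header."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body><form method='post'>run query</form></body></html>"]


def self_protected_app(environ, start_response):
    """Constructed sample app that already sets a stricter policy itself."""
    start_response("200 OK", [("content-type", "text/html"),
                              ("x-frame-options", "DENY")])
    return [b"<html><body>admin</body></html>"]


def call_wsgi(app: WsgiApp, path: str = "/") -> Tuple[str, Headers, bytes]:
    """Drive a WSGI app with a minimal constructed environ; return its response."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    cases = (
        ("unprotected", unprotected_app),
        ("wrapped", add_frame_protection(unprotected_app)),
        ("self-protected, wrapped", add_frame_protection(self_protected_app)),
    )
    for label, app in cases:
        _, headers, _ = call_wsgi(app)
        print(f"{label}: framing allowed by {frame_policy(headers)}")
```

Running the module prints the policy each sample app ends up advertising; the middleware never duplicates an existing header, which matters because two conflicting X-Frame-Options values are treated as invalid by browsers.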
[incubator-superset] branch master updated: Fix markup broken since cache related changes (#4396)

2018-02-09 Thread maximebeauchemin

maximebeauchemin pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-superset.git


The following commit(s) were added to refs/heads/master by this push:
 new ae7a9dc  Fix markup broken since cache related changes (#4396)
ae7a9dc is described below

commit ae7a9dc63da4f4190b777e3eb7bca5d5c1a77677
Author: Maxime Beauchemin 
AuthorDate: Fri Feb 9 15:55:45 2018 -0800

Fix markup broken since cache related changes (#4396)
---
 superset/viz.py | 9 ++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/superset/viz.py b/superset/viz.py
index 4ab345c..6149b6f 100644
--- a/superset/viz.py
+++ b/superset/viz.py
@@ -286,9 +286,12 @@ class BaseViz(object):
 def get_payload(self, query_obj=None):
 """Returns a payload of metadata and data"""
 payload = self.get_df_payload(query_obj)
-df = payload['df']
-if df is not None:
-payload['data'] = self.get_data(df)
+
+df = payload.get('df')
+if df is not None and len(df.index) == 0:
+raise Exception('No data')
+payload['data'] = self.get_data(df)
+
 del payload['df']
 return payload
 
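Review bot: the `df is not None` guard around the `get_data` call was dropped. Before, `payload['data'] = self.get_data(df)` ran only when `df` was not None; now the None case falls through the new check (`if df is not None and len(df.index) == 0:`) and `self.get_data(None)` is called unconditionally. Unless every `get_data` implementation handles None, keep the guard, e.g. `if df is not None: payload['data'] = self.get_data(df)`. Separately, raising a bare `Exception('No data')` is hard for callers to catch specifically; a dedicated exception type would make the empty-result case easier to handle upstream.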
