[incubator-superset] branch master updated: Add PeopleDoc in organizations list who use superset (#4178)
This is an automated email from the ASF dual-hosted git repository. graceguo pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/incubator-superset.git The following commit(s) were added to refs/heads/master by this push: new f9106f8 Add PeopleDoc in organizations list who use superset (#4178) f9106f8 is described below commit f9106f80fd20e8b7481ed7f01461fa5c0f08eb62 Author: Rodolphe Quiédeville AuthorDate: Sat Feb 10 00:11:29 2018 +0100 Add PeopleDoc in organizations list who use superset (#4178) --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 62d550b..0f3d12c 100644 --- a/README.md +++ b/README.md @@ -165,6 +165,7 @@ the world know they are using Superset. Join our growing community! - [Konfío](http://konfio.mx) - [Lyft](https://www.lyft.com/) - [Maieutical Labs](https://cloudschooling.it) + - [PeopleDoc](https://www.people-doc.com) - [Ona](https://ona.io) - [Pronto Tools](http://www.prontotools.io) - [Qunar](https://www.qunar.com/) -- To stop receiving notification emails like this one, please contact grace...@apache.org.
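Review bot: The new entry breaks the alphabetical order of the organizations list in this README.md hunk: `- [PeopleDoc](https://www.people-doc.com)` is inserted between Maieutical Labs and Ona, but it sorts after Ona and before Pronto Tools. Suggest moving the added line down one position so the list stays sorted.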
[incubator-superset] branch master updated: Fix 4 security vulnerabilities (#4390)
This is an automated email from the ASF dual-hosted git repository. maximebeauchemin pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/incubator-superset.git The following commit(s) were added to refs/heads/master by this push: new 4ff17ff Fix 4 security vulnerabilities (#4390) 4ff17ff is described below commit 4ff17ffc8de30c3813a81c80cf38d89d9da7a73d Author: David Dworken AuthorDate: Fri Feb 9 14:33:29 2018 -0800 Fix 4 security vulnerabilities (#4390) * Switched yaml.load to yaml.safe_load to prevent code execution via crafted yaml files Python's yaml.load can lead to code execution via crafted yaml files such as: ``` code_exec: !!python/object/apply:subprocess.check_output ['ls'] ``` * Fixed XSS via bleach It was possible to get an XSS via the markdown library via simply setting a description containing arbitrary HTML tags. It was also possible to create links that went to the `javascript:` link handler (eg `[example](javascript:alert(0)`) Using bleach to sanitize it solves both of these. * Added XFO header by default to prevent clickjacking attacks Note that with this application clickjacking can be relatively severe via the SQLLab functionality which allows executing arbitrary SQL. * Added justification for dangerouslySetInnerHTML * Fixed linting errors * Fixed linting errors --- setup.py | 1 + superset/assets/javascripts/dashboard/components/GridCell.jsx | 6 ++ superset/cli.py | 2 +- superset/config.py| 10 ++ superset/utils.py | 8 5 files changed, 22 insertions(+), 5 deletions(-) diff --git a/setup.py b/setup.py index df71d56..393af3b 100644 --- a/setup.py +++ b/setup.py @@ -80,6 +80,7 @@ setup( 'thrift>=0.9.3', 'thrift-sasl>=0.2.1', 'unidecode>=0.04.21', +'bleach==2.1.2', ], extras_require={ 'cors': ['Flask-Cors>=2.0.0'], diff --git a/superset/assets/javascripts/dashboard/components/GridCell.jsx b/superset/assets/javascripts/dashboard/components/GridCell.jsx index 4f7213d..2748fcc 100644 
--- a/superset/assets/javascripts/dashboard/components/GridCell.jsx +++ b/superset/assets/javascripts/dashboard/components/GridCell.jsx @@ -108,6 +108,12 @@ class GridCell extends React.PureComponent { annotationQuery={annotationQuery} /> +{ +/* This usage of dangerouslySetInnerHTML is safe since it is being used to render + markdown that is sanitized with bleach. See: + https://github.com/apache/incubator-superset/pull/4390 + and + https://github.com/apache/incubator-superset/commit/b6fcc22d5a2cb7a5e92599ed5795a0169385a825 */}
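Review bot: The setup.py hunk pins `'bleach==2.1.2'` to an exact version while every neighbouring entry in install_requires uses a lower bound (`'thrift>=0.9.3'`, `'unidecode>=0.04.21'`). An exact pin in install_requires keeps downstream environments from picking up later bleach security releases without a new Superset release and can conflict with other packages that need a different bleach version; `'bleach>=2.1.2'` follows the file's convention, with the exact pin kept in a requirements or lock file if reproducible installs are wanted.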
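Review bot: The justification comment in the GridCell.jsx hunk makes the safety of `dangerouslySetInnerHTML` depend on sanitization performed elsewhere (the diffstat lists superset/utils.py, whose hunk is not shown here), but it cites only a PR URL and a commit URL. Suggest naming the sanitizing function and its module directly in the comment so a future reader can verify that the value rendered here still passes through bleach; PR and commit links go stale and do not stop someone later wiring an unsanitized string into this prop.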
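The third bullet of the commit message above adds an X-Frame-Options header by default, but the config.py hunk that does so is not reproduced in this notification. As an added illustration (not Superset's own code) here is a stdlib-only WSGI middleware that attaches the header to every response unless the application already set one, plus a small driver that exercises it offline. `FrameOptionsMiddleware`, `plain_app`, `deny_app`, `run_request` and `frame_options_header` are hypothetical names chosen for this example.

```python
"""Added example: a WSGI middleware that sends X-Frame-Options by default.

Constructed for this page; it is not the change Superset made in config.py.
It shows the defence the commit message names: a default framing policy on
every response, so the site's pages cannot be embedded in a cross-origin
frame, while an endpoint that set its own policy keeps it.
"""

# Values the header accepts. ALLOW-FROM is obsolete and ignored by current
# browsers, so it is deliberately not offered here.
ALLOWED_FRAME_OPTIONS = ("DENY", "SAMEORIGIN")


class FrameOptionsMiddleware:
    """Wrap a WSGI app and add X-Frame-Options to every response.

    A header the wrapped application set itself is left untouched, so one
    endpoint can choose DENY while the rest of the site defaults to SAMEORIGIN.
    """

    def __init__(self, app, value="SAMEORIGIN"):
        if value not in ALLOWED_FRAME_OPTIONS:
            raise ValueError("X-Frame-Options must be one of %s" % (ALLOWED_FRAME_OPTIONS,))
        self.app = app
        self.value = value

    def __call__(self, environ, start_response):
        def start_response_with_xfo(status, headers, exc_info=None):
            headers = list(headers)
            # Header names are case-insensitive; only add ours if none is present.
            if not any(name.lower() == "x-frame-options" for name, _ in headers):
                headers.append(("X-Frame-Options", self.value))
            return start_response(status, headers, exc_info)

        return self.app(environ, start_response_with_xfo)


def plain_app(environ, start_response):
    """Sample app (constructed) that sets no framing policy of its own."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<p>dashboard</p>"]


def deny_app(environ, start_response):
    """Sample app (constructed) that opts into the stricter DENY policy itself."""
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("X-Frame-Options", "DENY"),
    ])
    return [b"<p>sql lab</p>"]


def run_request(app, path="/"):
    """Drive a WSGI app once with a minimal environ; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)
        return lambda data: None  # the write() callable, unused here

    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": path,
        "SERVER_NAME": "localhost",
        "SERVER_PORT": "80",
        "wsgi.url_scheme": "http",
    }
    result = app(environ, start_response)
    try:
        body = b"".join(result)
    finally:
        close = getattr(result, "close", None)
        if close is not None:
            close()
    return captured["status"], captured["headers"], body


def frame_options_header(app, path="/"):
    """Return the X-Frame-Options value `app` sends for `path`, or None if absent."""
    _, headers, _ = run_request(app, path)
    for name, value in headers:
        if name.lower() == "x-frame-options":
            return value
    return None


if __name__ == "__main__":
    print("plain app alone:   ", frame_options_header(plain_app))
    print("plain app wrapped: ", frame_options_header(FrameOptionsMiddleware(plain_app)))
    print("deny app wrapped:  ", frame_options_header(FrameOptionsMiddleware(deny_app)))
```

The middleware form is framework-neutral; in a Flask application the same default can be attached in an `after_request` handler instead. Whichever hook is used, the point of the commit message stands: a page that can execute arbitrary SQL on the user's behalf should never be embeddable by a third-party origin, so the header has to be on by default rather than opt-in.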
[incubator-superset] branch master updated: Fix markup broken since cache related changes (#4396)
This is an automated email from the ASF dual-hosted git repository. maximebeauchemin pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/incubator-superset.git The following commit(s) were added to refs/heads/master by this push: new ae7a9dc Fix markup broken since cache related changes (#4396) ae7a9dc is described below commit ae7a9dc63da4f4190b777e3eb7bca5d5c1a77677 Author: Maxime Beauchemin AuthorDate: Fri Feb 9 15:55:45 2018 -0800 Fix markup broken since cache related changes (#4396) --- superset/viz.py | 9 ++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/superset/viz.py b/superset/viz.py index 4ab345c..6149b6f 100644 --- a/superset/viz.py +++ b/superset/viz.py @@ -286,9 +286,12 @@ class BaseViz(object): def get_payload(self, query_obj=None): """Returns a payload of metadata and data""" payload = self.get_df_payload(query_obj) -df = payload['df'] -if df is not None: -payload['data'] = self.get_data(df) + +df = payload.get('df') +if df is not None and len(df.index) == 0: +raise Exception('No data') +payload['data'] = self.get_data(df) + del payload['df'] return payload -- To stop receiving notification emails like this one, please contact maximebeauche...@apache.org.
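Review bot: The rewritten `get_payload` in the viz.py hunk now calls `payload['data'] = self.get_data(df)` unconditionally, so `get_data` receives `None` whenever `payload.get('df')` finds no frame; the removed guard `if df is not None:` used to prevent exactly that, and every `get_data` implementation in the BaseViz subclasses that indexes the frame must now cope with `None`. Judging by the commit title this is intended for the markup viz, which needs no data, but it widens the contract for all viz types. Relatedly, `payload.get('df')` tolerates a missing key while the unchanged `del payload['df']` two lines later does not, so a payload without `'df'` raises KeyError after `get_data` has already run; either keep the None guard around `get_data` or use `payload.pop('df', None)`. A dedicated exception class in place of the bare `Exception('No data')` would also let callers tell an empty result apart from a genuine failure.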