mistercrunch closed pull request #4390: Fix 4 security vulnerabilities URL: https://github.com/apache/incubator-superset/pull/4390
This is a PR merged from a forked repository. As GitHub hides the original diff on merge, it is displayed below for the sake of provenance: As this is a foreign pull request (from a fork), the diff is supplied below (as it won't show otherwise due to GitHub magic):
diff --git a/setup.py b/setup.py
index df71d56212..393af3b5b8 100644
--- a/setup.py
+++ b/setup.py
@@ -80,6 +80,7 @@ def get_git_sha():
         'thrift>=0.9.3',
         'thrift-sasl>=0.2.1',
         'unidecode>=0.04.21',
+        'bleach==2.1.2',
     ],
     extras_require={
         'cors': ['Flask-Cors>=2.0.0'],
diff --git a/superset/assets/javascripts/dashboard/components/GridCell.jsx b/superset/assets/javascripts/dashboard/components/GridCell.jsx
index 4f7213d3b0..2748fccd9a 100644
--- a/superset/assets/javascripts/dashboard/components/GridCell.jsx
+++ b/superset/assets/javascripts/dashboard/components/GridCell.jsx
@@ -108,6 +108,12 @@ class GridCell extends React.PureComponent {
             annotationQuery={annotationQuery}
           />
         </div>
+        {
+          /* This usage of dangerouslySetInnerHTML is safe since it is being used to render
+          markdown that is sanitized with bleach. See:
+          https://github.com/apache/incubator-superset/pull/4390
+          and
+          https://github.com/apache/incubator-superset/commit/b6fcc22d5a2cb7a5e92599ed5795a0169385a825 */}
         <div
           className="slice_description bs-callout bs-callout-default"
           style={isExpanded ? {} : { display: 'none' }}
diff --git a/superset/cli.py b/superset/cli.py
index 89119efb69..5c1f608130 100755
--- a/superset/cli.py
+++ b/superset/cli.py
@@ -221,7 +221,7 @@ def import_datasources(path, sync, recursive=False):
                 with f.open() as data_stream:
                     dict_import_export_util.import_from_dict(
                         db.session,
-                        yaml.load(data_stream),
+                        yaml.safe_load(data_stream),
                         sync=sync_array)
             except Exception as e:
                 logging.error('Error when importing datasources from file %s', f)
diff --git a/superset/config.py b/superset/config.py
index 48c893abb2..6f3c3afe93 100644
--- a/superset/config.py
+++ b/superset/config.py
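Review bot: The new `'bleach==2.1.2',` entry in install_requires pins the sanitizer to one exact release, so a deployment will never pick up a later bleach security fix unless this line is edited, and an exact pin is the form most likely to collide with another package in the same environment that also depends on bleach. Because the markdown fix relies on bleach's escaping behaviour, bounding the version is defensible, but it should be a range rather than a single release, e.g. `'bleach>=2.1.2,<3',`, with a short comment saying the upper bound exists because the tag/attribute allowlist must be re-checked on a major bump. The install_requires list starts and ends outside the hunk.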
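Review bot: The added comment asserts that dangerouslySetInnerHTML is safe, but the prop itself and the value it receives are outside the hunk, so the comment is a claim about server-side behaviour (bleach runs in superset/utils.py, not in this component) that nothing here enforces. I would phrase it as a precondition rather than a guarantee, so a future change that feeds this div from another source is flagged in review: `/* Safe ONLY because the description HTML is produced server-side by superset.utils.markdown(), which runs bleach.clean(); never pass this prop raw user input or HTML from any other source. */`. The render body this sits in continues on both sides of the hunk.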
@@ -277,10 +277,12 @@ class CeleryConfig(object):
 SQL_CELERY_RESULTS_DB_FILE_PATH = os.path.join(DATA_DIR, 'celery_results.sqlite')
 # static http headers to be served by your Superset server.
-# The following example prevents iFrame from other domains
-# and "clickjacking" as a result
-# HTTP_HEADERS = {'X-Frame-Options': 'SAMEORIGIN'}
-HTTP_HEADERS = {}
+# This header prevents iFrames from other domains and
+# "clickjacking" as a result
+HTTP_HEADERS = {'X-Frame-Options': 'SAMEORIGIN'}
+# If you need to allow iframes from other domains (and are
+# aware of the risks), you can disable this header:
+# HTTP_HEADERS = {}
 # The db id here results in selecting this one as a default in SQL Lab
 DEFAULT_DB_ID = None
diff --git a/superset/utils.py b/superset/utils.py
index a5058b7522..42616e72a2 100644
--- a/superset/utils.py
+++ b/superset/utils.py
@@ -21,6 +21,7 @@
 import uuid
 import zlib
+import bleach
 import celery
 from dateutil.parser import parse
 from flask import flash, Markup, redirect, render_template, request, url_for
@@ -433,11 +434,18 @@ def error_msg_from_exception(e):
 def markdown(s, markup_wrap=False):
+    safe_markdown_tags = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'b', 'i',
+                          'strong', 'em', 'tt', 'p', 'br', 'span',
+                          'div', 'blockquote', 'code', 'hr', 'ul', 'ol',
+                          'li', 'dd', 'dt', 'img', 'a']
+    safe_markdown_attrs = {'img': ['src', 'alt', 'title'],
+                           'a': ['href', 'alt', 'title']}
     s = md.markdown(s or '', [
         'markdown.extensions.tables',
         'markdown.extensions.fenced_code',
         'markdown.extensions.codehilite',
     ])
+    s = bleach.clean(s, safe_markdown_tags, safe_markdown_attrs)
     if markup_wrap:
         s = Markup(s)
     return s
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
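Review bot: Making `HTTP_HEADERS = {'X-Frame-Options': 'SAMEORIGIN'}` the default is the right call, but the new comment only covers deployments that want to turn it off; the likelier failure is a superset_config.py that already sets `HTTP_HEADERS = {...}` for other headers and, if the override replaces this dict rather than merging with it (which the commented-out `HTTP_HEADERS = {}` example suggests), silently drops the clickjacking protection. I would add one line to the comment: `# NOTE: overriding HTTP_HEADERS in superset_config.py replaces this dict; re-add 'X-Frame-Options' there if you set other headers.` It is also worth pointing operators who embed dashboards at `Content-Security-Policy: frame-ancestors 'self' https://embedder.example`, which lets them allow specific origins instead of removing the protection entirely.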
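Review bot: The allowlist passed to `bleach.clean` does not match the three markdown extensions enabled just below it: `tables` emits `table`/`thead`/`tbody`/`tr`/`th`/`td`, `fenced_code` wraps its output in `pre`, and `codehilite` emits `div`/`span`/`code` carrying `class` attributes, none of which are permitted by `safe_markdown_tags`/`safe_markdown_attrs`. With bleach's default `strip=False` the disallowed tags are escaped rather than dropped, so a description that uses a table or a fenced code block now renders as literal `&lt;table&gt;` text; either remove the unused extensions or allow exactly what they emit. Allowing `class` is the one addition with a security trade-off (a description could apply any of the app's CSS classes to its own markup), so keep it off `a`/`img` and confine it to the codehilite wrappers; leaving `protocols` at bleach's default already keeps `javascript:`/`data:` out of `href`/`src`, but passing it explicitly makes that intent reviewable. Hoisting the two allowlists to module-level constants would also document the sanitisation policy in one place instead of burying it inside the function.
```python
# Tags/attributes that survive sanitisation. Keep in sync with the markdown
# extensions enabled in markdown() below (tables, fenced_code, codehilite).
SAFE_MARKDOWN_TAGS = [
    'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'b', 'i', 'strong', 'em', 'tt',
    'p', 'br', 'span', 'div', 'blockquote', 'code', 'pre', 'hr',
    'ul', 'ol', 'li', 'dd', 'dt', 'img', 'a',
    'table', 'thead', 'tbody', 'tr', 'th', 'td',
]
SAFE_MARKDOWN_ATTRS = {
    'img': ['src', 'alt', 'title'],
    'a': ['href', 'alt', 'title'],
    # codehilite styling only; 'class' is deliberately not allowed elsewhere
    'div': ['class'],
    'span': ['class'],
    'code': ['class'],
}


def markdown(s, markup_wrap=False):
    # … unchanged: md.markdown(...) call with the three extensions …
    s = bleach.clean(
        s,
        tags=SAFE_MARKDOWN_TAGS,
        attributes=SAFE_MARKDOWN_ATTRS,
        protocols=['http', 'https', 'mailto'],  # bleach's default, made explicit
    )
    # … unchanged: markup_wrap handling and return …
```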