mistercrunch closed pull request #4390: Fix 4 security vulnerabilities
URL: https://github.com/apache/incubator-superset/pull/4390
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git a/setup.py b/setup.py
index df71d56212..393af3b5b8 100644
--- a/setup.py
+++ b/setup.py
@@ -80,6 +80,7 @@ def get_git_sha():
'thrift>=0.9.3',
'thrift-sasl>=0.2.1',
'unidecode>=0.04.21',
+ 'bleach==2.1.2',
],
extras_require={
'cors': ['Flask-Cors>=2.0.0'],
diff --git a/superset/assets/javascripts/dashboard/components/GridCell.jsx
b/superset/assets/javascripts/dashboard/components/GridCell.jsx
index 4f7213d3b0..2748fccd9a 100644
--- a/superset/assets/javascripts/dashboard/components/GridCell.jsx
+++ b/superset/assets/javascripts/dashboard/components/GridCell.jsx
@@ -108,6 +108,12 @@ class GridCell extends React.PureComponent {
annotationQuery={annotationQuery}
/>
</div>
+ {
+ /* This usage of dangerouslySetInnerHTML is safe since it is being
used to render
+ markdown that is sanitized with bleach. See:
+ https://github.com/apache/incubator-superset/pull/4390
+ and
+
https://github.com/apache/incubator-superset/commit/b6fcc22d5a2cb7a5e92599ed5795a0169385a825
*/}
<div
className="slice_description bs-callout bs-callout-default"
style={isExpanded ? {} : { display: 'none' }}
diff --git a/superset/cli.py b/superset/cli.py
index 89119efb69..5c1f608130 100755
--- a/superset/cli.py
+++ b/superset/cli.py
@@ -221,7 +221,7 @@ def import_datasources(path, sync, recursive=False):
with f.open() as data_stream:
dict_import_export_util.import_from_dict(
db.session,
- yaml.load(data_stream),
+ yaml.safe_load(data_stream),
sync=sync_array)
except Exception as e:
logging.error('Error when importing datasources from file %s', f)
diff --git a/superset/config.py b/superset/config.py
index 48c893abb2..6f3c3afe93 100644
--- a/superset/config.py
+++ b/superset/config.py
@@ -277,10 +277,12 @@ class CeleryConfig(object):
SQL_CELERY_RESULTS_DB_FILE_PATH = os.path.join(DATA_DIR,
'celery_results.sqlite')
# static http headers to be served by your Superset server.
-# The following example prevents iFrame from other domains
-# and "clickjacking" as a result
-# HTTP_HEADERS = {'X-Frame-Options': 'SAMEORIGIN'}
-HTTP_HEADERS = {}
+# This header prevents iFrames from other domains and
+# "clickjacking" as a result
+HTTP_HEADERS = {'X-Frame-Options': 'SAMEORIGIN'}
+# If you need to allow iframes from other domains (and are
+# aware of the risks), you can disable this header:
+# HTTP_HEADERS = {}
# The db id here results in selecting this one as a default in SQL Lab
DEFAULT_DB_ID = None
diff --git a/superset/utils.py b/superset/utils.py
index a5058b7522..42616e72a2 100644
--- a/superset/utils.py
+++ b/superset/utils.py
@@ -21,6 +21,7 @@
import uuid
import zlib
+import bleach
import celery
from dateutil.parser import parse
from flask import flash, Markup, redirect, render_template, request, url_for
@@ -433,11 +434,18 @@ def error_msg_from_exception(e):
def markdown(s, markup_wrap=False):
+ safe_markdown_tags = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'b', 'i',
+ 'strong', 'em', 'tt', 'p', 'br', 'span',
+ 'div', 'blockquote', 'code', 'hr', 'ul', 'ol',
+ 'li', 'dd', 'dt', 'img', 'a']
+ safe_markdown_attrs = {'img': ['src', 'alt', 'title'],
+ 'a': ['href', 'alt', 'title']}
s = md.markdown(s or '', [
'markdown.extensions.tables',
'markdown.extensions.fenced_code',
'markdown.extensions.codehilite',
])
+ s = bleach.clean(s, safe_markdown_tags, safe_markdown_attrs)
if markup_wrap:
s = Markup(s)
return s
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
