superset-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From maximebeauche...@apache.org
Subject [incubator-superset] branch master updated: Fix 4 security vulnerabilities (#4390)
Date Fri, 09 Feb 2018 22:33:31 GMT
This is an automated email from the ASF dual-hosted git repository.

maximebeauchemin pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-superset.git


The following commit(s) were added to refs/heads/master by this push:
     new 4ff17ff  Fix 4 security vulnerabilities (#4390)
4ff17ff is described below

commit 4ff17ffc8de30c3813a81c80cf38d89d9da7a73d
Author: David Dworken <ddworken@snapchat.com>
AuthorDate: Fri Feb 9 14:33:29 2018 -0800

    Fix 4 security vulnerabilities (#4390)
    
    * Switched yaml.load to yaml.safe_load to prevent code execution via crafted yaml files
    
    Python's yaml.laod can lead to code execution via crafted yaml files such as:
    
    ```
    code_exec: !!python/object/apply:subprocess.check_output ['ls']
    ```
    
    * Fixed XSS via bleach
    
    It was possible to get an XSS via the markdown library via simply setting a description
containing arbitary HTML tags.
    It was also possible to create links that went to the `javascript:` link handler (eg `[example](javascript:alert(0)`)
    Using bleach to sanitize it solves both of these.
    
    * Added XFO header by default to prevent clickjacking attacks
    
    Note that with this application clickjacking can be relatively severe via the SQLLab functionality
    which allows executing arbitary SQL.
    
    * Added justification for dangerouslySetInnerHTML
    
    * Fixed linting errors
    
    * Fixed linting errors
---
 setup.py                                                      |  1 +
 superset/assets/javascripts/dashboard/components/GridCell.jsx |  6 ++++++
 superset/cli.py                                               |  2 +-
 superset/config.py                                            | 10 ++++++----
 superset/utils.py                                             |  8 ++++++++
 5 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/setup.py b/setup.py
index df71d56..393af3b 100644
--- a/setup.py
+++ b/setup.py
@@ -80,6 +80,7 @@ setup(
         'thrift>=0.9.3',
         'thrift-sasl>=0.2.1',
         'unidecode>=0.04.21',
+        'bleach==2.1.2',
     ],
     extras_require={
         'cors': ['Flask-Cors>=2.0.0'],
diff --git a/superset/assets/javascripts/dashboard/components/GridCell.jsx b/superset/assets/javascripts/dashboard/components/GridCell.jsx
index 4f7213d..2748fcc 100644
--- a/superset/assets/javascripts/dashboard/components/GridCell.jsx
+++ b/superset/assets/javascripts/dashboard/components/GridCell.jsx
@@ -108,6 +108,12 @@ class GridCell extends React.PureComponent {
             annotationQuery={annotationQuery}
           />
         </div>
+        {
+        /* This usage of dangerouslySetInnerHTML is safe since it is being used to render
+           markdown that is sanitized with bleach. See:
+             https://github.com/apache/incubator-superset/pull/4390
+           and
+             https://github.com/apache/incubator-superset/commit/b6fcc22d5a2cb7a5e92599ed5795a0169385a825
*/}
         <div
           className="slice_description bs-callout bs-callout-default"
           style={isExpanded ? {} : { display: 'none' }}
diff --git a/superset/cli.py b/superset/cli.py
index 89119ef..5c1f608 100755
--- a/superset/cli.py
+++ b/superset/cli.py
@@ -221,7 +221,7 @@ def import_datasources(path, sync, recursive=False):
             with f.open() as data_stream:
                 dict_import_export_util.import_from_dict(
                     db.session,
-                    yaml.load(data_stream),
+                    yaml.safe_load(data_stream),
                     sync=sync_array)
         except Exception as e:
             logging.error('Error when importing datasources from file %s', f)
diff --git a/superset/config.py b/superset/config.py
index 48c893a..6f3c3af 100644
--- a/superset/config.py
+++ b/superset/config.py
@@ -277,10 +277,12 @@ SQL_CELERY_DB_FILE_PATH = os.path.join(DATA_DIR, 'celerydb.sqlite')
 SQL_CELERY_RESULTS_DB_FILE_PATH = os.path.join(DATA_DIR, 'celery_results.sqlite')
 
 # static http headers to be served by your Superset server.
-# The following example prevents iFrame from other domains
-# and "clickjacking" as a result
-# HTTP_HEADERS = {'X-Frame-Options': 'SAMEORIGIN'}
-HTTP_HEADERS = {}
+# This header prevents iFrames from other domains and
+# "clickjacking" as a result
+HTTP_HEADERS = {'X-Frame-Options': 'SAMEORIGIN'}
+# If you need to allow iframes from other domains (and are
+# aware of the risks), you can disable this header:
+# HTTP_HEADERS = {}
 
 # The db id here results in selecting this one as a default in SQL Lab
 DEFAULT_DB_ID = None
diff --git a/superset/utils.py b/superset/utils.py
index a5058b7..42616e7 100644
--- a/superset/utils.py
+++ b/superset/utils.py
@@ -21,6 +21,7 @@ import sys
 import uuid
 import zlib
 
+import bleach
 import celery
 from dateutil.parser import parse
 from flask import flash, Markup, redirect, render_template, request, url_for
@@ -433,11 +434,18 @@ def error_msg_from_exception(e):
 
 
 def markdown(s, markup_wrap=False):
+    safe_markdown_tags = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'b', 'i',
+                          'strong', 'em', 'tt', 'p', 'br', 'span',
+                          'div', 'blockquote', 'code', 'hr', 'ul', 'ol',
+                          'li', 'dd', 'dt', 'img', 'a']
+    safe_markdown_attrs = {'img': ['src', 'alt', 'title'],
+                           'a': ['href', 'alt', 'title']}
     s = md.markdown(s or '', [
         'markdown.extensions.tables',
         'markdown.extensions.fenced_code',
         'markdown.extensions.codehilite',
     ])
+    s = bleach.clean(s, safe_markdown_tags, safe_markdown_attrs)
     if markup_wrap:
         s = Markup(s)
     return s

-- 
To stop receiving notification emails like this one, please contact
maximebeauchemin@apache.org.

Mime
View raw message