From commits-return-639-archive-asf-public=cust-asf.ponee.io@superset.incubator.apache.org Fri Feb 9 23:33:34 2018
Mailing-List: contact commits-help@superset.incubator.apache.org; run by ezmlm
Reply-To: dev@superset.incubator.apache.org
Delivered-To: mailing list commits@superset.incubator.apache.org
Date: Fri, 09 Feb 2018 22:33:31 +0000
To: "commits@superset.apache.org"
Subject: [incubator-superset] branch master updated: Fix 4 security vulnerabilities (#4390)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Message-ID: <151821561188.18660.881509049059401500@gitbox.apache.org>
From: maximebeauchemin@apache.org
X-Git-Host: gitbox.apache.org
X-Git-Repo: incubator-superset
X-Git-Refname: refs/heads/master
X-Git-Reftype: branch
X-Git-Oldrev: 1769804ffd8f8db0b42e0bd6271b52f19e36cff4
X-Git-Newrev: 4ff17ffc8de30c3813a81c80cf38d89d9da7a73d
X-Git-Rev: 4ff17ffc8de30c3813a81c80cf38d89d9da7a73d
X-Git-NotificationType: ref_changed_plus_diff
X-Git-Multimail-Version: 1.5.dev
Auto-Submitted: auto-generated

This is an automated email from the ASF dual-hosted git repository.

maximebeauchemin pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-superset.git

The following commit(s) were added to refs/heads/master by this push:
     new 4ff17ff  Fix 4 security vulnerabilities (#4390)
4ff17ff is described below

commit 4ff17ffc8de30c3813a81c80cf38d89d9da7a73d
Author: David Dworken
AuthorDate: Fri Feb 9 14:33:29 2018 -0800

    Fix 4 security vulnerabilities (#4390)
    
    * Switched yaml.load to yaml.safe_load to prevent code execution via crafted yaml files
    
    Python's yaml.load can lead to code execution via crafted yaml files such as:
    
    ```
    code_exec: !!python/object/apply:subprocess.check_output ['ls']
    ```
    
    * Fixed XSS via bleach
    
    It was possible to get an XSS via the markdown library via simply setting a description
    containing arbitrary HTML tags. It was also possible to create links that went to the
    `javascript:` link handler (eg `[example](javascript:alert(0))`). Using bleach to
    sanitize it solves both of these.
    
    * Added XFO header by default to prevent clickjacking attacks
    
    Note that with this application clickjacking can be relatively severe via the SQLLab
    functionality, which allows executing arbitrary SQL.
    
    * Added justification for dangerouslySetInnerHTML
    
    * Fixed linting errors
    
    * Fixed linting errors
---
 setup.py                                                      |  1 +
 superset/assets/javascripts/dashboard/components/GridCell.jsx |  6 ++++++
 superset/cli.py                                               |  2 +-
 superset/config.py                                            | 10 ++++++----
 superset/utils.py                                             |  8 ++++++++
 5 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/setup.py b/setup.py index df71d56..393af3b 100644 --- a/setup.py +++ b/setup.py @@ -80,6 +80,7 @@ setup( 'thrift>=0.9.3', 'thrift-sasl>=0.2.1', 'unidecode>=0.04.21', + 'bleach==2.1.2', ], extras_require={ 'cors': ['Flask-Cors>=2.0.0'], diff --git a/superset/assets/javascripts/dashboard/components/GridCell.jsx b/superset/assets/javascripts/dashboard/components/GridCell.jsx index 4f7213d..2748fcc 100644 --- a/superset/assets/javascripts/dashboard/components/GridCell.jsx +++ b/superset/assets/javascripts/dashboard/components/GridCell.jsx @@ -108,6 +108,12 @@ class GridCell extends React.PureComponent { annotationQuery={annotationQuery} /> + { + /* This usage of dangerouslySetInnerHTML is safe since it is being used to render + markdown that is sanitized with bleach. See: + https://github.com/apache/incubator-superset/pull/4390 + and + https://github.com/apache/incubator-superset/commit/b6fcc22d5a2cb7a5e92599ed5795a0169385a825 */}
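Review bot: the new dependency in the setup.py hunk is pinned exactly (`+ 'bleach==2.1.2',`) while every neighbouring entry in the same list uses a lower bound (`'thrift>=0.9.3'`, `'thrift-sasl>=0.2.1'`, `'unidecode>=0.04.21'`). An exact pin in install_requires prevents any other package in the environment from resolving a different bleach release and means a future bleach security fix cannot be picked up without a Superset release. If the pin is deliberate because the sanitizer's output must stay identical across deployments, say so in a comment next to it; otherwise a range such as `'bleach>=2.1.2,<3'` matches the surrounding style and still excludes older releases.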
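Review bot: the justification comment in the GridCell.jsx hunk states that the HTML "is sanitized with bleach" but points only at a PR and a commit hash, not at the code that performs the sanitizing, so a later contributor who adds a second producer of this markdown HTML has nothing in the file telling them which invariant they must preserve. Name the server-side function that applies bleach (the diffstat shows superset/utils.py gained it) and state that every value reaching this dangerouslySetInnerHTML has to pass through it; a commit hash goes stale on rebase and says nothing about the allowed tag and attribute list. As shown, the comment is inserted directly after the `annotationQuery={annotationQuery} />` element, so also confirm in the final file that it sits immediately above the prop it justifies rather than above the preceding element.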
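The first fix in the commit message, yaml.load versus yaml.safe_load, is easy to demonstrate end to end. The block below is an added example, not Superset code: it feeds the exact payload quoted in the commit message to the safe loader and shows it being refused, and uses a constructed payload with the same `!!python/object/apply:` tag but a side-effect-free callable (`builtins.sorted`) to show what the legacy `yaml.Loader` actually does with such a tag, without spawning a process. The config document is likewise constructed. It requires PyYAML.

```python
"""Added example (not Superset code): why yaml.load had to become yaml.safe_load.

PyYAML's unsafe loader honours the python/object/apply tag, which imports the
named module and calls the attribute with the supplied arguments. The safe
loader refuses any tag it does not know, so the same document raises instead.
"""
import yaml

# The exact payload quoted in the commit message. It is never passed to the
# unsafe loader in this file, because that would run `ls` on this machine.
PAYLOAD_FROM_COMMIT = "code_exec: !!python/object/apply:subprocess.check_output ['ls']\n"

# Constructed stand-in: same tag, harmless callable. The unsafe loader will
# execute builtins.sorted([3, 1, 2]) while building the document.
BENIGN_PAYLOAD = "code_exec: !!python/object/apply:builtins.sorted [[3, 1, 2]]\n"

# Constructed ordinary config data; both loaders accept this.
PLAIN_DOC = "database_uri: sqlite:///superset.db\nworkers: 4\n"


def load_unsafe(text):
    """Legacy behaviour: yaml.Loader constructs arbitrary Python objects from tags."""
    return yaml.load(text, Loader=yaml.Loader)


def load_safe(text):
    """The fix: plain YAML types only; unknown tags raise ConstructorError."""
    return yaml.safe_load(text)


def safe_load_rejects(text):
    """True when the safe loader refuses the document (the wanted outcome for crafted input)."""
    try:
        yaml.safe_load(text)
    except yaml.constructor.ConstructorError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe loader executed the tag:", load_unsafe(BENIGN_PAYLOAD))
    print("safe loader rejects the commit's payload:", safe_load_rejects(PAYLOAD_FROM_COMMIT))
    print("safe loader still parses plain config:", load_safe(PLAIN_DOC))
```

`yaml.Loader` is used rather than `yaml.UnsafeLoader` only because it exists in every PyYAML release; the two are equivalent for this tag. Any code path that must accept tagged objects from trusted files should construct an explicit loader with only the constructors it needs rather than falling back to the full loader.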
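The second fix routes markdown output through bleach before React injects it with dangerouslySetInnerHTML. Rather than re-implement a sanitizer, the added example below (not Superset's or bleach's code) is the acceptance check I would run over whatever the sanitizer emits: it walks an HTML fragment with the standard-library parser and reports anything outside a small allowlist. It covers both problems named in the commit message (arbitrary tags such as `<script>`, and links to the `javascript:` handler) and generalises to their obvious neighbours: inline event handlers, `data:` URLs, and schemes obfuscated with entities or embedded whitespace. The allowlists and the sample fragments are assumptions constructed for this example.

```python
"""Added example (not Superset code): an allowlist oracle for sanitized markdown HTML.

find_xss_sinks() returns a list of findings; an empty list means the fragment
contains only allowlisted tags, attributes and URL schemes.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlists for this example (not Superset's configuration).
ALLOWED_TAGS = {"a", "abbr", "b", "blockquote", "code", "em", "i", "li", "ol", "p", "strong", "ul"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "abbr": {"title"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
URL_ATTRS = {"href", "src", "action", "formaction"}


def _scheme(url):
    """Scheme of a URL the way a browser would read it, '' for relative URLs.

    Browsers drop ASCII whitespace and control bytes inside a URL, so
    'java\\tscript:alert(0)' still reaches the javascript: handler; strip
    those bytes and lower-case before parsing so the check cannot be bypassed.
    """
    cleaned = "".join(ch for ch in url if ord(ch) > 0x20).lower()
    return urlsplit(cleaned).scheme


class _SinkFinder(HTMLParser):
    # html.parser lower-cases tag/attribute names and decodes entities in
    # attribute values, so '&#9;' and '&colon;' are already resolved here.
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"disallowed tag <{tag}>")
            return
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.findings.append(f"event handler {name}= on <{tag}>")
            elif name not in ALLOWED_ATTRS.get(tag, set()):
                self.findings.append(f"disallowed attribute {name}= on <{tag}>")
            elif name in URL_ATTRS:
                scheme = _scheme(value)
                if scheme and scheme not in ALLOWED_SCHEMES:
                    self.findings.append(f"{scheme}: URL in {name}= on <{tag}>")


def find_xss_sinks(html):
    """Report everything in the fragment that the allowlist does not permit."""
    finder = _SinkFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed fragments: what a markdown renderer emits for malicious and benign descriptions.
SAMPLES = {
    "script tag": '<p>Hi <script>alert(0)</script></p>',
    "javascript link": '<a href="javascript:alert(0)">example</a>',
    "entity-obfuscated link": '<a href="java&#9;script:alert(0)">example</a>',
    "event handler": '<a href="https://example.com" onclick="alert(0)">ok</a>',
    "img onerror": '<img src=x onerror=alert(1)>',
    "clean": '<p>Hello <em>world</em> <a href="https://example.com" title="t">link</a></p>',
    "relative and mailto": '<a href="/dashboard/1">d</a> <a href="mailto:a@example.com">m</a>',
}

if __name__ == "__main__":
    for label, fragment in SAMPLES.items():
        print(f"{label}: {find_xss_sinks(fragment)}")
```

Run it over the sanitizer's actual output in a unit test, not over the raw markdown: the point is to catch a sanitizer configuration that is looser than intended (an extra allowed tag, a protocol allowlist that was widened) before it ships.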
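The third fix adds an X-Frame-Options header by default, which the commit message justifies by pointing at SQL Lab: a page that runs arbitrary SQL is exactly what a clickjacking overlay would target. The superset/config.py and superset/utils.py hunks are not reproduced above, so the block below does not claim to be how Superset wires the header. It is an added example, a stdlib-only WSGI middleware that applies the header (and the `frame-ancestors` CSP directive that current browsers prefer) to every response of a Flask-style application, lets an individual view override it explicitly, and includes a harness for checking the result. The inner `sqllab_stub` app is a constructed stand-in.

```python
"""Added example (not Superset code): anti-clickjacking headers as WSGI middleware."""
from wsgiref.util import setup_testing_defaults

# Default policy: only same-origin pages may frame the app.
FRAME_HEADERS = [
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Content-Security-Policy", "frame-ancestors 'self'"),
]


def anti_clickjacking(app, headers=FRAME_HEADERS):
    """Wrap a WSGI app so the framing headers are present on every response.

    A header the view already set under the same name wins, so a route that
    genuinely must be embeddable can opt out deliberately, per response,
    instead of the default being weakened for the whole application.
    """
    def wrapped(environ, start_response):
        def patched_start_response(status, response_headers, exc_info=None):
            present = {name.lower() for name, _ in response_headers}
            extra = [(n, v) for n, v in headers if n.lower() not in present]
            return start_response(status, response_headers + extra, exc_info)
        return app(environ, patched_start_response)
    return wrapped


def sqllab_stub(environ, start_response):
    """Constructed stand-in for a sensitive view such as SQL Lab."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<form>SELECT ...</form>"]


def deny_view(environ, start_response):
    """Constructed view that sets a stricter policy itself; the middleware must keep it."""
    start_response("200 OK", [("Content-Type", "text/html"), ("X-Frame-Options", "DENY")])
    return [b"<p>never framed</p>"]


def response_headers(app, path="/superset/sqllab"):
    """Invoke a WSGI app once; return (status, headers dict, body) for inspection."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    protected = anti_clickjacking(sqllab_stub)
    status, headers, _ = response_headers(protected)
    print(status, headers.get("X-Frame-Options"), headers.get("Content-Security-Policy"))
```

The verification step is the part worth copying: assert on the headers of a real response from the sensitive route, so a later refactor that drops the middleware from the app factory fails a test rather than silently re-exposing SQL Lab to framing.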