superset-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From grace...@apache.org
Subject [incubator-superset] branch master updated: [feature flag] Enforce csrf protection on explore_json endpoint (#7935)
Date Mon, 29 Jul 2019 23:23:07 GMT
This is an automated email from the ASF dual-hosted git repository.

graceguo pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-superset.git


The following commit(s) were added to refs/heads/master by this push:
     new 06d547f  [feature flag] Enforce csrf protection on explore_json endpoint (#7935)
06d547f is described below

commit 06d547fbace346f79dc3d8beb1fa2bfcd9125890
Author: Grace Guo <grace.guo@airbnb.com>
AuthorDate: Mon Jul 29 16:22:47 2019 -0700

    [feature flag] Enforce csrf protection on explore_json endpoint (#7935)
    
    also added a section for featured flags in http://superset.incubator.apache.org/installation.html
---
 docs/installation.rst  | 24 +++++++++++++++++++++++-
 superset/config.py     |  3 ++-
 superset/views/base.py |  8 ++++++++
 superset/views/core.py | 11 +++++++++--
 4 files changed, 42 insertions(+), 4 deletions(-)

diff --git a/docs/installation.rst b/docs/installation.rst
index d82f0f7..68bc5ce 100644
--- a/docs/installation.rst
+++ b/docs/installation.rst
@@ -667,7 +667,7 @@ DOMAIN SHARDING
 
 Chrome allows up to 6 open connections per domain at a time. When there are more
 than 6 slices in dashboard, a lot of time fetch requests are queued up and wait for
-next available socket. PR (`#5039 <https://github.com/apache/incubator-superset/pull/5039>`)
adds domain sharding to Superset,
+next available socket. `PR 5039 <https://github.com/apache/incubator-superset/pull/5039>`_
adds domain sharding to Superset,
 and this feature will be enabled by configuration only (by default Superset
 doesn't allow cross-domain request).
 
@@ -1161,3 +1161,25 @@ Then we can add this two lines to ``superset_config.py``:
 
   from custom_sso_security_manager import CustomSsoSecurityManager
   CUSTOM_SECURITY_MANAGER = CustomSsoSecurityManager
+
+Feature Flags
+---------------------------
+
+Because of a wide variety of users, Superset has some features that are not enabled by default.
For example, some users have stronger security restrictions, while some others may not. So
Superset allow users to enable or disable some features by config. For feature owners, you
can add optional functionalities in Superset, but will be only affected by a subset of users.
+
+You can enable or disable features with flag from ``superset_config.py``:
+
+.. code-block:: python
+
+     DEFAULT_FEATURE_FLAGS = {
+         'CLIENT_CACHE': False,
+         'ENABLE_EXPLORE_JSON_CSRF_PROTECTION': False
+     }
+
+Here is a list of flags and descriptions:
+
+* ENABLE_EXPLORE_JSON_CSRF_PROTECTION
+
+  * For some security concerns, you may need to enforce CSRF protection on all query request
to explore_json endpoint. In Superset, we use `flask-csrf <https://sjl.bitbucket.io/flask-csrf/>`_
add csrf protection for all POST requests, but this protection doesn't apply to GET method.
+
+  * When ENABLE_EXPLORE_JSON_CSRF_PROTECTION is set to true, your users cannot make GET request
to explore_json. The default value for this feature False (current behavior), explore_json
accepts both GET and POST request. See `PR 7935 <https://github.com/apache/incubator-superset/pull/7935>`_
for more details.
diff --git a/superset/config.py b/superset/config.py
index b676e51..01bc16a 100644
--- a/superset/config.py
+++ b/superset/config.py
@@ -204,7 +204,8 @@ LANGUAGES = {
 # will result in combined feature flags of { 'FOO': True, 'BAR': True, 'BAZ': True }
 DEFAULT_FEATURE_FLAGS = {
     # Experimental feature introducing a client (browser) cache
-    "CLIENT_CACHE": False
+    "CLIENT_CACHE": False,
+    "ENABLE_EXPLORE_JSON_CSRF_PROTECTION": False,
 }
 
 # A function that receives a dict of all feature flags
diff --git a/superset/views/base.py b/superset/views/base.py
index c82db76..37ba999 100644
--- a/superset/views/base.py
+++ b/superset/views/base.py
@@ -32,6 +32,7 @@ from flask_babel import gettext as __
 from flask_babel import lazy_gettext as _
 from flask_wtf.form import FlaskForm
 import simplejson as json
+from werkzeug.exceptions import HTTPException
 from wtforms.fields.core import Field, UnboundField
 import yaml
 
@@ -134,6 +135,13 @@ def handle_api_exception(f):
                 stacktrace=utils.get_stacktrace(),
                 status=e.status,
             )
+        except HTTPException as e:
+            logging.exception(e)
+            return json_error_response(
+                utils.error_msg_from_exception(e),
+                stacktrace=traceback.format_exc(),
+                status=e.code,
+            )
         except Exception as e:
             logging.exception(e)
             return json_error_response(
diff --git a/superset/views/core.py b/superset/views/core.py
index 558a30c..eaf7891 100755
--- a/superset/views/core.py
+++ b/superset/views/core.py
@@ -53,6 +53,7 @@ from superset import (
     db,
     event_logger,
     get_feature_flags,
+    is_feature_enabled,
     results_backend,
     security_manager,
     sql_lab,
@@ -1047,12 +1048,18 @@ class Superset(BaseSupersetView):
         payload = viz_obj.get_payload()
         return data_payload_response(*viz_obj.payload_json_and_has_error(payload))
 
+    EXPLORE_JSON_METHODS = ["POST"]
+    if not is_feature_enabled("ENABLE_EXPLORE_JSON_CSRF_PROTECTION"):
+        EXPLORE_JSON_METHODS.append("GET")
+
     @event_logger.log_this
     @api
     @has_access_api
     @handle_api_exception
-    @expose("/explore_json/<datasource_type>/<datasource_id>/", methods=["GET",
"POST"])
-    @expose("/explore_json/", methods=["GET", "POST"])
+    @expose(
+        "/explore_json/<datasource_type>/<datasource_id>/", methods=EXPLORE_JSON_METHODS
+    )
+    @expose("/explore_json/", methods=EXPLORE_JSON_METHODS)
     @etag_cache(CACHE_DEFAULT_TIMEOUT, check_perms=check_datasource_perms)
     def explore_json(self, datasource_type=None, datasource_id=None):
         """Serves all request that GET or POST form_data


Mime
View raw message