Posted to dev@superset.apache.org by GitBox <gi...@apache.org> on 2018/02/21 16:31:11 UTC

[GitHub] mistercrunch closed pull request #4400: Allowing config flag to turn off javascript controls

mistercrunch closed pull request #4400: Allowing config flag to turn off javascript controls
URL: https://github.com/apache/incubator-superset/pull/4400
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/superset/assets/javascripts/explore/components/ControlHeader.jsx b/superset/assets/javascripts/explore/components/ControlHeader.jsx
index bc474a6885..ce00a9d769 100644
--- a/superset/assets/javascripts/explore/components/ControlHeader.jsx
+++ b/superset/assets/javascripts/explore/components/ControlHeader.jsx
@@ -14,6 +14,7 @@ const propTypes = {
   onClick: PropTypes.func,
   hovered: PropTypes.bool,
   tooltipOnClick: PropTypes.func,
+  warning: PropTypes.string,
 };
 
 const defaultProps = {
@@ -75,6 +76,19 @@ export default class ControlHeader extends React.Component {
               {this.props.label}
             </span>
             {' '}
+            {(this.props.warning) &&
+              <span>
+                <OverlayTrigger
+                  placement="top"
+                  overlay={
+                    <Tooltip id={'error-tooltip'}>{this.props.warning}</Tooltip>
+                  }
+                >
+                  <i className="fa fa-exclamation-circle text-danger" />
+                </OverlayTrigger>
+                {' '}
+              </span>
+            }
             {(this.props.validationErrors.length > 0) &&
               <span>
                 <OverlayTrigger
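Review bot: The new tooltip hard-codes `id={'error-tooltip'}` at line 40; if the validationErrors tooltip that starts right below (its overlay is outside this hunk) uses the same id, a control that has both a warning and validation errors renders two elements with one DOM id, which is invalid markup and confuses anything that looks the tooltip up by id. Give the warning its own id, e.g. `<Tooltip id={'warning-tooltip'}>{this.props.warning}</Tooltip>`. The `warning` prop added in the propTypes hunk above has no entry in defaultProps as far as this diff shows; adding `warning: null,` there keeps the optional prop explicit. The render method continues outside the hunk.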
diff --git a/superset/assets/javascripts/explore/components/controls/TextAreaControl.jsx b/superset/assets/javascripts/explore/components/controls/TextAreaControl.jsx
index 3e968546a5..11c77a2cad 100644
--- a/superset/assets/javascripts/explore/components/controls/TextAreaControl.jsx
+++ b/superset/assets/javascripts/explore/components/controls/TextAreaControl.jsx
@@ -25,6 +25,7 @@ const propTypes = {
   offerEditInModal: PropTypes.bool,
   language: PropTypes.oneOf([null, 'json', 'html', 'sql', 'markdown', 'javascript']),
   aboveEditorSection: PropTypes.node,
+  readOnly: PropTypes.bool,
 };
 
 const defaultProps = {
@@ -34,6 +35,7 @@ const defaultProps = {
   minLines: 3,
   maxLines: 10,
   offerEditInModal: true,
+  readOnly: false,
 };
 
 export default class TextAreaControl extends React.Component {
@@ -57,6 +59,7 @@ export default class TextAreaControl extends React.Component {
           editorProps={{ $blockScrolling: true }}
           enableLiveAutocompletion
           value={this.props.value}
+          readOnly={this.props.readOnly}
         />
       );
     }
@@ -67,6 +70,7 @@ export default class TextAreaControl extends React.Component {
           placeholder={t('textarea')}
           onChange={this.onControlChange.bind(this)}
           value={this.props.value}
+          disabled={this.props.readOnly}
           style={{ height: this.props.height }}
         />
       </FormGroup>);
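Review bot: The plain-textarea branch uses `disabled={this.props.readOnly}` while the Ace editor branch two hunks above uses `readOnly`; a disabled control is greyed out and not focusable, so the user cannot even select and copy the existing text, whereas the prop name and the editor path promise read-only behaviour. Using `readOnly={this.props.readOnly}` on the FormControl keeps both render paths consistent with the prop's name. Either attribute is only a client-side hint: the value is still part of form_data, and the server-side FORM_DATA_KEY_BLACKLIST in views/core.py is what actually enforces the flag. Both render branches begin outside their hunks.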
diff --git a/superset/assets/javascripts/explore/stores/controls.jsx b/superset/assets/javascripts/explore/stores/controls.jsx
index ea0feaa378..561ab65d01 100644
--- a/superset/assets/javascripts/explore/stores/controls.jsx
+++ b/superset/assets/javascripts/explore/stores/controls.jsx
@@ -97,6 +97,11 @@ function jsFunctionControl(label, description, extraDescr = null, height = 100,
         {extraDescr}
       </div>
     ),
+    mapStateToProps: state => ({
+      warning: !state.common.conf.ENABLE_JAVASCRIPT_CONTROLS ?
+        t('This functionality is disabled in your environment for security reasons.') : null,
+      readOnly: !state.common.conf.ENABLE_JAVASCRIPT_CONTROLS,
+    }),
   };
 }
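Review bot: mapStateToProps treats a missing `state.common.conf.ENABLE_JAVASCRIPT_CONTROLS` as disabled (negating undefined yields true), which is the safe default, but nothing in the hunk says that the resulting read-only state is advisory only. A short comment makes the trust boundary explicit for the next maintainer: `// UX only: when the flag is off the server strips the js_* keys from form_data (FORM_DATA_KEY_BLACKLIST in views/core.py).` The warning string is built with `t()` inside mapStateToProps, so it is re-evaluated on every state change; hoisting it to a module-level constant would avoid that, though the cost is small. jsFunctionControl starts outside the hunk.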
 
diff --git a/superset/config.py b/superset/config.py
index 1ada471c6a..9e84c466b1 100644
--- a/superset/config.py
+++ b/superset/config.py
@@ -370,6 +370,12 @@ class CeleryConfig(object):
 # Interval between consecutive polls when using Hive Engine
 HIVE_POLL_INTERVAL = 5
 
+# Allow for javascript controls components
+# this enables programmers to customize certain charts (like the
+# geospatial ones) by inputing javascript in controls. This exposes
+# an XSS security vulnerability
+ENABLE_JAVASCRIPT_CONTROLS = False
+
 try:
     if CONFIG_PATH_ENV_VAR in os.environ:
         # Explicitly import config module that is not in pythonpath; useful
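Review bot: The comment on the new flag says the feature "exposes an XSS security vulnerability" but not what turning it on permits or what the default protects, and "inputing" is misspelled. Suggested wording: `# Allow the JavaScript control components (js_tooltip, js_onclick_href, js_data_mutator). When True, anyone who can edit a chart can supply JavaScript that is executed in the browsers of other users viewing it (stored XSS); when False the server strips these keys from form_data and the controls render read-only.` The default of False is the right one and should stay.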
diff --git a/superset/views/base.py b/superset/views/base.py
index a909ed078a..7e0edc476d 100644
--- a/superset/views/base.py
+++ b/superset/views/base.py
@@ -19,7 +19,10 @@
 from superset.connectors.sqla.models import SqlaTable
 from superset.translations.utils import get_language_pack
 
-FRONTEND_CONF_KEYS = ('SUPERSET_WEBSERVER_TIMEOUT',)
+FRONTEND_CONF_KEYS = (
+    'SUPERSET_WEBSERVER_TIMEOUT',
+    'ENABLE_JAVASCRIPT_CONTROLS',
+)
 
 
 def get_error_msg():
diff --git a/superset/views/core.py b/superset/views/core.py
index 46e1650682..e5a6bf052f 100755
--- a/superset/views/core.py
+++ b/superset/views/core.py
@@ -73,6 +73,14 @@
 else:
     DATASOURCE_ACCESS_ERR = __("You don't have access to this datasource")
 
+FORM_DATA_KEY_BLACKLIST = []
+if not config.get('ENABLE_JAVASCRIPT_CONTROLS'):
+    FORM_DATA_KEY_BLACKLIST = [
+        'js_tooltip',
+        'js_onclick_href',
+        'js_data_mutator',
+    ]
+
 
 def get_database_access_error_msg(database_name):
     return __('This view requires the database %(name)s or '
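Review bot: FORM_DATA_KEY_BLACKLIST is a denylist of three hard-coded names, so any JavaScript-accepting control added later is only hidden client-side unless someone remembers to extend this list, and the list is evaluated once at import time from config.get('ENABLE_JAVASCRIPT_CONTROLS'). A comment stating the maintenance obligation is the minimum: `# Every control that accepts JavaScript must be listed here; the client-side readOnly flag in controls.jsx is advisory only.` Declaring it as a frozenset (`FORM_DATA_KEY_BLACKLIST = frozenset()` and `frozenset({...})` in the branch) also prevents accidental mutation of a module-level list while keeping the `k not in` membership test below working.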
@@ -948,7 +956,10 @@ def get_form_data(self):
 
         if request.args.get('viz_type'):
             # Converting old URLs
-            d = cast_form_data(request.args)
+            d = cast_form_data(d)
+
+        d = {k: v for k, v in d.items() if k not in FORM_DATA_KEY_BLACKLIST}
+
         return d
 
     def get_viz(
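Review bot: The new filter line silently drops blacklisted keys, so a request that still carries js_* values while the flag is off leaves no trace in the logs; emitting a warning when a key is actually removed would make such requests visible to operators, e.g. `dropped = [k for k in FORM_DATA_KEY_BLACKLIST if k in d]` followed by a warning-level log of `dropped` before the comprehension. The filter only covers form_data that passes through get_form_data; if slice params stored in the database are read by another path at render time, js_* keys saved before the flag was turned off would reach the viz unfiltered, which is worth confirming. get_form_data starts outside the hunk.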


 
