You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@superset.apache.org by be...@apache.org on 2023/08/11 16:35:38 UTC

[superset] branch master updated: chore: rate limit requests (#24324)

This is an automated email from the ASF dual-hosted git repository.

beto pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/superset.git


The following commit(s) were added to refs/heads/master by this push:
     new 4bc46003b5 chore: rate limit requests (#24324)
4bc46003b5 is described below

commit 4bc46003b56e66c1a5af7b5ad50b869187623e7f
Author: Beto Dealmeida <ro...@dealmeida.net>
AuthorDate: Fri Aug 11 09:35:31 2023 -0700

    chore: rate limit requests (#24324)
---
 superset/config.py                              | 14 ++++++++++++++
 superset/dashboards/api.py                      |  2 +-
 superset/models/dashboard.py                    |  3 ++-
 superset/utils/dashboard_import_export.py       |  4 ++--
 superset/views/dashboard/views.py               |  2 +-
 tests/integration_tests/superset_test_config.py |  2 ++
 6 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/superset/config.py b/superset/config.py
index 75fda6eb37..0b70328e0b 100644
--- a/superset/config.py
+++ b/superset/config.py
@@ -266,6 +266,20 @@ PROXY_FIX_CONFIG = {"x_for": 1, "x_proto": 1, "x_host": 1, "x_port": 1, "x_prefi
 # Configuration for scheduling queries from SQL Lab.
 SCHEDULED_QUERIES: dict[str, Any] = {}
 
+# FAB Rate limiting: this is a security feature for preventing DDOS attacks. The
+# feature is on by default to make Superset secure by default, but you should
+# fine tune the limits to your needs. You can read more about the different
+# parameters here: https://flask-limiter.readthedocs.io/en/stable/configuration.html
+RATELIMIT_ENABLED = True
+RATELIMIT_APPLICATION = "50 per second"
+AUTH_RATE_LIMITED = True
+AUTH_RATE_LIMIT = "5 per second"
+# A storage location conforming to the scheme in storage-scheme. See the limits
+# library for allowed values: https://limits.readthedocs.io/en/stable/storage.html
+# RATELIMIT_STORAGE_URI = "redis://host:port"
+# A callable that returns the unique identity of the current request.
+# RATELIMIT_REQUEST_IDENTIFIER = flask.Request.endpoint
+
 # ------------------------------
 # GLOBALS FOR APP Builder
 # ------------------------------
diff --git a/superset/dashboards/api.py b/superset/dashboards/api.py
index 1602c8e2f9..b2aa43b0ee 100644
--- a/superset/dashboards/api.py
+++ b/superset/dashboards/api.py
@@ -817,7 +817,7 @@ class DashboardRestApi(BaseSupersetModelRestApi):
             Dashboard.id.in_(requested_ids)
         )
         query = self._base_filters.apply_all(query)
-        ids = [item.id for item in query.all()]
+        ids = {item.id for item in query.all()}
         if not ids:
             return self.response_404()
         export = Dashboard.export_dashboards(ids)
diff --git a/superset/models/dashboard.py b/superset/models/dashboard.py
index 719a6df8e4..f837c76610 100644
--- a/superset/models/dashboard.py
+++ b/superset/models/dashboard.py
@@ -373,7 +373,8 @@ class Dashboard(Model, AuditMixinNullable, ImportExportMixin):
 
     @classmethod
     def export_dashboards(  # pylint: disable=too-many-locals
-        cls, dashboard_ids: list[int]
+        cls,
+        dashboard_ids: set[int],
     ) -> str:
         copied_dashboards = []
         datasource_ids = set()
diff --git a/superset/utils/dashboard_import_export.py b/superset/utils/dashboard_import_export.py
index fc61d0a422..eef8cbe6df 100644
--- a/superset/utils/dashboard_import_export.py
+++ b/superset/utils/dashboard_import_export.py
@@ -27,8 +27,8 @@ def export_dashboards(session: Session) -> str:
     """Returns all dashboards metadata as a json dump"""
     logger.info("Starting export")
     dashboards = session.query(Dashboard)
-    dashboard_ids = []
+    dashboard_ids = set()
     for dashboard in dashboards:
-        dashboard_ids.append(dashboard.id)
+        dashboard_ids.add(dashboard.id)
     data = Dashboard.export_dashboards(dashboard_ids)
     return data
diff --git a/superset/views/dashboard/views.py b/superset/views/dashboard/views.py
index a96d56fc14..ce5e8f1e07 100644
--- a/superset/views/dashboard/views.py
+++ b/superset/views/dashboard/views.py
@@ -78,7 +78,7 @@ class DashboardModelView(
     @expose("/export_dashboards_form")
     def download_dashboards(self) -> FlaskResponse:
         if request.args.get("action") == "go":
-            ids = request.args.getlist("id")
+            ids = set(request.args.getlist("id"))
             return Response(
                 DashboardModel.export_dashboards(ids),
                 headers=generate_download_headers("json"),
diff --git a/tests/integration_tests/superset_test_config.py b/tests/integration_tests/superset_test_config.py
index 77e007a2dd..bcc3146083 100644
--- a/tests/integration_tests/superset_test_config.py
+++ b/tests/integration_tests/superset_test_config.py
@@ -97,6 +97,8 @@ REDIS_CELERY_DB = os.environ.get("REDIS_CELERY_DB", 2)
 REDIS_RESULTS_DB = os.environ.get("REDIS_RESULTS_DB", 3)
 REDIS_CACHE_DB = os.environ.get("REDIS_CACHE_DB", 4)
 
+RATELIMIT_ENABLED = False
+
 
 CACHE_CONFIG = {
     "CACHE_TYPE": "RedisCache",