Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2018/11/12 04:49:42 UTC

[GitHub] MaxCou opened a new issue #6369: Dashboard list source code leaking the entire list of users (through "Owners" filter)

URL: https://github.com/apache/incubator-superset/issues/6369

Make sure these boxes are checked before submitting your issue - thank you!

- [X] I have checked the superset logs for python stacktraces and included it here as text if there are any.
- [X] I have reproduced the issue with at least the latest released version of superset.
- [X] I have checked the issue tracker for the same issue and I haven't found one similar.

### Superset version

0.28.1

### Expected results
Source code of the Dashboard list containing the owner of the viewable dashboards only.

### Actual results
The source of the dashboard list webpages leaks all users created (because of the filter called "Owners"), regardless of the role assigned to the logged-in user.
That vulnerability might be exploited by an attacker to extract the list of all users in a multi-tenancy instance of Superset, for example.

### Steps to reproduce
Visit any dashboard list webpage, open the "page source" and find the list of all users under the section "new AdminFilters".
You can alternatively find that list by selecting the filter "Owners" and clicking on the "select value" field.


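As an added illustration (not code from the issue or from Superset itself), the report above can be modelled as an "Owners" filter builder that serialises every account into the page versus one scoped to the owners of dashboards the viewer is actually allowed to open; the visibility rule, the user and dashboard stand-ins and the sample tenancy below are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Set

# Constructed stand-ins for users, dashboards and ownership; these are not
# Superset's models, only a minimal model of the reported behaviour.
@dataclass(frozen=True)
class User:
    username: str
    roles: FrozenSet[str]

@dataclass(frozen=True)
class Dashboard:
    title: str
    owners: FrozenSet[User]
    allowed_roles: FrozenSet[str]  # assumption: role-scoped visibility

ADMIN_ROLE = "Admin"

def can_view(viewer: User, dash: Dashboard) -> bool:
    """Assumed visibility rule: admins see every dashboard; other users see
    dashboards they own or that are shared with one of their roles."""
    if ADMIN_ROLE in viewer.roles:
        return True
    return viewer in dash.owners or bool(viewer.roles & dash.allowed_roles)

def owner_options_unscoped(all_users: List[User], viewer: User) -> List[str]:
    """Reported behaviour: every account becomes a filter option in the
    page source, whatever the viewer's role (viewer is ignored)."""
    return sorted(u.username for u in all_users)

def owner_options_scoped(dashboards: List[Dashboard], viewer: User) -> List[str]:
    """Hardened form: only owners of dashboards the viewer may open."""
    visible = (d for d in dashboards if can_view(viewer, d))
    return sorted({o.username for d in visible for o in d.owners})

def disclosed_beyond_scope(all_users: List[User], dashboards: List[Dashboard],
                           viewer: User) -> Set[str]:
    """Usernames the unscoped filter exposes that the viewer has no
    legitimate reason to see; a non-empty result means the page leaks."""
    return set(owner_options_unscoped(all_users, viewer)) - set(
        owner_options_scoped(dashboards, viewer))

# Constructed sample tenancy: two tenants plus one administrator.
ADMIN = User("admin", frozenset({ADMIN_ROLE}))
ALICE = User("alice", frozenset({"Tenant_A"}))
BOB = User("bob", frozenset({"Tenant_A"}))
CAROL = User("carol", frozenset({"Tenant_B"}))
DAVE = User("dave", frozenset({"Tenant_B"}))
USERS = [ADMIN, ALICE, BOB, CAROL, DAVE]
DASHBOARDS = [
    Dashboard("Tenant A sales", frozenset({ALICE}), frozenset({"Tenant_A"})),
    Dashboard("Tenant B ops", frozenset({CAROL, DAVE}), frozenset({"Tenant_B"})),
    Dashboard("Shared KPIs", frozenset({BOB}), frozenset({"Tenant_A", "Tenant_B"})),
]
```

Running `disclosed_beyond_scope(USERS, DASHBOARDS, BOB)` on this sample returns the three accounts a Tenant_A user should never have been shown, which is the same check a regression test for the fix would make.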