Posted to commits@superset.apache.org by mi...@apache.org on 2019/06/01 01:28:17 UTC

[incubator-superset] 03/13: [security] Adding Flask-Talisman (#7443)

This is an automated email from the ASF dual-hosted git repository.

michellet pushed a commit to branch release--0.33
in repository https://gitbox.apache.org/repos/asf/incubator-superset.git

commit dbaa37f406926e532094e72d69f682e1713a6c2d
Author: John Bodley <45...@users.noreply.github.com>
AuthorDate: Mon May 13 17:08:24 2019 -0700

    [security] Adding Flask-Talisman (#7443)
    
    
    (cherry picked from commit a4392c8fcdb52fa4bc23c0bdeb6903b6e173e530)
---
 requirements.txt       |  4 +++-
 setup.py               |  1 +
 superset/__init__.py   |  3 +++
 superset/config.py     | 10 +++-------
 superset/views/core.py |  2 +-
 5 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/requirements.txt b/requirements.txt
index 1863a22..3076586 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -4,6 +4,7 @@
 #
 #    pip-compile --output-file requirements.txt setup.py
 #
+
 alembic==1.0.0            # via flask-migrate
 amqp==2.3.2               # via kombu
 apispec[yaml]==1.2.0      # via flask-appbuilder
@@ -32,6 +33,7 @@ flask-login==0.4.1        # via flask-appbuilder
 flask-migrate==2.1.1
 flask-openid==1.2.5       # via flask-appbuilder
 flask-sqlalchemy==2.3.2   # via flask-appbuilder, flask-migrate
+flask-talisman==0.6.0
 flask-wtf==0.14.2
 flask==1.0.2
 geopy==1.11.0
@@ -70,7 +72,7 @@ requests==2.20.0
 retry==0.9.2
 selenium==3.141.0
 simplejson==3.15.0
-six==1.11.0               # via bleach, cryptography, flask-jwt-extended, isodate, jsonschema, pathlib2, polyline, prison, pydruid, pyrsistent, python-dateutil, sqlalchemy-utils, wtforms-json
+six==1.11.0               # via bleach, cryptography, flask-jwt-extended, flask-talisman, isodate, jsonschema, pathlib2, polyline, prison, pydruid, pyrsistent, python-dateutil, sqlalchemy-utils, wtforms-json
 sqlalchemy-utils==0.32.21
 sqlalchemy==1.3.1
 sqlparse==0.2.4
diff --git a/setup.py b/setup.py
index b97b49a..b7ec596 100644
--- a/setup.py
+++ b/setup.py
@@ -80,6 +80,7 @@ setup(
         'flask-appbuilder>=2.0.0, <2.3.0',
         'flask-caching',
         'flask-compress',
+        'flask-talisman',
         'flask-migrate',
         'flask-wtf',
         'geopy',
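Review bot: `'flask-talisman'` is inserted between `'flask-compress'` and `'flask-migrate'`, which breaks the alphabetical order the surrounding install_requires entries follow; it belongs after `'flask-migrate'`. The entry is unpinned like its neighbours while requirements.txt pins 0.6.0, so the only version bound lives in the lock file — that matches the rest of this list, so no change needed, just noting where the pin is.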
diff --git a/superset/__init__.py b/superset/__init__.py
index c405c01..217d0a5 100644
--- a/superset/__init__.py
+++ b/superset/__init__.py
@@ -27,6 +27,7 @@ from flask_appbuilder import AppBuilder, IndexView, SQLA
 from flask_appbuilder.baseviews import expose
 from flask_compress import Compress
 from flask_migrate import Migrate
+from flask_talisman import Talisman
 from flask_wtf.csrf import CSRFProtect
 from werkzeug.contrib.fixers import ProxyFix
 import wtforms_json
@@ -228,6 +229,8 @@ def is_feature_enabled(feature):
 if conf.get('ENABLE_FLASK_COMPRESS'):
     Compress(app)
 
+Talisman(app, content_security_policy=None)
+
 # Hook that provides administrators a handle on the Flask APP
 # after initialization
 flask_app_mutator = app.config.get('FLASK_APP_MUTATOR')
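Review bot: `Talisman(app, content_security_policy=None)` is applied unconditionally and with Talisman's other defaults, which in Flask-Talisman include `force_https=True`, `strict_transport_security=True` and `session_cookie_secure=True`; as I recall, plain-HTTP requests are then redirected to HTTPS unless the app is in debug mode or the request carries `X-Forwarded-Proto: https`, which can break deployments behind a TLS-terminating proxy that does not forward the scheme (the file imports ProxyFix in the hunk above, so that may already be handled, but it is not visible here) and adds an HSTS header that is hard to retract once browsers have cached it. `Compress(app)` on the line above is gated on a config key, and Talisman should be too, with its keyword arguments sourced from config so operators can turn off `force_https` or restore a CSP: `if conf.get('TALISMAN_ENABLED', True):` / `    Talisman(app, **conf.get('TALISMAN_CONFIG', {'content_security_policy': None}))` (the config key names are a suggestion). The call should also carry a comment saying why the default CSP is disabled — presumably because Superset's inline scripts and styles would be blocked under Talisman's default policy, confirm — so a later reader knows it is deliberate rather than an oversight.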
diff --git a/superset/config.py b/superset/config.py
index 96ccb09..b1052fe 100644
--- a/superset/config.py
+++ b/superset/config.py
@@ -403,13 +403,9 @@ CELERY_CONFIG = CeleryConfig
 CELERY_CONFIG = None
 """
 
-# static http headers to be served by your Superset server.
-# This header prevents iFrames from other domains and
-# "clickjacking" as a result
-HTTP_HEADERS = {'X-Frame-Options': 'SAMEORIGIN'}
-# If you need to allow iframes from other domains (and are
-# aware of the risks), you can disable this header:
-# HTTP_HEADERS = {}
+# Additional static HTTP headers to be served by your Superset server. Note
+# Flask-Talisman aplies the relevant security HTTP headers.
+HTTP_HEADERS = {}
 
 # The db id here results in selecting this one as a default in SQL Lab
 DEFAULT_DB_ID = None
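Review bot: the added comment has a typo, `aplies` should be `applies`, and it drops the guidance the removed lines gave about iframes: an operator who previously set `HTTP_HEADERS = {}` to allow embedding from other domains no longer gets that effect, because `X-Frame-Options: SAMEORIGIN` now comes from Talisman's `frame_options` default rather than from this dict. The comment should say where that setting moved, e.g. `# Flask-Talisman now applies the security headers (including X-Frame-Options: SAMEORIGIN). To allow iframes from other domains (and you are aware of the risks), adjust Talisman's frame_options rather than this dict.` Whether an entry placed here can still override a header Talisman also sets depends on after_request ordering, so I would not document this dict as an override mechanism without testing it.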
diff --git a/superset/views/core.py b/superset/views/core.py
index d910923..019d400 100755
--- a/superset/views/core.py
+++ b/superset/views/core.py
@@ -3006,7 +3006,7 @@ appbuilder.add_separator('Sources')
 
 
 @app.after_request
-def apply_caching(response):
+def apply_http_headers(response):
     """Applies the configuration's http headers to all responses"""
     for k, v in config.get('HTTP_HEADERS').items():
         response.headers[k] = v