Posted to commits@superset.apache.org by mi...@apache.org on 2019/06/01 01:28:17 UTC
[incubator-superset] 03/13: [security] Adding Flask-Talisman (#7443)
This is an automated email from the ASF dual-hosted git repository.
michellet pushed a commit to branch release--0.33
in repository https://gitbox.apache.org/repos/asf/incubator-superset.git
commit dbaa37f406926e532094e72d69f682e1713a6c2d
Author: John Bodley <45...@users.noreply.github.com>
AuthorDate: Mon May 13 17:08:24 2019 -0700
[security] Adding Flask-Talisman (#7443)
(cherry picked from commit a4392c8fcdb52fa4bc23c0bdeb6903b6e173e530)
---
requirements.txt | 4 +++-
setup.py | 1 +
superset/__init__.py | 3 +++
superset/config.py | 10 +++-------
superset/views/core.py | 2 +-
5 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/requirements.txt b/requirements.txt
index 1863a22..3076586 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -4,6 +4,7 @@
#
# pip-compile --output-file requirements.txt setup.py
#
+
alembic==1.0.0 # via flask-migrate
amqp==2.3.2 # via kombu
apispec[yaml]==1.2.0 # via flask-appbuilder
@@ -32,6 +33,7 @@ flask-login==0.4.1 # via flask-appbuilder
flask-migrate==2.1.1
flask-openid==1.2.5 # via flask-appbuilder
flask-sqlalchemy==2.3.2 # via flask-appbuilder, flask-migrate
+flask-talisman==0.6.0
flask-wtf==0.14.2
flask==1.0.2
geopy==1.11.0
@@ -70,7 +72,7 @@ requests==2.20.0
retry==0.9.2
selenium==3.141.0
simplejson==3.15.0
-six==1.11.0 # via bleach, cryptography, flask-jwt-extended, isodate, jsonschema, pathlib2, polyline, prison, pydruid, pyrsistent, python-dateutil, sqlalchemy-utils, wtforms-json
+six==1.11.0 # via bleach, cryptography, flask-jwt-extended, flask-talisman, isodate, jsonschema, pathlib2, polyline, prison, pydruid, pyrsistent, python-dateutil, sqlalchemy-utils, wtforms-json
sqlalchemy-utils==0.32.21
sqlalchemy==1.3.1
sqlparse==0.2.4
diff --git a/setup.py b/setup.py
index b97b49a..b7ec596 100644
--- a/setup.py
+++ b/setup.py
@@ -80,6 +80,7 @@ setup(
'flask-appbuilder>=2.0.0, <2.3.0',
'flask-caching',
'flask-compress',
+ 'flask-talisman',
'flask-migrate',
'flask-wtf',
'geopy',
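Review bot: The new `'flask-talisman'` entry carries no version constraint, unlike the neighbouring `'flask-appbuilder>=2.0.0, <2.3.0'`, while requirements.txt in the same commit pins 0.6.0; for a package whose defaults decide which security headers and redirects every response gets, a floor such as `'flask-talisman>=0.6.0',` keeps `pip install` from resolving to an older release with different behaviour. The entry is also inserted between `'flask-compress'` and `'flask-migrate'`, breaking the alphabetical order the rest of the list follows; it belongs after `'flask-sqlalchemy'`-style entries, i.e. after `'flask-migrate'`. The enclosing `setup(` call starts outside the hunk.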
diff --git a/superset/__init__.py b/superset/__init__.py
index c405c01..217d0a5 100644
--- a/superset/__init__.py
+++ b/superset/__init__.py
@@ -27,6 +27,7 @@ from flask_appbuilder import AppBuilder, IndexView, SQLA
from flask_appbuilder.baseviews import expose
from flask_compress import Compress
from flask_migrate import Migrate
+from flask_talisman import Talisman
from flask_wtf.csrf import CSRFProtect
from werkzeug.contrib.fixers import ProxyFix
import wtforms_json
@@ -228,6 +229,8 @@ def is_feature_enabled(feature):
if conf.get('ENABLE_FLASK_COMPRESS'):
Compress(app)
+Talisman(app, content_security_policy=None)
+
# Hook that provides administrators a handle on the Flask APP
# after initialization
flask_app_mutator = app.config.get('FLASK_APP_MUTATOR')
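Review bot: `Talisman(app, content_security_policy=None)` is unconditional and not driven by configuration, so it applies Talisman's other defaults (forcing HTTPS redirects and setting HSTS and the secure session-cookie flag) to every deployment, including plain-HTTP development instances and installations that terminate TLS at a proxy and do not forward the scheme (the `ProxyFix` import at the top of the file suggests such setups are expected); the `Compress(app)` line just above shows the pattern to follow, e.g. `if conf.get('TALISMAN_ENABLED'): Talisman(app, **conf.get('TALISMAN_CONFIG', {}))` with the two keys (suggested names) documented in config.py. Disabling CSP with `content_security_policy=None` is a deliberate opt-out of the one header that mitigates injected scripts, and the line has no comment saying why; add one such as `# CSP disabled: presumably the UI still relies on inline scripts/styles -- TODO(review) confirm and reintroduce a policy`. These lines are module-level code; the `def is_feature_enabled` in the hunk header is only the nearest preceding definition.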
diff --git a/superset/config.py b/superset/config.py
index 96ccb09..b1052fe 100644
--- a/superset/config.py
+++ b/superset/config.py
@@ -403,13 +403,9 @@ CELERY_CONFIG = CeleryConfig
CELERY_CONFIG = None
"""
-# static http headers to be served by your Superset server.
-# This header prevents iFrames from other domains and
-# "clickjacking" as a result
-HTTP_HEADERS = {'X-Frame-Options': 'SAMEORIGIN'}
-# If you need to allow iframes from other domains (and are
-# aware of the risks), you can disable this header:
-# HTTP_HEADERS = {}
+# Additional static HTTP headers to be served by your Superset server. Note
+# Flask-Talisman aplies the relevant security HTTP headers.
+HTTP_HEADERS = {}
# The db id here results in selecting this one as a default in SQL Lab
DEFAULT_DB_ID = None
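Review bot: The new comment has a typo, `aplies` for `applies`, and it overstates what the companion change in superset/__init__.py does, since Talisman is initialised there with `content_security_policy=None`, so the Content-Security-Policy header is not among the headers it applies. The deleted text also explained that the frame header defends against clickjacking and could be dropped via `HTTP_HEADERS = {}`; that knob no longer works, because the `X-Frame-Options` header now comes from Talisman rather than from this dict, and operators who relied on it to embed dashboards in other origins should be told so here. Suggested wording: `# Additional static HTTP headers to be served by your Superset server. Flask-Talisman (see superset/__init__.py) already sets the security headers, including X-Frame-Options; to change those, adjust the Talisman initialisation rather than this dict.`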
diff --git a/superset/views/core.py b/superset/views/core.py
index d910923..019d400 100755
--- a/superset/views/core.py
+++ b/superset/views/core.py
@@ -3006,7 +3006,7 @@ appbuilder.add_separator('Sources')
@app.after_request
-def apply_caching(response):
+def apply_http_headers(response):
"""Applies the configuration's http headers to all responses"""
for k, v in config.get('HTTP_HEADERS').items():
response.headers[k] = v