Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2023/01/13 06:15:02 UTC

[GitHub] [superset] reidab opened a new issue, #22715: Helm chart overrides default WTF_CSRF_EXEMPT_LIST with blank array

reidab opened a new issue, #22715:
URL: https://github.com/apache/superset/issues/22715

   The default `config.py` includes a default value for `WTF_CSRF_EXEMPT_LIST` that excludes three endpoints from CSRF protection.
   
   https://github.com/apache/superset/blob/2ccdb72830ffb549c0112442ba0bc7e4219261d4/superset/config.py#L253-L257
   
   The `superset-config` helper in the Helm chart overrides this value to a blank array.
   
   https://github.com/apache/superset/blob/2ccdb72830ffb549c0112442ba0bc7e4219261d4/helm/superset/templates/_helpers.tpl#L89
   
   This causes newly-deployed Superset instances to throw CSRF errors on the `/superset/log` endpoint unless the Helm chart's config file is overridden to restore the default `WTF_CSRF_EXEMPT_LIST` entries.
   
   It seems like all of the `WTF_` related overrides from the Helm chart should be removed to allow the defaults to carry through.
   
   Or perhaps these three values should be excluded from CSRF protection in a more robust way than just by being config defaults? If Superset always needs them to be permitted in order for the endpoints to work, should users even be able to override that behavior?
   
   ### How to reproduce the bug
   
   1. Deploy a new instance of Superset using Helm
   2. Click around the UI a bit
   3. Notice requests to `/superset/log` in the console returning a 302 redirect to login and presenting CSRF errors in the logs.
   
   ### Expected results
   
   The default endpoints are excluded from CSRF protection
   
   ### Actual results
   
   CSRF errors occur on these endpoints.
   
   ```
   2023-01-13 05:29:14,936:INFO:flask_wtf.csrf:The CSRF token is missing.
   Refresh CSRF token error
   Traceback (most recent call last):
     File "/usr/local/lib/python3.8/site-packages/flask_wtf/csrf.py", line 256, in protect
       validate_csrf(self._get_csrf_token())
     File "/usr/local/lib/python3.8/site-packages/flask_wtf/csrf.py", line 91, in validate_csrf
       raise ValidationError('The CSRF token is missing.')
   wtforms.validators.ValidationError: The CSRF token is missing.
   
   During handling of the above exception, another exception occurred:
   
   Traceback (most recent call last):
     File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 1514, in full_dispatch_request
       rv = self.preprocess_request()
     File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 1857, in preprocess_request
       rv = self.ensure_sync(before_func)()
     File "/usr/local/lib/python3.8/site-packages/flask_wtf/csrf.py", line 224, in csrf_protect
       self.protect()
     File "/usr/local/lib/python3.8/site-packages/flask_wtf/csrf.py", line 259, in protect
       self._error_response(e.args[0])
     File "/usr/local/lib/python3.8/site-packages/flask_wtf/csrf.py", line 302, in _error_response
       raise CSRFError(reason)
   flask_wtf.csrf.CSRFError: 400 Bad Request: The CSRF token is missing.
   2023-01-13 05:29:14,936:WARNING:superset.views.base:Refresh CSRF token error
   Traceback (most recent call last):
     File "/usr/local/lib/python3.8/site-packages/flask_wtf/csrf.py", line 256, in protect
       validate_csrf(self._get_csrf_token())
     File "/usr/local/lib/python3.8/site-packages/flask_wtf/csrf.py", line 91, in validate_csrf
       raise ValidationError('The CSRF token is missing.')
   wtforms.validators.ValidationError: The CSRF token is missing.
   
   During handling of the above exception, another exception occurred:
   
   Traceback (most recent call last):
     File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 1514, in full_dispatch_request
       rv = self.preprocess_request()
     File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 1857, in preprocess_request
       rv = self.ensure_sync(before_func)()
     File "/usr/local/lib/python3.8/site-packages/flask_wtf/csrf.py", line 224, in csrf_protect
       self.protect()
     File "/usr/local/lib/python3.8/site-packages/flask_wtf/csrf.py", line 259, in protect
       self._error_response(e.args[0])
     File "/usr/local/lib/python3.8/site-packages/flask_wtf/csrf.py", line 302, in _error_response
       raise CSRFError(reason)
   flask_wtf.csrf.CSRFError: 400 Bad Request: The CSRF token is missing.
   10.17.0.1 - thedyrt [13/Jan/2023:05:29:14 +0000] "POST /superset/log/?explode=events HTTP/1.1" 302 220 "https://superset.thedyrt.dev/superset/explore/table/2/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36"
   ```
   
   ### Environment
   
   (please complete the following information):
   
   - browser type and version: Chrome 109
   - superset version: `2.0.1`
   - python version: `3.8.12`
   - node.js version: `16`
   - any feature flags active: n/a
   
   ### Checklist
   
   Make sure to follow these steps before submitting your issue - thank you!
   
   - [x] I have checked the superset logs for python stacktraces and included it here as text if there are any.
   - [x] I have reproduced the issue with at least the latest released version of superset.
   - [x] I have checked the issue tracker for the same issue and I haven't found one similar.
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org


[GitHub] [superset] craig-rueda closed issue #22715: Helm chart overrides default WTF_CSRF_EXEMPT_LIST with blank array

Posted by GitBox <gi...@apache.org>.
craig-rueda closed issue #22715: Helm chart overrides default WTF_CSRF_EXEMPT_LIST with blank array
URL: https://github.com/apache/superset/issues/22715




[GitHub] [superset] rusackas commented on issue #22715: Helm chart overrides default WTF_CSRF_EXEMPT_LIST with blank array

Posted by GitBox <gi...@apache.org>.
rusackas commented on issue #22715:
URL: https://github.com/apache/superset/issues/22715#issuecomment-1382136620

   Thanks for opening the PR to resolve this!!

