Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

security: disallow uuid package on jinja2 #10794

Merged
merged 3 commits into from
Sep 4, 2020

Conversation

dpgaspar
Copy link
Member

@dpgaspar dpgaspar commented Sep 4, 2020

SUMMARY

Disallow the use of the entire uuid python package.

There is a case to be made if we should disallow all packages completely. Checked all the other packages (used dir(datetime) for example) and found nothing relevant.

Safer to remove all packages and just allow "flat" functions, but this would result in a big loss of default functionality, for example on datetime. User's can always reenable these using JINJA_CONTEXT_ADDONS

ADDITIONAL INFORMATION

  • Has associated issue: #10785
  • Changes UI
  • Requires DB Migration.
  • Confirm DB Migration upgrade and downgrade tested.
  • Introduces new feature or API
  • Removes existing feature or API

@dpgaspar dpgaspar marked this pull request as ready for review September 4, 2020 14:36
Copy link
Member

@villebro villebro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, minor typo comment.

UPDATING.md Outdated Show resolved Hide resolved
@villebro villebro changed the title fix: disallow uuid package on jinja2 security: disallow uuid package on jinja2 Sep 4, 2020
Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>
@codecov-commenter
Copy link

codecov-commenter commented Sep 4, 2020

Codecov Report

Merging #10794 into master will increase coverage by 4.07%.
The diff coverage is n/a.

Impacted file tree graph

@@            Coverage Diff             @@
##           master   #10794      +/-   ##
==========================================
+ Coverage   61.22%   65.30%   +4.07%     
==========================================
  Files         802      802              
  Lines       37814    37816       +2     
  Branches     3555     3555              
==========================================
+ Hits        23153    24695    +1542     
+ Misses      14475    13012    -1463     
+ Partials      186      109      -77     
Flag Coverage Δ
#cypress 55.36% <ø> (?)
#javascript 61.60% <ø> (ø)
#python 61.01% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
superset/extensions.py 95.65% <ø> (ø)
...src/components/FilterableTable/FilterableTable.tsx 81.77% <0.00%> (-0.41%) ⬇️
...ontend/src/components/ListView/TableCollection.tsx 100.00% <0.00%> (ø)
superset-frontend/src/SqlLab/actions/sqlLab.js 60.25% <0.00%> (+0.64%) ⬆️
...erset-frontend/src/SqlLab/components/SqlEditor.jsx 52.12% <0.00%> (+1.21%) ⬆️
...ashboard/components/gridComponents/ChartHolder.jsx 79.16% <0.00%> (+1.38%) ⬆️
superset-frontend/src/utils/common.js 68.65% <0.00%> (+1.49%) ⬆️
...perset-frontend/src/components/CopyToClipboard.jsx 36.36% <0.00%> (+1.51%) ⬆️
...rset-frontend/src/explore/components/SaveModal.jsx 92.30% <0.00%> (+1.53%) ⬆️
...hboard/components/resizable/ResizableContainer.jsx 71.87% <0.00%> (+1.56%) ⬆️
... and 155 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 5199423...281b6a5. Read the comment docs.

@dpgaspar dpgaspar merged commit f685825 into apache:master Sep 4, 2020
@dpgaspar dpgaspar deleted the fix/disallow-uuid-jinja2 branch September 4, 2020 15:37
villebro added a commit to preset-io/superset that referenced this pull request Sep 4, 2020
* fix: disallow uuid package on jinja2

* update UPDATING.md

* Update UPDATING.md

Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>

Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>
villebro added a commit that referenced this pull request Sep 5, 2020
* fix: disallow uuid package on jinja2

* update UPDATING.md

* Update UPDATING.md

Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>

Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>
villebro added a commit that referenced this pull request Sep 5, 2020
* fix: disallow uuid package on jinja2

* update UPDATING.md

* Update UPDATING.md

Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>

Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>
amitmiran137 pushed a commit to ofekisr/incubator-superset that referenced this pull request Sep 7, 2020
…boards_permissions

* upstream/master: (32 commits)
  docs: Add a note to contributing.md on reporting security vulnerabilities (apache#10796)
  Fix: Include RLS filters for cache keys (apache#10805)
  feat: filters for database list view (apache#10772)
  fix: MVC show saved query (apache#10781)
  added creator column and adjusted order columns (apache#10789)
  security: disallow uuid package on jinja2 (apache#10794)
  feat: CRUD REST API for saved queries (apache#10777)
  fix: disable domain sharding on explore view (apache#10787)
  fix: can not type `0.05` in `TextControl` (apache#10778)
  fix: pivot table timestamp grouping (apache#10774)
  fix: add validator information to email/slack alerts (apache#10762)
  More Label touchups (margins) (apache#10722)
  fix: dashboard extra filters (apache#10692)
  fix: re-installing local superset in cache image (apache#10766)
  feat: SIP-34 table list view for databases (apache#10705)
  refactor: convert DatasetList schema filter to use new distinct api (apache#10746)
  chore: removing fsevents dependency (apache#10751)
  Fix precommit hook for docs/installation.rst (apache#10759)
  feat(database): POST, PUT, DELETE API endpoints (apache#10741)
  docs: Update OAuth configuration in installation.rst (apache#10748)
  ...
@dpgaspar dpgaspar added the v0.38 label Sep 10, 2020
dpgaspar added a commit to preset-io/superset that referenced this pull request Sep 10, 2020
* fix: disallow uuid package on jinja2

* update UPDATING.md

* Update UPDATING.md

Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>

Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>
villebro added a commit to preset-io/superset that referenced this pull request Sep 11, 2020
* fix: disallow uuid package on jinja2

* update UPDATING.md

* Update UPDATING.md

Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>

Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>
villebro added a commit that referenced this pull request Sep 11, 2020
* fix: disallow uuid package on jinja2

* update UPDATING.md

* Update UPDATING.md

Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>

Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>
auxten pushed a commit to auxten/incubator-superset that referenced this pull request Nov 20, 2020
* fix: disallow uuid package on jinja2

* update UPDATING.md

* Update UPDATING.md

Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>

Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>
@geido geido added .security and removed security labels Feb 10, 2022
cccs-rc pushed a commit to CybercentreCanada/superset that referenced this pull request Mar 6, 2024
* fix: disallow uuid package on jinja2

* update UPDATING.md

* Update UPDATING.md

Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>

Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>
@mistercrunch mistercrunch added 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels 🚢 0.38.0 labels Mar 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels size/S v0.37 v0.37.1 v0.38 🍒 0.37.1 🍒 0.37.2 🚢 0.38.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants