Fix 4 security vulnerabilities (#4390)

mirror of https://github.com/apache/superset.git synced 2026-04-19 08:04:53 +00:00

* Switched yaml.load to yaml.safe_load to prevent code execution via crafted yaml files

Python's yaml.laod can lead to code execution via crafted yaml files such as:

```
code_exec: !!python/object/apply:subprocess.check_output ['ls']
```

* Fixed XSS via bleach

It was possible to get an XSS via the markdown library via simply setting a description containing arbitary HTML tags.
It was also possible to create links that went to the `javascript:` link handler (eg `[example](javascript:alert(0)`)
Using bleach to sanitize it solves both of these.

* Added XFO header by default to prevent clickjacking attacks

Note that with this application clickjacking can be relatively severe via the SQLLab functionality
which allows executing arbitary SQL.

* Added justification for dangerouslySetInnerHTML

* Fixed linting errors

* Fixed linting errors

This commit is contained in:

David Dworken

2018-02-09 14:33:29 -08:00

committed by

Maxime Beauchemin

parent 1769804ffd

commit 4ff17ffc8d

5 changed files with 22 additions and 5 deletions

									
										1

setup.py
									
												View File
												
				@@ -80,6 +80,7 @@ setup(

				        'thrift>=0.9.3',

				        'thrift-sasl>=0.2.1',

				        'unidecode>=0.04.21',

				        'bleach==2.1.2',

				    ],

				    extras_require={

				        'cors': ['Flask-Cors>=2.0.0'],

Fix 4 security vulnerabilities (#4390)

1 setup.py Unescape Escape View File

1

setup.py

View File