Fix 4 security vulnerabilities (#4390)

* Switched yaml.load to yaml.safe_load to prevent code execution via crafted yaml files

Python's yaml.load can lead to code execution via crafted yaml files such as:

```yaml
code_exec: !!python/object/apply:subprocess.check_output ['ls']
```

* Fixed XSS via bleach

It was possible to get an XSS via the markdown library by simply setting a description containing arbitrary HTML tags.
It was also possible to create links that went to the `javascript:` link handler (e.g. `[example](javascript:alert(0))`).
Using bleach to sanitize it solves both of these.

* Added XFO header by default to prevent clickjacking attacks

Note that with this application clickjacking can be relatively severe via the SQLLab functionality,
which allows executing arbitrary SQL.

* Added justification for dangerouslySetInnerHTML

* Fixed linting errors

* Fixed linting errors
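The yaml.load versus yaml.safe_load difference that the commit message describes, as an added example that is not part of this commit or of Superset; it assumes PyYAML is installed and uses a constructed payload modelled on the one quoted above:

```python
# Added example (not from the commit): assumes PyYAML is installed.
import yaml
from yaml.constructor import ConstructorError

# Constructed payload mirroring the commit message. The !!python/object/apply
# tag asks the full (unsafe) loader to import subprocess and call
# check_output(['ls']) while *parsing* the document, i.e. before the
# application ever looks at the resulting dict.
CRAFTED = "code_exec: !!python/object/apply:subprocess.check_output ['ls']\n"
BENIGN = "database: superset\nport: 5432\n"


def parse_untrusted_yaml(text):
    """Parse YAML that may come from a user-supplied file.

    safe_load only knows the standard YAML tags (str, int, float, bool,
    list, map, ...), so Python-specific tags such as !!python/object/apply
    are rejected with a ConstructorError instead of being executed.
    Never call yaml.load(text, Loader=yaml.Loader) on such input.
    """
    return yaml.safe_load(text)


def is_rejected(text):
    """True if the safe loader refuses the document (no code runs either way)."""
    try:
        yaml.safe_load(text)
    except ConstructorError:
        return True
    return False


if __name__ == "__main__":
    print("crafted rejected:", is_rejected(CRAFTED))   # True
    print("benign parsed:", parse_untrusted_yaml(BENIGN))
```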
David Dworken
2018-02-09 14:33:29 -08:00
committed by Maxime Beauchemin
parent 1769804ffd
commit 4ff17ffc8d
5 changed files with 22 additions and 5 deletions


@@ -108,6 +108,12 @@ class GridCell extends React.PureComponent {
annotationQuery={annotationQuery}
/>
</div>
{
/* This usage of dangerouslySetInnerHTML is safe since it is being used to render
markdown that is sanitized with bleach. See:
https://github.com/apache/incubator-superset/pull/4390
and
https://github.com/apache/incubator-superset/commit/b6fcc22d5a2cb7a5e92599ed5795a0169385a825 */}
<div
className="slice_description bs-callout bs-callout-default"
style={isExpanded ? {} : { display: 'none' }}
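Review bot: the justification comment in this hunk asserts that the rendered markdown "is sanitized with bleach", but nothing visible here ties the value passed to dangerouslySetInnerHTML to that sanitizing code path; name the backend field and the function that runs bleach on it in the comment so a later change to how the description is produced cannot silently reintroduce the XSS. The two URLs are useful history, but a pointer to the sanitizer itself is what a future reader of this component needs.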