When receiving a VARBINARY field out of Presto, it shows up as type
`bytes` out of the pyhive driver. Then the pre 3.15 version of
simplejson attempts to convert it to utf8 by default and it craps out.
I bumped to simplejson>=3.25.0 and set `encoding=None` as documented
here
https://simplejson.readthedocs.io/en/latest/#basic-usage so that we can
handle bytes on our own.
It appears the officially maintained fork of flask-cache is
flask-caching https://github.com/sh4nks/flask-caching . It is fully
compatible with flask-cache.
* move access permissions methods to security manager
* consolidate all security methods into SupersetSecurityManager
* update security method calls
* update calls from tests
* move get_or_create_main_db to utils
* raise if supersetsecuritymanager is not extended
* rename sm to security_manager
* [Explore] Save url parameters when user save slices
* remove print
(cherry picked from commit bd9ecbe)
* add unit test
(cherry picked from commit 0f350ad)
* wrapping all request params into url_params
(cherry picked from commit 17197c1)
* Switched yaml.load to yaml.safe_load to prevent code execution via crafted yaml files
Python's yaml.laod can lead to code execution via crafted yaml files such as:
```
code_exec: !!python/object/apply:subprocess.check_output ['ls']
```
* Fixed XSS via bleach
It was possible to get an XSS via the markdown library via simply setting a description containing arbitary HTML tags.
It was also possible to create links that went to the `javascript:` link handler (eg `[example](javascript:alert(0)`)
Using bleach to sanitize it solves both of these.
* Added XFO header by default to prevent clickjacking attacks
Note that with this application clickjacking can be relatively severe via the SQLLab functionality
which allows executing arbitary SQL.
* Added justification for dangerouslySetInnerHTML
* Fixed linting errors
* Fixed linting errors
Funky datatypes in some databases like BLOBs will have the DBAPI return
python types that can't be serialized to JSON out of the box.
Currently, when this happens SQL Lab fails in a bad way with a gigantic
HTML error message.
This allows specifying a pessimistic JSON serializer handler that will
simply show "Unserializable [type]"
* Feature: added datepicker and time granularity options to dashboard filter
* Added option for Druid datasource time filters
* added more checkbox control over dashboard time filters
parse_human_datetime parses date-only strings, e.g. "today", returning the correct date but time set at 9am. This is an internal implementation in parsedatetime. This patch resets to midnight. If time is specified and parsed, it is correctly returned.
* sql_lab.py: compress via utils
* utils.py: added zlib_compress and zlib_compress_to_string
* core.py: converted to use zlib_decompress_to_string; renamed uncompress to decompress in utils.py
* utils_tests.py: added test for compress/decompress
* fixed broken utils test; removed redundant code and empty lines from utils.py
* utils.py: corrected docstrings, removed unnecessary 'else'
* removed yet another superfluous else
