QT/superset2
1
0
Fork 0
mirror of https://github.com/apache/superset.git synced 2026-04-18 23:55:00 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
4ff17ffc8de30c3813a81c80cf38d89d9da7a73d
superset2/superset
History
David Dworken 4ff17ffc8d Fix 4 security vulnerabilities (#4390) 
* Switched yaml.load to yaml.safe_load to prevent code execution via crafted yaml files

Python's yaml.laod can lead to code execution via crafted yaml files such as:

```
code_exec: !!python/object/apply:subprocess.check_output ['ls']
```

* Fixed XSS via bleach

It was possible to get an XSS via the markdown library via simply setting a description containing arbitary HTML tags.
It was also possible to create links that went to the `javascript:` link handler (eg `[example](javascript:alert(0)`)
Using bleach to sanitize it solves both of these.

* Added XFO header by default to prevent clickjacking attacks

Note that with this application clickjacking can be relatively severe via the SQLLab functionality
which allows executing arbitary SQL.

* Added justification for dangerouslySetInnerHTML

* Fixed linting errors

* Fixed linting errors
2018-02-09 14:33:29 -08:00
..
assets
Fix 4 security vulnerabilities (#4390)
2018-02-09 14:33:29 -08:00
bin
fix unicode issues (#2308 #2282) (#2401)
2017-03-14 09:53:31 -07:00
connectors
Use the query_obj as the basis for the cache key (#4260)
2018-01-28 09:46:13 -08:00
data
Add hour grain to Sqlite (#4333)
2018-02-07 14:07:15 -08:00
db_engines
[flake8] Resolving Q??? errors (#3847)
2017-11-13 21:06:51 -08:00
migrations
[annotations] Fixing migration for annotation layers (#4187)
2018-01-10 08:50:05 -08:00
models
Fix caching issues (#4316)
2018-02-07 14:49:19 -08:00
static
Rremove unused symlinks (#1736)
2016-12-01 19:52:46 -08:00
templates
Always use fluid container for navbar. (#4279)
2018-01-24 08:55:57 -08:00
translations
Hanization (#4126)
2018-01-12 08:11:37 -08:00
views
Add permission checks to save_or_overwrite_slice (#4346)
2018-02-08 16:40:46 -08:00
__init__.py
[FAB] configuring updating of permissions (#4172)
2018-01-08 14:39:18 -08:00
cache_util.py
[flake8] Resolve I??? errors (#3797)
2017-11-07 20:23:40 -08:00
cli.py
Fix 4 security vulnerabilities (#4390)
2018-02-09 14:33:29 -08:00
config.py
Fix 4 security vulnerabilities (#4390)
2018-02-09 14:33:29 -08:00
dataframe.py
Workaround pandas bug in datetimes with time zones (#3910)
2017-11-20 08:33:18 -08:00
db_engine_specs.py
Superset issue #4323 (#4353)
2018-02-07 21:29:31 -08:00
dict_import_export_util.py
Adding YAML Import-Export for Datasources to CLI (#3978)
2017-12-05 11:14:52 -08:00
extract_table_names.py
[flake8] Resolve I??? errors (#3797)
2017-11-07 20:23:40 -08:00
forms.py
Refactor import csv (#4298)
2018-02-03 20:22:06 -08:00
import_util.py
[flake8] Resolve I??? errors (#3797)
2017-11-07 20:23:40 -08:00
jinja_context.py
[flake8] Resolve I??? errors (#3797)
2017-11-07 20:23:40 -08:00
legacy.py
[flake8] Resolving Q??? errors (#3847)
2017-11-13 21:06:51 -08:00
security.py
[cli] permission cleanup on 'superset init' (#4241)
2018-02-03 20:12:45 -08:00
sql_lab.py
[BUGFIX]: Check datatype of results before converting to DataFrame (#4108)
2018-01-23 20:58:06 -08:00
sql_parse.py
[flake8] Resolving Q??? errors (#3847)
2017-11-13 21:06:51 -08:00
stats_logger.py
[flake8] Resolving Q??? errors (#3847)
2017-11-13 21:06:51 -08:00
utils.py
Fix 4 security vulnerabilities (#4390)
2018-02-09 14:33:29 -08:00
viz.py
Minor fixes to sunburst (#4349)
2018-02-09 14:27:22 -08:00