Skip to content

security: disallow uuid package on jinja2#10794

Merged
dpgaspar merged 3 commits into
apache:masterfrom
preset-io:fix/disallow-uuid-jinja2
Sep 4, 2020
Merged

security: disallow uuid package on jinja2#10794
dpgaspar merged 3 commits into
apache:masterfrom
preset-io:fix/disallow-uuid-jinja2

Conversation

@dpgaspar
Copy link
Copy Markdown
Member

@dpgaspar dpgaspar commented Sep 4, 2020
edited
Loading

SUMMARY

Disallow the use of the entire uuid python package.

There is a case to be made if we should disallow all packages completely. Checked all the other packages (used dir(datetime) for example) and found nothing relevant.

Safer to remove all packages and just allow "flat" functions, but this would result in a big loss of default functionality, for example on datetime. User's can always reenable these using JINJA_CONTEXT_ADDONS

ADDITIONAL INFORMATION

  • Has associated issue: #10785
  • Changes UI
  • Requires DB Migration.
  • Confirm DB Migration upgrade and downgrade tested.
  • Introduces new feature or API
  • Removes existing feature or API

@dpgaspar dpgaspar marked this pull request as ready for review September 4, 2020 14:36
villebro
villebro approved these changes Sep 4, 2020
View reviewed changes
Copy link
Copy Markdown
Member

@villebro villebro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, minor typo comment.

Comment thread UPDATING.md Outdated
@villebro villebro changed the title fix: disallow uuid package on jinja2 security: disallow uuid package on jinja2 Sep 4, 2020
@dpgaspar @villebro
Update UPDATING.md
281b6a5 
Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>
@codecov-commenter
Copy link
Copy Markdown

codecov-commenter commented Sep 4, 2020
edited
Loading

Codecov Report

Merging #10794 into master will increase coverage by 4.07%.
The diff coverage is n/a.

Impacted file tree graph

@@            Coverage Diff             @@
##           master   #10794      +/-   ##
==========================================
+ Coverage   61.22%   65.30%   +4.07%     
==========================================
  Files         802      802              
  Lines       37814    37816       +2     
  Branches     3555     3555              
==========================================
+ Hits        23153    24695    +1542     
+ Misses      14475    13012    -1463     
+ Partials      186      109      -77
Flag Coverage Δ
#cypress 55.36% <ø> (?)
#javascript 61.60% <ø> (ø)
#python 61.01% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
superset/extensions.py 95.65% <ø> (ø)
...src/components/FilterableTable/FilterableTable.tsx 81.77% <0.00%> (-0.41%) ⬇️
...ontend/src/components/ListView/TableCollection.tsx 100.00% <0.00%> (ø)
superset-frontend/src/SqlLab/actions/sqlLab.js 60.25% <0.00%> (+0.64%) ⬆️
...erset-frontend/src/SqlLab/components/SqlEditor.jsx 52.12% <0.00%> (+1.21%) ⬆️
...ashboard/components/gridComponents/ChartHolder.jsx 79.16% <0.00%> (+1.38%) ⬆️
superset-frontend/src/utils/common.js 68.65% <0.00%> (+1.49%) ⬆️
...perset-frontend/src/components/CopyToClipboard.jsx 36.36% <0.00%> (+1.51%) ⬆️
...rset-frontend/src/explore/components/SaveModal.jsx 92.30% <0.00%> (+1.53%) ⬆️
...hboard/components/resizable/ResizableContainer.jsx 71.87% <0.00%> (+1.56%) ⬆️
... and 155 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 5199423...281b6a5. Read the comment docs.

@dpgaspar dpgaspar merged commit f685825 into apache:master Sep 4, 2020
@dpgaspar dpgaspar deleted the fix/disallow-uuid-jinja2 branch September 4, 2020 15:37
villebro added a commit to preset-io/superset that referenced this pull request Sep 4, 2020
@dpgaspar @villebro
security: disallow uuid package on jinja2 (apache#10794)
d9af51e 
* fix: disallow uuid package on jinja2

* update UPDATING.md

* Update UPDATING.md

Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>

Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>
villebro added a commit that referenced this pull request Sep 5, 2020
@dpgaspar @villebro
security: disallow uuid package on jinja1 (#10794)
a72903c 
* fix: disallow uuid package on jinja2

* update UPDATING.md

* Update UPDATING.md

Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>

Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>
villebro added a commit that referenced this pull request Sep 5, 2020
@dpgaspar @villebro
security: disallow uuid package on jinja2 (#10794)
4ce3bd1 
* fix: disallow uuid package on jinja2

* update UPDATING.md

* Update UPDATING.md

Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>

Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>
amitmiran137 pushed a commit to ofekisr/incubator-superset that referenced this pull request Sep 7, 2020
Merge remote-tracking branch 'upstream/master' into feat/add_all_dash…
d709758 
…boards_permissions

* upstream/master: (32 commits)
  docs: Add a note to contributing.md on reporting security vulnerabilities (apache#10796)
  Fix: Include RLS filters for cache keys (apache#10805)
  feat: filters for database list view (apache#10772)
  fix: MVC show saved query (apache#10781)
  added creator column and adjusted order columns (apache#10789)
  security: disallow uuid package on jinja2 (apache#10794)
  feat: CRUD REST API for saved queries (apache#10777)
  fix: disable domain sharding on explore view (apache#10787)
  fix: can not type `0.05` in `TextControl` (apache#10778)
  fix: pivot table timestamp grouping (apache#10774)
  fix: add validator information to email/slack alerts (apache#10762)
  More Label touchups (margins) (apache#10722)
  fix: dashboard extra filters (apache#10692)
  fix: re-installing local superset in cache image (apache#10766)
  feat: SIP-34 table list view for databases (apache#10705)
  refactor: convert DatasetList schema filter to use new distinct api (apache#10746)
  chore: removing fsevents dependency (apache#10751)
  Fix precommit hook for docs/installation.rst (apache#10759)
  feat(database): POST, PUT, DELETE API endpoints (apache#10741)
  docs: Update OAuth configuration in installation.rst (apache#10748)
  ...
@dpgaspar dpgaspar added the v0.38 label Sep 10, 2020
dpgaspar added a commit to preset-io/superset that referenced this pull request Sep 10, 2020
@dpgaspar @villebro
security: disallow uuid package on jinja2 (apache#10794)
74bb6f3 
* fix: disallow uuid package on jinja2

* update UPDATING.md

* Update UPDATING.md

Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>

Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>
villebro added a commit to preset-io/superset that referenced this pull request Sep 11, 2020
@dpgaspar @villebro
security: disallow uuid package on jinja2 (apache#10794)
e1c883a 
* fix: disallow uuid package on jinja2

* update UPDATING.md

* Update UPDATING.md

Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>

Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>
villebro added a commit that referenced this pull request Sep 11, 2020
@dpgaspar @villebro
security: disallow uuid package on jinja2 (#10794)
c75823b 
* fix: disallow uuid package on jinja2

* update UPDATING.md

* Update UPDATING.md

Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>

Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>
auxten pushed a commit to auxten/incubator-superset that referenced this pull request Nov 20, 2020
@dpgaspar @villebro @auxten
security: disallow uuid package on jinja2 (apache#10794)
eddae0b 
* fix: disallow uuid package on jinja2

* update UPDATING.md

* Update UPDATING.md

Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>

Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>
@geido geido added .security and removed security labels Feb 10, 2022
cccs-rc pushed a commit to CybercentreCanada/superset that referenced this pull request Mar 6, 2024
@dpgaspar @villebro
security: disallow uuid package on jinja1 (apache#10794)
a4b126c 
* fix: disallow uuid package on jinja2

* update UPDATING.md

* Update UPDATING.md

Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>

Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>
@mistercrunch mistercrunch added 🍒 0.37.1 Cherry-picked to 0.37.1 🍒 0.37.2 Cherry-picked to 0.37.2 labels Mar 12, 2024
@mistercrunch mistercrunch added 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels 🚢 0.38.0 First shipped in 0.38.0 labels Mar 12, 2024
qfcwell pushed a commit to qfcwell/superset that referenced this pull request May 12, 2026
@dpgaspar @villebro
security: disallow uuid package on jinja2 (apache#10794)
cfff606 
* fix: disallow uuid package on jinja2

* update UPDATING.md

* Update UPDATING.md

Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>

Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@villebro villebro villebro approved these changes

@willbarrett willbarrett Awaiting requested review from willbarrett

Assignees

No one assigned

Labels

🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels size/S v0.37 v0.37.1 v0.38 🍒 0.37.1 Cherry-picked to 0.37.1 🍒 0.37.2 Cherry-picked to 0.37.2 🚢 0.38.0 First shipped in 0.38.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@dpgaspar @codecov-commenter @villebro @mistercrunch @geido