Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allowing config flag to turn off javascript controls #4400

Merged
merged 4 commits into from
Feb 21, 2018

Conversation

mistercrunch
Copy link
Member

screen shot 2018-02-10 at 5 42 28 pm

Copy link
Member

@betodealmeida betodealmeida left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, one question only: have you considered completely removing the form in this case, instead of having the warning? Can we also disable the Javascript form in this case, so it's read only?

d = cast_form_data(request.args)
d = cast_form_data(d)

for k in FORM_DATA_KEY_BLACKLIST:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: you can do this in a single line

d = {k: v for k, v in d.items() if k not in FORM_DATA_KEY_BLACKLIST}

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

extra points for avoiding the mutation

@mistercrunch
Copy link
Member Author

Since the default is to set the feature off (secure should be the default), I want for the users to see that the feature exists otherwise there's no way for the users to discover that the feature exists.

I looked quickly at the react-ace to see if a disabled prop exists but apparently not, so decided to just have the warning icon instead:
https://github.com/securingsincity/react-ace/blob/master/src/ace.js

@mistercrunch
Copy link
Member Author

Oh looks like there's a readOnly prop I missed on my first pass

@mistercrunch
Copy link
Member Author

@betodealmeida made the fields readOnly

@mistercrunch
Copy link
Member Author

mistercrunch commented Feb 21, 2018

For the record a security expert mentioned in an email:

If you create an iframe in the `none` origin, you could then use the postMessage API to
send it the function definition (as a string) along with the data. It could then eval the function
definition, run it on the data, and then use the postMessage API to send the mutated data
back to the app to be rendered. 

@mistercrunch
Copy link
Member Author

Addressed comments, merging.

@mistercrunch mistercrunch merged commit a373db2 into apache:master Feb 21, 2018
@mistercrunch mistercrunch deleted the turn_off_js_controls branch February 21, 2018 16:31
mistercrunch added a commit that referenced this pull request Feb 22, 2018
* Allowing config flag to turn off javascript controls

* lint

* one line, avoiding mutation

* Setting JS fields as readOnly

(cherry picked from commit a373db2)
michellethomas pushed a commit to michellethomas/panoramix that referenced this pull request May 24, 2018
* Allowing config flag to turn off javascript controls

* lint

* one line, avoiding mutation

* Setting JS fields as readOnly
wenchma pushed a commit to wenchma/incubator-superset that referenced this pull request Nov 16, 2018
* Allowing config flag to turn off javascript controls

* lint

* one line, avoiding mutation

* Setting JS fields as readOnly
@mistercrunch mistercrunch added 🍒 0.23.0 🍒 0.23.1 🍒 0.23.2 🍒 0.23.3 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels 🚢 0.24.0 labels Feb 27, 2024
cccs-rc pushed a commit to CybercentreCanada/superset that referenced this pull request Mar 6, 2024
* Allowing config flag to turn off javascript controls

* lint

* one line, avoiding mutation

* Setting JS fields as readOnly

(cherry picked from commit a373db2)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels v0.23 🍒 0.23.0 🍒 0.23.1 🍒 0.23.2 🍒 0.23.3 🚢 0.24.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants