security: disallow uuid package on jinja2 #10794
Conversation
LGTM, minor typo comment.
Co-authored-by: Ville Brofeldt <[email protected]>
Codecov Report

```
@@            Coverage Diff             @@
##           master   #10794      +/-   ##
==========================================
+ Coverage   61.22%   65.30%   +4.07%
==========================================
  Files         802      802
  Lines       37814    37816       +2
  Branches     3555     3555
==========================================
+ Hits        23153    24695    +1542
+ Misses      14475    13012    -1463
+ Partials      186      109      -77
```
* fix: disallow uuid package on jinja2
* update UPDATING.md
* Update UPDATING.md

Co-authored-by: Ville Brofeldt <[email protected]>
SUMMARY
Disallow the use of the entire `uuid` python package. There is a case to be made if we should disallow all packages completely. Checked all the other packages (used `dir(datetime)` for example) and found nothing relevant. Safer to remove all packages and just allow "flat" functions, but this would result in a big loss of default functionality, for example on `datetime`. Users can always re-enable these using `JINJA_CONTEXT_ADDONS`.
ADDITIONAL INFORMATION
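The point the PR description makes (a whole module in the Jinja context is unsafe, "flat" functions are not) can be shown directly with `jinja2`'s `SandboxedEnvironment`. The block below is an added illustration, not code from this PR or from Superset: `MODULE_CONTEXT` and `FLAT_CONTEXT` are constructed stand-ins for a templating context, and the templates are constructed probes. It relies on one fact about CPython's `uuid.py`: it does `import os` and `import sys` at module level, so `uuid.os` and `uuid.sys` are ordinary public attributes of the module object. The sandbox only refuses attributes whose name starts with `_` (and a few internal ones such as `__globals__` on functions), so a public attribute that happens to be another module is handed through, and from there every function in that module is callable. The probe uses `os.getcwd()` as a harmless stand-in; the same attribute path reaches `os.system`.

```python
"""Why a module object in a Jinja2 context is dangerous, and why flat callables are not."""
import os
import uuid

from jinja2 import StrictUndefined
from jinja2.exceptions import SecurityError, UndefinedError
from jinja2.sandbox import SandboxedEnvironment


def render(template_src: str, context: dict) -> str:
    """Render a user-supplied template in the sandboxed environment.

    StrictUndefined makes every lookup of an unknown name fail loudly instead of
    rendering as an empty string, which keeps the probes below unambiguous.
    """
    env = SandboxedEnvironment(undefined=StrictUndefined)
    return env.from_string(template_src).render(**context)


# Constructed context in the pattern the PR removes: the whole module is exposed.
MODULE_CONTEXT = {"uuid": uuid}

# Constructed context in the "flat functions" pattern: only the callable is exposed.
FLAT_CONTEXT = {"uuid4": uuid.uuid4}


def module_exposes_its_imports() -> bool:
    """With the module in the context, uuid.os is a public (hence 'safe') attribute.

    The sandbox's is_safe_attribute() only rejects '_'-prefixed and internal
    attributes, and is_safe_callable() only rejects callables flagged as
    unsafe_callable/alters_data, so os.getcwd (and os.system) are reachable.
    """
    return render("{{ uuid.os.getcwd() }}", MODULE_CONTEXT) == os.getcwd()


def flat_function_still_works() -> bool:
    """The intended functionality survives: a flat callable renders a valid UUID."""
    rendered = render("{{ uuid4() }}", FLAT_CONTEXT)
    return str(uuid.UUID(rendered)) == rendered


def flat_context_has_no_module_to_walk() -> bool:
    """Same probe against the flat context: there is no `uuid` object at all."""
    try:
        render("{{ uuid.os.getcwd() }}", FLAT_CONTEXT)
    except UndefinedError:
        return True
    return False


def sandbox_blocks_dunder_pivot_from_function() -> bool:
    """The remaining pivot, through the function's __globals__, is the case the
    sandbox does catch: '_'-prefixed attribute access raises SecurityError."""
    try:
        render("{{ uuid4.__globals__['os'].getcwd() }}", FLAT_CONTEXT)
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    print("module in context reaches os:", module_exposes_its_imports())
    print("flat uuid4() works:", flat_function_still_works())
    print("flat context has no module:", flat_context_has_no_module_to_walk())
    print("dunder pivot blocked:", sandbox_blocks_dunder_pivot_from_function())
```

The practical check when auditing a template context: for every value in it, ask whether it is a module (or any object whose public attributes are modules, classes or other rich objects); if so, either replace it with the specific callables users need, or do not expose it at all. The sandbox's attribute filter is a denylist on names, not an allowlist on objects, so it cannot protect a context that already contains a module.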