Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(dashboard): Prevent XSS attack vector #21822

Merged
merged 1 commit into from
Oct 19, 2022

Conversation

agl-developer
Copy link
Contributor

SUMMARY

Improve security by filtering src attribute value.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A

TESTING INSTRUCTIONS

  1. Create or edit an existing dashboard.
  2. Add a markdown element
  3. Add the following text inside the markdown editor <embed src="javascript:alert('hacked')">.
  4. Click away and the added code will not show up because it did not pass the filter.

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

@codecov
Copy link

codecov bot commented Oct 16, 2022

Codecov Report

Merging #21822 (3b66f59) into master (6f2e76b) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master   #21822   +/-   ##
=======================================
  Coverage   66.89%   66.89%           
=======================================
  Files        1805     1805           
  Lines       69071    69071           
  Branches     7369     7369           
=======================================
  Hits        46208    46208           
  Misses      20956    20956           
  Partials     1907     1907           
Flag Coverage Δ
javascript 53.29% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
...s/superset-ui-core/src/components/SafeMarkdown.tsx 66.66% <ø> (ø)

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

Copy link
Member

@stephenLYZ stephenLYZ left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Thanks for the fix. Also, it looks like the latest version is currently safe by default, which has no dangerouslySetInnerHTML or XSS attacks. It's a good idea to try to upgrade to the latest version in the future.

Copy link
Member

@michael-s-molina michael-s-molina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@michael-s-molina michael-s-molina merged commit ec20c01 into apache:master Oct 19, 2022
@mistercrunch mistercrunch added 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels 🚢 2.1.0 and removed 🚢 2.1.3 labels Mar 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels size/XS 🚢 2.1.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants