Use json for imports and exports, not pickle #4243
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
timifasubaa
force-pushed
the
export_json_not_pickle
branch
4 times, most recently
from
85c6190
to
2f7e195
Compare
timifasubaa
commented
Jan 19, 2018
superset/views/core.py
Outdated
| @@ -1919,7 +1945,7 @@ def dashboard(self, dashboard_id): | |||
| else: | |||
| qry = qry.filter_by(slug=dashboard_id) | |||
|
|
|||
| dash = qry.one() | |||
| dash = qry.first()#one() | |||
There was a problem hiding this comment.
Importing a new dashboard from an existing dashboard leaves the slug value the same and when .one() has more than one result, it errors out.
Would it be better to avoid importing dashboards with the same slug or to add a random new slug or just return the first slug?
timifasubaa
changed the title
timifasubaa
force-pushed
the
export_json_not_pickle
branch
6 times, most recently
from
196915d
to
d85aead
Compare
timifasubaa
changed the title
timifasubaa
force-pushed
the
export_json_not_pickle
branch
from
d85aead
to
2a16808
Compare
timifasubaa
force-pushed
the
export_json_not_pickle
branch
11 times, most recently
from
acedfe1
to
1c8eee2
Compare
timifasubaa
force-pushed
the
export_json_not_pickle
branch
from
1c8eee2
to
48a79e1
Compare
john-bodley
reviewed
Jan 23, 2018
| @@ -240,6 +241,55 @@ def dttm_from_timtuple(d): | |||
| d.tm_year, d.tm_mon, d.tm_mday, d.tm_hour, d.tm_min, d.tm_sec) | |||
|
|
|||
|
|
|||
| def decode_dashboards(o): | |||
There was a problem hiding this comment.
Do you think using jsonpickle with custom handlers for encoding/decoding would be more pythonic?
There was a problem hiding this comment.
I agree it would be more pythonic but as it turns out, jsonpickle is also susceptible to the RCE attack.
|
PING |
|
this looks good to me |
|
💯 |
john-bodley
pushed a commit
to airbnb/superset-fork
that referenced
this pull request
Jan 24, 2018
* make superset imports and exports use json, not pickle * fix tests
mistercrunch
added a commit
that referenced
this pull request
Jan 27, 2018
This reverts commit 2c72a7a.
michellethomas
pushed a commit
to michellethomas/panoramix
that referenced
this pull request
May 24, 2018
* make superset imports and exports use json, not pickle * fix tests
|
Note this is CVE-2018-8021 |
wenchma
pushed a commit
to wenchma/incubator-superset
that referenced
this pull request
Nov 16, 2018
* make superset imports and exports use json, not pickle * fix tests
mistercrunch
added
🏷️ bot
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Importing and exporting dashboards with pickle files, which the user controls poses a security vulnerability. A well constructed pickle file can potentially spawn a shell.
The exploit is fleshed out here (https://blog.nelhage.com/2011/03/exploiting-pickle/)
This PR changes the format of the exported and imported files to json strings and eliminates this possibility.
@mistercrunch @john-bodley @michellethomas