Skip to content

Commit

Permalink
feat: Adds a Content Security Policy (CSP) check for production envir…
Browse files Browse the repository at this point in the history
…onments (#21874)
  • Loading branch information
michael-s-molina committed Oct 20, 2022
1 parent b17ef18 commit f4da74c
Show file tree
Hide file tree
Showing 3 changed files with 47 additions and 2 deletions.
22 changes: 22 additions & 0 deletions docs/docs/security.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -131,6 +131,28 @@ For example, the filters `client_id=4` and `client_id=5`, applied to a role,
will result in users of that role having `client_id=4` AND `client_id=5`
added to their query, which can never be true.

### Content Security Policiy (CSP)

[Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is an added
layer of security that helps to detect and mitigate certain types of attacks, including
Cross-Site Scripting (XSS) and data injection attacks.

CSP makes it possible for server administrators to reduce or eliminate the vectors by which XSS can
occur by specifying the domains that the browser should consider to be valid sources of executable scripts.
A CSP compatible browser will then only execute scripts loaded in source files received from those allowed domains,
ignoring all other scripts (including inline scripts and event-handling HTML attributes).

A policy is described using a series of policy directives, each of which describes the policy for
a certain resource type or policy area. You can check possible directives
[here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy).

It's extremely important to correclty configure a Content Security Policy when deploying Superset to
prevent many types of attacks. For that matter, Superset provides the ` TALISMAN_CONFIG` key in `config.py`
where admnistrators can define the policy. When running in production mode, Superset will check for the presence
of a policy and if it's not able to find one, it will issue a warning with the security risks. For environments
where CSP policies are defined outside of Superset using other software, administrators can disable
the warning using the `CONTENT_SECURITY_POLICY_WARNING` key in `config.py`.

### Reporting Security Vulnerabilities

Apache Software Foundation takes a rigorous standpoint in annihilating the security issues in its
Expand Down
3 changes: 3 additions & 0 deletions superset/config.py
Original file line number Diff line number Diff line change
Expand Up @@ -1223,6 +1223,9 @@ def EMAIL_HEADER_MUTATOR( # pylint: disable=invalid-name,unused-argument
# one here.
TEST_DATABASE_CONNECTION_TIMEOUT = timedelta(seconds=30)

# Enable/disable CSP warning
CONTENT_SECURITY_POLICY_WARNING = True

# Do you want Talisman enabled?
TALISMAN_ENABLED = False
# If you want Talisman, how do you want it configured??
Expand Down
24 changes: 22 additions & 2 deletions superset/initialization/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -575,8 +575,28 @@ def __call__(
# Flask-Compress
Compress(self.superset_app)

if self.config["TALISMAN_ENABLED"]:
talisman.init_app(self.superset_app, **self.config["TALISMAN_CONFIG"])
show_csp_warning = False
if (
self.config["CONTENT_SECURITY_POLICY_WARNING"]
and not self.superset_app.debug
):
if self.config["TALISMAN_ENABLED"]:
talisman.init_app(self.superset_app, **self.config["TALISMAN_CONFIG"])
if not self.config["TALISMAN_CONFIG"].get("content_security_policy"):
show_csp_warning = True
else:
show_csp_warning = True

if show_csp_warning:
logger.warning(
"We haven't found any Content Security Policy (CSP) defined in "
"the configurations. Please make sure to configure CSP using the "
"TALISMAN_CONFIG key or any other external software. Failing to "
"configure CSP have serious security implications. Check "
"https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP for more "
"information. You can disable this warning using the "
"CONTENT_SECURITY_POLICY_WARNING key."
)

def configure_logging(self) -> None:
self.config["LOGGING_CONFIGURATOR"].configure_logging(
Expand Down

0 comments on commit f4da74c

Please sign in to comment.