Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Adds a Content Security Policy (CSP) check for production environments #21874

Merged
merged 3 commits into from
Oct 20, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 22 additions & 0 deletions docs/docs/security.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -131,6 +131,28 @@ For example, the filters `client_id=4` and `client_id=5`, applied to a role,
will result in users of that role having `client_id=4` AND `client_id=5`
added to their query, which can never be true.

### Content Security Policiy (CSP)

[Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is an added
layer of security that helps to detect and mitigate certain types of attacks, including
Cross-Site Scripting (XSS) and data injection attacks.

CSP makes it possible for server administrators to reduce or eliminate the vectors by which XSS can
occur by specifying the domains that the browser should consider to be valid sources of executable scripts.
A CSP compatible browser will then only execute scripts loaded in source files received from those allowed domains,
ignoring all other scripts (including inline scripts and event-handling HTML attributes).

A policy is described using a series of policy directives, each of which describes the policy for
a certain resource type or policy area. You can check possible directives
[here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy).

It's extremely important to correclty configure a Content Security Policy when deploying Superset to
prevent many types of attacks. For that matter, Superset provides the ` TALISMAN_CONFIG` key in `config.py`
where admnistrators can define the policy. When running in production mode, Superset will check for the presence
of a policy and if it's not able to find one, it will issue a warning with the security risks. For environments
where CSP policies are defined outside of Superset using other software, administrators can disable
the warning using the `CONTENT_SECURITY_POLICY_WARNING` key in `config.py`.

### Reporting Security Vulnerabilities

Apache Software Foundation takes a rigorous standpoint in annihilating the security issues in its
Expand Down
3 changes: 3 additions & 0 deletions superset/config.py
Original file line number Diff line number Diff line change
Expand Up @@ -1223,6 +1223,9 @@ def EMAIL_HEADER_MUTATOR( # pylint: disable=invalid-name,unused-argument
# one here.
TEST_DATABASE_CONNECTION_TIMEOUT = timedelta(seconds=30)

# Enable/disable CSP warning
CONTENT_SECURITY_POLICY_WARNING = True

# Do you want Talisman enabled?
TALISMAN_ENABLED = False
# If you want Talisman, how do you want it configured??
Expand Down
24 changes: 22 additions & 2 deletions superset/initialization/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -575,8 +575,28 @@ def __call__(
# Flask-Compress
Compress(self.superset_app)

if self.config["TALISMAN_ENABLED"]:
talisman.init_app(self.superset_app, **self.config["TALISMAN_CONFIG"])
show_csp_warning = False
if (
self.config["CONTENT_SECURITY_POLICY_WARNING"]
and not self.superset_app.debug
):
if self.config["TALISMAN_ENABLED"]:
talisman.init_app(self.superset_app, **self.config["TALISMAN_CONFIG"])
if not self.config["TALISMAN_CONFIG"].get("content_security_policy"):
show_csp_warning = True
else:
show_csp_warning = True

if show_csp_warning:
logger.warning(
"We haven't found any Content Security Policy (CSP) defined in "
"the configurations. Please make sure to configure CSP using the "
"TALISMAN_CONFIG key or any other external software. Failing to "
"configure CSP have serious security implications. Check "
"https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP for more "
"information. You can disable this warning using the "
"CONTENT_SECURITY_POLICY_WARNING key."
)

def configure_logging(self) -> None:
self.config["LOGGING_CONFIGURATOR"].configure_logging(
Expand Down