From b501f5f4a2d1a5729a0cc3984b991ceec5cebcda Mon Sep 17 00:00:00 2001 From: Daniel Gaspar Date: Tue, 25 Feb 2020 18:23:39 +0000 Subject: [PATCH 1/3] [api] Fix, don't exempt CSRF on APIs --- superset/views/base_api.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/superset/views/base_api.py b/superset/views/base_api.py index 412b5ca9c281..d2df347a2a1b 100644 --- a/superset/views/base_api.py +++ b/superset/views/base_api.py @@ -62,7 +62,7 @@ class BaseSupersetModelRestApi(ModelRestApi): """ Extends FAB's ModelResApi to implement specific superset generic functionality """ - + csrf_exempt = False method_permission_name = { "get_list": "list", "get": "show", From 3b602e30c58232b387d305f9827f8cad4ec3db32 Mon Sep 17 00:00:00 2001 From: Tai Dupree Date: Tue, 25 Feb 2020 11:22:36 -0800 Subject: [PATCH 2/3] adds cookie based CSRF token support --- .../javascripts/utils/parseCookie_spec.ts | 41 +++++++++++++++++++ superset-frontend/src/setup/setupClient.js | 6 ++- superset-frontend/src/utils/parseCookie.ts | 29 +++++++++++++ 3 files changed, 75 insertions(+), 1 deletion(-) create mode 100644 superset-frontend/spec/javascripts/utils/parseCookie_spec.ts create mode 100644 superset-frontend/src/utils/parseCookie.ts diff --git a/superset-frontend/spec/javascripts/utils/parseCookie_spec.ts b/superset-frontend/spec/javascripts/utils/parseCookie_spec.ts new file mode 100644 index 000000000000..1a625ee5f512 --- /dev/null +++ b/superset-frontend/spec/javascripts/utils/parseCookie_spec.ts @@ -0,0 +1,41 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +import parseCookie from 'src/utils/parseCookie'; + +describe('parseCookie', () => { + let cookieVal = ''; + Object.defineProperty(document, 'cookie', { + get: jest.fn().mockImplementation(() => { + return cookieVal; + }), + }); + it('parses cookie strings', () => { + cookieVal = 'val1=foo; val2=bar'; + expect(parseCookie()).toEqual({ val1: 'foo', val2: 'bar' }); + }); + + it('parses empty cookie strings', () => { + cookieVal = ''; + expect(parseCookie()).toEqual({}); + }); + + it('accepts an arg', () => { + expect(parseCookie('val=foo')).toEqual({ val: 'foo' }); + }); +}); diff --git a/superset-frontend/src/setup/setupClient.js b/superset-frontend/src/setup/setupClient.js index 8a34fb623e1d..35e7e75e1444 100644 --- a/superset-frontend/src/setup/setupClient.js +++ b/superset-frontend/src/setup/setupClient.js @@ -18,15 +18,19 @@ */ /* eslint no-console: 0 */ import { SupersetClient } from '@superset-ui/connection'; +import parseCookie from 'src/utils/parseCookie'; export default function setupClient() { const csrfNode = document.querySelector('#csrf_token'); const csrfToken = csrfNode ? csrfNode.value : null; + // when using flask-jwt-extended csrf is set in cookies + const cookieCSRFToken = parseCookie().csrf_access_token || ''; + SupersetClient.configure({ protocol: (window.location && window.location.protocol) || '', host: (window.location && window.location.host) || '', - csrfToken, + csrfToken: csrfToken || cookieCSRFToken, }) .init() .catch(error => { diff --git a/superset-frontend/src/utils/parseCookie.ts b/superset-frontend/src/utils/parseCookie.ts new file mode 100644 index 000000000000..90a4c323c388 --- /dev/null +++ b/superset-frontend/src/utils/parseCookie.ts @@ -0,0 +1,29 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +type CookieMap = { [cookieId: string]: string }; + +export default function parseCookie(cookie = document.cookie): CookieMap { + return Object.fromEntries( + cookie + .split('; ') + .filter(x => x) + .map(x => x.split('=')), + ); +} From a29bcd51f25cd0acda620d26f1c9f3f04268f9d4 Mon Sep 17 00:00:00 2001 From: Tai Dupree Date: Wed, 26 Feb 2020 11:24:45 -0800 Subject: [PATCH 3/3] blacking --- superset/views/base_api.py | 1 + 1 file changed, 1 insertion(+) diff --git a/superset/views/base_api.py b/superset/views/base_api.py index d2df347a2a1b..ea9286ee35dd 100644 --- a/superset/views/base_api.py +++ b/superset/views/base_api.py @@ -62,6 +62,7 @@ class BaseSupersetModelRestApi(ModelRestApi): """ Extends FAB's ModelResApi to implement specific superset generic functionality """ + csrf_exempt = False method_permission_name = { "get_list": "list",