Merge pull request from GHSA-fcpv-hgq6-87h7
susodapop committed Nov 23, 2021
1 parent ce60d20 commit 61bbb5a
Showing 7 changed files with 34 additions and 31 deletions.
18 changes: 7 additions & 11 deletions redash/query_runner/__init__.py
Expand Up @@ -13,7 +13,8 @@
from redash.utils import json_loads, query_is_select_no_limit, add_limit_to_query
from rq.timeouts import JobTimeoutException

from redash.utils.requests_session import requests, requests_session
from redash.utils.requests_session import requests_or_advocate, requests_session, UnacceptableAddressException


logger = logging.getLogger(__name__)

Expand Down Expand Up @@ -236,12 +237,6 @@ def apply_auto_limit(self, query_text, should_apply_auto_limit):
return query_text


def is_private_address(url):
hostname = urlparse(url).hostname
ip_address = socket.gethostbyname(hostname)
return ipaddress.ip_address(text_type(ip_address)).is_private


class BaseHTTPQueryRunner(BaseQueryRunner):
should_annotate_query = False
response_error = "Endpoint returned unexpected status code"
Expand Down Expand Up @@ -285,8 +280,6 @@ def get_auth(self):
return None

def get_response(self, url, auth=None, http_method="get", **kwargs):
if is_private_address(url) and settings.ENFORCE_PRIVATE_ADDRESS_BLOCK:
raise Exception("Can't query private addresses.")

# Get authentication values if not given
if auth is None:
Expand All @@ -307,12 +300,15 @@ def get_response(self, url, auth=None, http_method="get", **kwargs):
if response.status_code != 200:
error = "{} ({}).".format(self.response_error, response.status_code)

except requests.HTTPError as exc:
except requests_or_advocate.HTTPError as exc:
logger.exception(exc)
error = "Failed to execute query. " "Return Code: {} Reason: {}".format(
response.status_code, response.text
)
except requests.RequestException as exc:
except UnacceptableAddressException as exc:
logger.exception(exc)
error = "Can't query private addresses."
except requests_or_advocate.RequestException as exc:
# Catch all other requests exceptions and return the error.
logger.exception(exc)
error = str(exc)
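Review bot: The new `except UnacceptableAddressException` branch in `get_response` is only reachable when `ENFORCE_PRIVATE_ADDRESS_BLOCK` is on, because `requests_or_advocate` is plain `requests` otherwise, and nothing in the method says so; add a comment above the handler: `# Raised by advocate when the request target resolves to a blocked (private/loopback) address; only active when ENFORCE_PRIVATE_ADDRESS_BLOCK is set.` With `is_private_address` gone, the `socket`, `ipaddress`, `urlparse` and `text_type` names it used are probably unused in this module now, but the hunk does not touch the import block, so that needs checking. `get_response` starts and ends outside the hunk.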
12 changes: 6 additions & 6 deletions redash/query_runner/csv.py
@@ -1,9 +1,9 @@
import logging
import yaml
import requests
import io

from redash import settings
from redash.utils.requests_session import requests_or_advocate, UnacceptableAddressException

from redash.query_runner import *
from redash.utils import json_dumps

Expand Down Expand Up @@ -52,14 +52,11 @@ def run_query(self, query, user):
args.pop('url', None)
ua = args['user-agent']
args.pop('user-agent', None)

if is_private_address(path) and settings.ENFORCE_PRIVATE_ADDRESS_BLOCK:
raise Exception("Can't query private addresses.")
except:
pass

try:
response = requests.get(url=path, headers={"User-agent": ua})
response = requests_or_advocate.get(url=path, headers={"User-agent": ua})
workbook = pd.read_csv(io.BytesIO(response.content),sep=",", **args)

df = workbook.copy()
Expand Down Expand Up @@ -88,6 +85,9 @@ def run_query(self, query, user):
except KeyboardInterrupt:
error = "Query cancelled by user."
json_data = None
except UnacceptableAddressException:
error = "Can't query private addresses."
json_data = None
except Exception as e:
error = "Error reading {0}. {1}".format(path, str(e))
json_data = None
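Review bot: The new `except UnacceptableAddressException` handler in csv.py's `run_query` records the block silently, whereas the equivalent handler in `BaseHTTPQueryRunner.get_response` calls `logger.exception(exc)`; a request refused because it targeted an internal address is exactly the event operators want in the logs, so bind and log it here too, e.g. `except UnacceptableAddressException as e:` followed by `logger.warning("Blocked request to a private address: %s", e)` before setting `error` (using the module logger that `import logging` suggests exists). The identical handler in excel.py has the same gap. The bare `except: pass` just above the request, still visible in the hunk, continues to hide failures in the YAML/argument handling; narrowing it is outside this fix but worth a follow-up. `run_query` starts and ends outside the hunk.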
11 changes: 6 additions & 5 deletions redash/query_runner/excel.py
@@ -1,8 +1,8 @@
import logging
import yaml
import requests

from redash import settings
from redash.utils.requests_session import requests_or_advocate, UnacceptableAddressException

from redash.query_runner import *
from redash.utils import json_dumps

Expand Down Expand Up @@ -49,13 +49,11 @@ def run_query(self, query, user):
ua = args['user-agent']
args.pop('user-agent', None)

if is_private_address(path) and settings.ENFORCE_PRIVATE_ADDRESS_BLOCK:
raise Exception("Can't query private addresses.")
except:
pass

try:
response = requests.get(url=path, headers={"User-agent": ua})
response = requests_or_advocate.get(url=path, headers={"User-agent": ua})
workbook = pd.read_excel(response.content, **args)

df = workbook.copy()
Expand Down Expand Up @@ -84,6 +82,9 @@ def run_query(self, query, user):
except KeyboardInterrupt:
error = "Query cancelled by user."
json_data = None
except UnacceptableAddressException:
error = "Can't query private addresses."
json_data = None
except Exception as e:
error = "Error reading {0}. {1}".format(path, str(e))
json_data = None
7 changes: 3 additions & 4 deletions redash/query_runner/json_ds.py
Expand Up @@ -2,7 +2,9 @@
import yaml
import datetime
from funcy import compact, project
from redash import settings

from redash.utils.requests_session import requests_or_advocate, UnacceptableAddressException

from redash.utils import json_dumps
from redash.query_runner import (
BaseHTTPQueryRunner,
Expand All @@ -12,7 +14,6 @@
TYPE_FLOAT,
TYPE_INTEGER,
TYPE_STRING,
is_private_address,
)


Expand Down Expand Up @@ -163,8 +164,6 @@ def run_query(self, query, user):
if "url" not in query:
raise QueryParseError("Query must include 'url' option.")

if is_private_address(query["url"]) and settings.ENFORCE_PRIVATE_ADDRESS_BLOCK:
raise Exception("Can't query private addresses.")

method = query.get("method", "get")
request_options = project(query, ("params", "headers", "data", "auth", "json"))
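Review bot: `requests_or_advocate` and `UnacceptableAddressException` are imported at the top of json_ds.py, but no hunk in this file uses either name, and `settings` (still imported) loses its only visible use when the `ENFORCE_PRIVATE_ADDRESS_BLOCK` check is removed. If `run_query` relies on the inherited `get_response` to turn the exception into an error string, the two new imports are dead and the `settings` import may be too; if the HTTP call in this runner bypasses `get_response`, the matching `except UnacceptableAddressException` handler is missing here. `run_query` continues outside the hunk, so this is inferred from the visible lines only.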
10 changes: 8 additions & 2 deletions redash/utils/requests_session.py
@@ -1,8 +1,14 @@
import requests
from redash import settings

from advocate.exceptions import UnacceptableAddressException
if settings.ENFORCE_PRIVATE_ADDRESS_BLOCK:
import advocate as requests_or_advocate
else:
import requests as requests_or_advocate

class ConfiguredSession(requests.Session):


class ConfiguredSession(requests_or_advocate.Session):
def request(self, *args, **kwargs):
if not settings.REQUESTS_ALLOW_REDIRECTS:
kwargs.update({"allow_redirects": False})
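Review bot: `from advocate.exceptions import UnacceptableAddressException` runs unconditionally, so importing `redash.utils.requests_session` now requires `advocate` even when `ENFORCE_PRIVATE_ADDRESS_BLOCK` is off, while the diffstat adds the dependency only to `requirements_all_ds.txt`; an installation without the data-source extras would fail at import time instead of degrading to plain `requests`. Move the exception import under the `if` branch and provide a never-raised fallback class in the `else` branch so the handlers in the query runners still have a real name to catch. The choice between `advocate` and `requests` is also made once at import time, so flipping the setting needs a process restart; a comment on the `if` should say so. Whether the `import requests` on the first line is still needed depends on code below the hunk.
```python
if settings.ENFORCE_PRIVATE_ADDRESS_BLOCK:
    # Evaluated once at import: changing ENFORCE_PRIVATE_ADDRESS_BLOCK requires a restart.
    import advocate as requests_or_advocate
    from advocate.exceptions import UnacceptableAddressException
else:
    import requests as requests_or_advocate

    class UnacceptableAddressException(Exception):
        """Placeholder so handlers can reference it; never raised when blocking is disabled."""

# … unchanged: ConfiguredSession …
```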
1 change: 1 addition & 0 deletions requirements_all_ds.txt
Expand Up @@ -41,3 +41,4 @@ cmem-cmempy==21.2.3
xlrd==2.0.1
openpyxl==3.0.7
firebolt-sqlalchemy
advocate==1.0.0
6 changes: 3 additions & 3 deletions tests/query_runner/test_http.py
@@ -1,7 +1,7 @@
import mock
from unittest import TestCase

from redash.utils.requests_session import requests, ConfiguredSession
from redash.utils.requests_session import requests_or_advocate, ConfiguredSession
from redash.query_runner import BaseHTTPQueryRunner


Expand Down Expand Up @@ -84,7 +84,7 @@ def test_get_response_httperror_exception(self, mock_get):
mock_response = mock.Mock()
mock_response.status_code = 500
mock_response.text = "Server Error"
http_error = requests.HTTPError()
http_error = requests_or_advocate.HTTPError()
mock_response.raise_for_status.side_effect = http_error
mock_get.return_value = mock_response

Expand All @@ -101,7 +101,7 @@ def test_get_response_requests_exception(self, mock_get):
mock_response.status_code = 500
mock_response.text = "Server Error"
exception_message = "Some requests exception"
requests_exception = requests.RequestException(exception_message)
requests_exception = requests_or_advocate.RequestException(exception_message)
mock_response.raise_for_status.side_effect = requests_exception
mock_get.return_value = mock_response

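Review bot: Neither updated test exercises the new `except UnacceptableAddressException` branch in `get_response`; the two visible hunks only rename `requests` to `requests_or_advocate`. A test that makes the patched `get` raise `UnacceptableAddressException("...")` and asserts the returned error is `"Can't query private addresses."` would pin the behaviour this advisory fix introduces. The file may contain such a test below the visible hunks; if not, it should be added alongside these.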
