
Reverted pivottable upgrade to remove XSS vulnerability #637 (Merged)

@twolfson (Contributor) commented Nov 3, 2015

For the past week, we have had some HackerOne researchers attacking our system. On Monday, we discovered an XSS attack that had been dormant in our database and was running inside of redash. The most simplified example I can give is a PostgreSQL query:

SELECT '<script>alert(1)</script>';

When it's run, we see an alert popup on the page (scary):

[screenshot, 2015-11-03: the alert popup rendered on the query page]

After some sleuthing, we found out it came from a pivottable upgrade between v0.8.1-rc and v0.8.1.b1110. During pivottable@1.4.0, they introduced better localization support but moved to HTML methods. We have submitted a PR to resolve this:

nicolaskruchten/pivottable#401

In order to get everyone back to a non-vulnerable state ASAP, we suggest either:

This PR takes care of the latter option:

  • Reverts the commit that introduced the pivottable@1.6.3 upgrade and removes the new exporters
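The defect described above is the classic one: query results are trusted strings to the renderer, so a cell value that happens to contain markup is inserted into the page as HTML instead of as text. The following is an added illustration, not code from redash or from PivotTable.js: a minimal table renderer in its unsafe and hardened forms, plus the kind of regression check that would flag the problem in a test suite. The renderer, the `escapeHtml` helper, the `foreignTags` check and the sample rows are all constructed here; the only value taken from the page is the `alert(1)` payload from the PR description.

```javascript
// Added example (not redash's or PivotTable.js's code): how interpolating a
// query result into markup differs from escaping it, and a regression check
// that catches the unsafe variant. Renderer and sample rows are constructed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every character that has meaning in HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable renderer: cell values are concatenated straight into the markup,
// which is what an HTML-setting method does with a string that contains tags.
function renderTableUnsafe(rows) {
  const body = rows
    .map((row) => '<tr>' + row.map((cell) => '<td>' + cell + '</td>').join('') + '</tr>')
    .join('');
  return '<table>' + body + '</table>';
}

// Hardened renderer: identical structure, but every value passes through escapeHtml,
// so a result cell is always displayed as text, never interpreted as markup.
function renderTableSafe(rows) {
  const body = rows
    .map((row) => '<tr>' + row.map((cell) => '<td>' + escapeHtml(cell) + '</td>').join('') + '</tr>')
    .join('');
  return '<table>' + body + '</table>';
}

// Regression check: the only tags allowed in the output are the ones the renderer
// itself emits. Any other tag name means a data value reached the page as markup.
const ALLOWED_TAGS = new Set(['table', 'tr', 'td']);
function foreignTags(html) {
  const found = [];
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const name = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) found.push(name);
  }
  return found;
}

// Constructed sample rows: one cell carries the payload from the PR description,
// another carries an ampersand to show escaping is not only about angle brackets.
const SAMPLE_ROWS = [
  ['region', 'label'],
  ['east', '<script>alert(1)</script>'],
  ['west', 'Tom & Jerry'],
];

// Returns the foreign tag names found in each rendering of the sample rows.
function demo() {
  return {
    unsafe: foreignTags(renderTableUnsafe(SAMPLE_ROWS)),
    safe: foreignTags(renderTableSafe(SAMPLE_ROWS)),
  };
}

console.log(demo());
```

Running `demo()` reports `script` twice for the unsafe renderer (opening and closing tag) and nothing for the hardened one. The same `foreignTags` check can be pointed at the real rendered DOM (`element.innerHTML`) in a browser test to guard against a dependency upgrade silently switching from text to HTML methods, which is exactly how this regression entered.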

@arikfr (Member) commented Nov 5, 2015

Nice catch. Merging.

Once your PR to pivottable gets merged, I'll revert this.

@jbencook FYI.

arikfr added a commit that referenced this pull request Nov 5, 2015
Reverted pivottable upgrade to remove XSS vulnerability
@arikfr arikfr merged commit dab1a21 into getredash:master Nov 5, 2015
@twolfson twolfson deleted the dev/explore.regression.sqwished branch November 6, 2015 00:49
@nicolaskruchten commented

Hi there,

I'm the author/maintainer of PivotTable.js and I sincerely apologize for the oversight in my library's documentation which led to this situation. I'm working on a way forward which should sort this out.

Nicolas

@arikfr (Member) commented Nov 13, 2015

@nicolaskruchten thank you for your efforts on this, and your work on PivotTable.js in general.

@nicolaskruchten commented

You're welcome! I've merged a version of the patch and released v2.0.0 so you guys can upgrade to that version if you feel it meets your security requirements and if the new features since v1.4.0 are worth it :)

@nicolaskruchten commented

Just checking in on this and seeing that you're still tracking version 1.1.1 instead of version 2.0.0 ... Anything more I can do upstream to get you guys to upgrade to the latest version? The visualizations are much-improved in 2.0.0 compared to 1.1.1 :)

@arikfr (Member) commented Jan 19, 2016

@nicolaskruchten somehow I missed this :-( I will upgrade soon. Thanks for your efforts with this!

@arikfr (Member) commented Feb 14, 2016

@nicolaskruchten finally upgraded to latest (2.0.2) and even improved the support of PivotTable.js in Re:dash -- it's now a regular visualization that users can save and use as widgets on dashboards.

Thanks again for this great library!

@nicolaskruchten commented

That's great! Redash is pretty cool and I'm thinking about ways to integrate it into the product I manage at Datacratic, which is MLDB, the Machine Learning Database. Check it out at http://mldb.ai/ and let me know if you think it would be a good fit for Redash or vice versa :)

@arikfr (Member) commented Feb 14, 2016

The easiest thing to start with will be to add MLDB as a data source in Re:dash, so your users can use Re:dash as a "frontend" for MLDB.

Your documentation is very good and I can create the needed query runner in ~30 minutes, if you can provide me with a running instance of MLDB I can connect to.
