Reverted pivottable upgrade to remove XSS vulnerability #637
Conversation
Nice catch. Merging. Once your PR to pivottable gets merged, I'll revert this. @jbencook FYI.

Reverted pivottable upgrade to remove XSS vulnerability

Hi there, I'm the author/maintainer of PivotTable.js and I sincerely apologize for the oversight in my library's documentation which led to this situation. I'm working on a way forward which should sort this out. Nicolas

@nicolaskruchten thank you for your efforts on this, and your work on PivotTable.js in general.

You're welcome! I've merged a version of the patch and released v2.0.0 so you guys can upgrade to that version if you feel it meets your security requirements and if the new features since v1.4.0 are worth it :)

Just checking in on this and seeing that you're still tracking version 1.1.1 instead of version 2.0.0 ... Anything more I can do upstream to get you guys to upgrade to the latest version? The visualizations are much-improved in 2.0.0 compared to 1.1.1 :)

@nicolaskruchten somehow I missed this :-( I will upgrade soon. Thanks for your efforts with this!

@nicolaskruchten finally upgraded to latest (2.0.2) and even improved the support of PivotTable.js in Re:dash -- it's now a regular visualization, that users can save and use as widgets on dashboards. Thanks again for this great library!

That's great! Redash is pretty cool and I'm thinking about ways to integrate it into the product I manage at Datacratic, which is MLDB, the Machine Learning Database. Check it out at http://mldb.ai/ and let me know if you think it would be a good fit for Redash or vice versa :)

The easiest thing to start with will be to add MLDB as a data source in Re:dash, so your users can use Re:dash as a "frontend" for MLDB. Your documentation is very good and I can create the needed query runner in ~30 minutes, if you can provide me with a running instance of MLDB I can connect to.
For the past week, we have had some HackerOne researchers attacking our system. On Monday, we discovered an XSS attack that was dormant in our database was running inside of `redash`. The most simplified example I can give is a PostgreSQL query:

When it's run, we see an `alert` popup on the page (scary):

After some sleuthing, we found out it came from a `pivottable` upgrade between `v0.8.1-rc` and `v0.8.1.b1110`. During `pivottable@1.4.0`, they introduced better localization support but moved to HTML methods. We have submitted a PR to resolve this: nicolaskruchten/pivottable#401

In order to get everyone back to a non-vulnerable state ASAP, we suggest either:

- `v0.8.0`
- `pivottable` upgrade (until the PR is landed/released)

This PR takes care of the latter option:

- `pivottable@1.6.3` upgrade and removes new exporters
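The failure mode described above, as an added illustration that is not Redash or PivotTable.js code: a tiny pivot renderer whose cell output goes through either an HTML-style path (the raw string is interpolated into markup, as jQuery's `.html()` or `innerHTML` would do) or a text-style path that escapes first. The `pivot`, `renderPivot`, `asHtml` and `asText` names and the sample rows are constructed for this example.

```javascript
// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// Group rows by `key` and sum `val`: a minimal pivot aggregation over query results.
function pivot(rows, key, val) {
  const totals = new Map();
  for (const row of rows) {
    totals.set(row[key], (totals.get(row[key]) || 0) + Number(row[val]));
  }
  return totals;
}

// Render the pivot as an HTML table string. `cell` decides how a label reaches
// the page: the html path trusts the database value, the text path escapes it.
function renderPivot(totals, cell) {
  let out = "<table>";
  for (const [label, sum] of totals) {
    out += `<tr><th>${cell(label)}</th><td>${cell(sum)}</td></tr>`;
  }
  return out + "</table>";
}

const asHtml = (v) => String(v);     // vulnerable: query data becomes markup
const asText = (v) => escapeHtml(v); // hardened: query data stays text

// Constructed sample: one row label carries markup, as a stored-XSS value would.
const sampleRows = [
  { region: "north", sales: 10 },
  { region: "<script>alert(1)</script>", sales: 5 },
  { region: "north", sales: 7 },
];

// True when the rendered markup still contains a live <script> tag.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

function demo() {
  const totals = pivot(sampleRows, "region", "sales");
  return { unsafe: renderPivot(totals, asHtml), safe: renderPivot(totals, asText) };
}
```

Rendering a result set with text methods is the rule to check for in any client-side table or chart library, not only this one; a value from the database should never reach the DOM as markup.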