feat(embedded): enforce allow domains (#20251)
* feat(embedded): enforce allow domains * check referrer in view * remove frontend check
This commit is contained in:
parent
9f74fb7a84
commit
f53018c7c5
@ -17,9 +17,10 @@
|
|||||||
import json
|
import json
|
||||||
from typing import Callable
|
from typing import Callable
|
||||||
|
|
||||||
from flask import abort
|
from flask import abort, request
|
||||||
from flask_appbuilder import expose
|
from flask_appbuilder import expose
|
||||||
from flask_login import AnonymousUserMixin, LoginManager
|
from flask_login import AnonymousUserMixin, LoginManager
|
||||||
|
from flask_wtf.csrf import same_origin
|
||||||
|
|
||||||
from superset import event_logger, is_feature_enabled, security_manager
|
from superset import event_logger, is_feature_enabled, security_manager
|
||||||
from superset.embedded.dao import EmbeddedDAO
|
from superset.embedded.dao import EmbeddedDAO
|
||||||
@ -50,9 +51,20 @@ class EmbeddedView(BaseSupersetView):
|
|||||||
abort(404)
|
abort(404)
|
||||||
|
|
||||||
embedded = EmbeddedDAO.find_by_id(uuid)
|
embedded = EmbeddedDAO.find_by_id(uuid)
|
||||||
|
|
||||||
if not embedded:
|
if not embedded:
|
||||||
abort(404)
|
abort(404)
|
||||||
|
|
||||||
|
# validate request referrer in allowed domains
|
||||||
|
is_referrer_allowed = not embedded.allowed_domains
|
||||||
|
for domain in embedded.allowed_domains:
|
||||||
|
if same_origin(request.referrer, domain):
|
||||||
|
is_referrer_allowed = True
|
||||||
|
break
|
||||||
|
|
||||||
|
if not is_referrer_allowed:
|
||||||
|
abort(403)
|
||||||
|
|
||||||
# Log in as an anonymous user, just for this view.
|
# Log in as an anonymous user, just for this view.
|
||||||
# This view needs to be visible to all users,
|
# This view needs to be visible to all users,
|
||||||
# and building the page fails if g.user and/or ctx.user aren't present.
|
# and building the page fails if g.user and/or ctx.user aren't present.
|
||||||
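Review bot: `request.referrer` is None whenever the browser sends no Referer header (for example when the embedding page sets a `no-referrer` Referrer-Policy), and `same_origin(None, domain)` then evaluates false because urlparse of None yields no scheme or host, so a dashboard embedded from a legitimately allowed origin is rejected with 403 while an empty allow-list still admits every caller; worth extending the `# validate request referrer in allowed domains` comment to say that this check is only as strong as the client-supplied Referer and that a frame-ancestors CSP remains the enforceable control. Also `same_origin` compares scheme, hostname and port, so an `allowed_domains` entry must be a full origin such as `https://example.com` — a bare hostname never matches — which should be documented on the field or in this comment. The loop-and-flag reads more directly as one expression: `is_referrer_allowed = not embedded.allowed_domains or any(same_origin(request.referrer, d) for d in embedded.allowed_domains)`. The enclosing `embedded` view method starts before and ends after this hunk.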
|