* [build] fix pip install issues on OSX High Sierra
I think requirements.txt was out-of-sync as well.
Also had to:
```
export LDFLAGS="-L/usr/local/opt/openssl/lib"
export CPPFLAGS="-I/usr/local/opt/openssl/include"
export PKG_CONFIG_PATH="/usr/local/opt/openssl/lib/pkgconfig"
```
* Fix click
* Deprecate support for Python < 3.6
This is a first step, beyond this we can:
* remove all from future imports
* remove 'six' lib as a dependency
* start using f-strings
* enjoy ourselves
* fix tox
* Rebasing
* fix
* Migrate flask_script to the Flask built-in click.
Flask 0.11 is the built-in integration of the click command line interface.
Flask-Migrate support for the new Flask CLI based on Click after Release 2.0.0.
* Resolved merge conflicts.
* Fixed issue introduced from bad merge.
* Fixed flake8 errors, added build to excluded flake8 stuff.
* Moved the FlaskGroup declaration to the driver script.
* Moved shell context definition to cli.py
* Switched shell context definition to use decorator.
* Moved create_app definition to cli.py
* Fixed InvocationError with a wrapped function
* Added extra newlines between functions
* Removed flask-script dependency.
Moving to using Twine to upload to pypi and fixing up the markdown
support so that the page on Pypi looks like the README on Github.
This has been tested on the 0.26 branch starting 0.26.3
When receiving a VARBINARY field out of Presto, it shows up as type
`bytes` out of the pyhive driver. Then the pre 3.15 version of
simplejson attempts to convert it to utf8 by default and it craps out.
I bumped to simplejson>=3.25.0 and set `encoding=None` as documented
here https://simplejson.readthedocs.io/en/latest/#basic-usage so that we can
handle bytes on our own.
* Bump celery to 4.1.1
Docs reference `celery worker --app=superset.sql_lab:celery_app --pool=gevent -Ofair`
command which seems only to work with Celery 4.1.1
* Add UPDATING.md message
It appears the officially maintained fork of flask-cache is
flask-caching https://github.com/sh4nks/flask-caching . It is fully
compatible with flask-cache.
* Fix 'pip install .'
Fix error:
> flask-appbuilder 1.10.0 has requirement Flask-SQLAlchemy==2.1,
> but you'll have flask-sqlalchemy 2.3.2 which is incompatible.
> botocore 1.10.5 has requirement python-dateutil<2.7.0,>=2.1, but you'll
> have python-dateutil 2.7.2 which is incompatible.
* remove flask-sqlalchemy==2.1 from reqs.txt
* Switched yaml.load to yaml.safe_load to prevent code execution via crafted yaml files
Python's yaml.load can lead to code execution via crafted yaml files such as:
```
code_exec: !!python/object/apply:subprocess.check_output ['ls']
```
* Fixed XSS via bleach
It was possible to get an XSS via the markdown library by simply setting a description containing arbitrary HTML tags.
It was also possible to create links that went to the `javascript:` link handler (e.g. `[example](javascript:alert(0)`)
Using bleach to sanitize it solves both of these.
* Added XFO header by default to prevent clickjacking attacks
Note that with this application clickjacking can be relatively severe via the SQLLab functionality
which allows executing arbitrary SQL.
* Added justification for dangerouslySetInnerHTML
* Fixed linting errors
* Fixed linting errors
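
The `yaml.safe_load` change described above, as an added example that is not code from the project or the commit: it audits a YAML document for `!!python/` tags using parser events only (nothing is constructed), then loads it with `safe_load`. The function names and the benign sample document are assumptions made for illustration; the crafted sample is the one quoted in the commit message. It requires PyYAML.

```python
import yaml
from yaml.constructor import ConstructorError

# "!!" is shorthand for this prefix; python/* tags name Python objects/callables.
PYTHON_TAG_PREFIX = "tag:yaml.org,2002:python/"

# Constructed sample inputs: the payload quoted in the commit message above,
# and a benign document (hypothetical keys).
CRAFTED = "code_exec: !!python/object/apply:subprocess.check_output ['ls']\n"
BENIGN = "databases:\n  - name: examples\n    description: sample data\n"


def find_python_tags(text):
    """Return the python/* tags in a YAML document without building objects.

    yaml.parse() only emits parser events, so no constructor (and therefore
    no callable named in a tag) is ever invoked while scanning.
    """
    tags = []
    for event in yaml.parse(text, Loader=yaml.SafeLoader):
        tag = getattr(event, "tag", None)  # untagged nodes carry tag=None
        if tag and tag.startswith(PYTHON_TAG_PREFIX):
            tags.append(tag)
    return tags


def load_untrusted_yaml(text):
    """Load untrusted YAML with safe_load, which only knows plain data types.

    Tags outside the safe set raise ConstructorError; it is re-raised as
    ValueError so callers can reject the upload without importing yaml errors.
    """
    try:
        return yaml.safe_load(text)
    except ConstructorError as exc:
        raise ValueError(f"rejected YAML: {exc.problem}") from exc


if __name__ == "__main__":
    print(find_python_tags(CRAFTED))
    print(load_untrusted_yaml(BENIGN))
    try:
        load_untrusted_yaml(CRAFTED)
    except ValueError as err:
        print(err)
```
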