fix: remove unsafe-eval CSP (ENG-3437) #56
base: stacklet/integration
Conversation
Signed-off-by: Wayne Witzel III <[email protected]>
Makes the JWT support more flexible by allowing the claim which contains the user info configurable, rather than being hard-coded to `email`.
Add support for sending failed authentication to an external URL when using JWT.
Now that the JWT token includes the stacklet permissions, we can add or remove the Redash admin group based on whether the user is an admin (has `system: write` permission) in Stacklet.
Surface invalid token errors to user instead of treating them the same as "not logged in". Part of: [PLATFORM-2679][] [PLATFORM-2679]: https://stacklet.atlassian.net/browse/PLATFORM-2679
Depending on the identity provider's configuration, the email address (identity) might be present in several different fields. Add logic to be more forgiving of where it is collected from. Fixes [PLATFORM-2688](https://stacklet.atlassian.net/browse/PLATFORM-2688)
In PR #31, invalid token errors were changed to surface rather than be ignored. However, since expired tokens weren't handled separately, they were inadvertently included and surfaced as errors when that specific case of "invalid" should actually just be treated as unauthorized (i.e., ignored) and redirected to the Console to be replaced / updated.
Add Segment tracking code to get analytics data for Redash usage. Fixes: [PLATFORM-2626](https://stacklet.atlassian.net/browse/PLATFORM-2626)
Not sure how we haven't hit this before, but it appears that having a query with a schedule value detailed enough to include a time component rather than just a weekday triggers a bug in the moment date library which blows up the Redash UI. This works around it to avoid that error. Fixes: [ENG-859](https://stacklet.atlassian.net/browse/ENG-859)
* chore: change styling to match stacklet (ENG-966) Adjust colors and logos / icons to match Stacklet branding. Fixes: [ENG-966](https://stacklet.atlassian.net/browse/ENG-966) * Fix navbar bg color
* Handle unsupported data source schema refreshes as skips * Check and log missing periodic jobs
PR #42 added the check for expected periodic jobs to the worker health check, but that doesn't actually help because it restarts the worker process rather than the scheduler process. This creates a health check for the scheduler and moves the periodic jobs check to that. Fixes: [ENG-2154](https://stacklet.atlassian.net/browse/ENG-2154)
Sometimes the task for the existing scheduler takes a bit of time to terminate / cleanup, which can leave the scheduler not running. This adds additional retries and some waiting to give it time to take over as the active scheduler.
…5) (#45) * feat: add db_role to user model (ENG-2473) Part of the Row Level Security (RLS) changes. * Fix is_db_empty check not accounting for schema prefix * Fix DB upgrades not being run * Add db_role to QueryResults as well (ENG-2475)
Add the row-level security policy to prevent users from seeing query results that they should not.
…8) (#47) If the current user has a `db_role`, they should only see query results that they have generated, so that they don't see results which contain info about resources they don't have permission to view.
* feat: use per-user db role for query exec (ENG-2474) Login with per-user PG database role, if available, to ensure that RLS policies are applied to user queries. * Reject login from unknown SSO users * Use pre-filtered query for QueryResults rather than session-level `set role` * Add docstring with non-obvious context
* chore: RIOT double-install cleanup (ENG-2706) Remove duplicate superuser and builtin groups. * make sure we have exactly one org and user * make sure we no-op in non-riot deployments
* chore(deps): upgrade dompurify (security), axios-auth-refresh - upgrade to latest dompurify on 2.x branch (2.4.7) - upgrade axios-auth-refresh as axios dep version no longer on registry * Update lockfile to fix build error --------- Co-authored-by: Cory Johns <[email protected]>
Public dashboard URLs use the `ApiUser` class rather than `User` which doesn't have the `db_role` attribute. We handle this in most places, but a couple got missed. This prevents public dashboards from properly refreshing their data. Part of: [ENG-3212](https://stacklet.atlassian.net/browse/ENG-3212)
This reverts commit 39cdd33.
# for more information. E.g.: | ||
CONTENT_SECURITY_POLICY = os.environ.get( | ||
"REDASH_CONTENT_SECURITY_POLICY", | ||
"default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval' *.segment.com *.segment.io *.hotjar.com *.hotjar.io; connect-src 'self' *.segment.com *.segment.io *.hotjar.com *.hotjar.io wss://*.hotjar.com wss://*.hotjar.io; font-src 'self' data:; img-src 'self' http: https: data: blob:; object-src 'none'; frame-ancestors 'none'; frame-src redash.io *.segment.com *.segment.io *.hotjar.com *.hotjar.io;", |
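Review bot: the default policy on the `CONTENT_SECURITY_POLICY` line still lists `'unsafe-eval'` in `script-src`, which is the keyword the PR title says is being removed; if, as the later comment says, eval is only needed in dev mode, drop it from this default and append it only under the debug setting so the production header is the strict one. Two smaller points on the same line: `style-src` keeps `'unsafe-inline'` and `img-src` allows any `http:` origin, both outside this finding but worth a follow-up, and because the value is read from `REDASH_CONTENT_SECURITY_POLICY` an operator can reintroduce `'unsafe-eval'` through the environment, so the deployment config should be checked as well as this default.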
I believe this is the only change needed to satisfy the resolution of the pentest finding as it only mentions the header, not any calls to eval within redash - we shouldn't need to touch any of the redash libraries. I don't see any indication in the segment or hotjar docs that unsafe-eval is required.
a2e3050 to 9fe384f
As discussed in bug, it looks like this may only be necessary for dev mode.
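A way to check and gate this, as an added example that is neither Redash's nor Stacklet's code: it parses a CSP header into its directives, reports whether the effective `script-src` contains `'unsafe-eval'` or `'unsafe-inline'`, and builds the policy so that `'unsafe-eval'` is appended only when a hypothetical `REDASH_DEBUG` flag is set. The base policy is constructed here to mirror the shape of the settings line in this PR with the eval keyword removed; the third-party hosts are the ones the page lists.

```python
"""Parse a Content-Security-Policy header and gate 'unsafe-eval' on dev mode.

Added example, not Redash's or Stacklet's code. Assumes the header is read
from REDASH_CONTENT_SECURITY_POLICY the way the settings line in the PR does,
and that a hypothetical REDASH_DEBUG=1 flag marks a dev deployment.
"""
import os
from typing import Dict, List, Optional

# Constructed hardened default: same directives as the PR's policy, but with
# 'unsafe-eval' absent from script-src.
BASE_POLICY = (
    "default-src 'self'; "
    "style-src 'self' 'unsafe-inline'; "
    "script-src 'self' *.segment.com *.segment.io *.hotjar.com *.hotjar.io; "
    "connect-src 'self' *.segment.com *.segment.io *.hotjar.com *.hotjar.io "
    "wss://*.hotjar.com wss://*.hotjar.io; "
    "font-src 'self' data:; "
    "img-src 'self' http: https: data: blob:; "
    "object-src 'none'; "
    "frame-ancestors 'none'; "
    "frame-src redash.io *.segment.com *.segment.io *.hotjar.com *.hotjar.io;"
)

WEAK_KEYWORDS = ("'unsafe-eval'", "'unsafe-inline'")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are ';'-separated; the first token of each is the directive
    name and the rest are its sources. Empty fragments are ignored, and a
    repeated directive keeps its first occurrence, which is what browsers do.
    """
    policy: Dict[str, List[str]] = {}
    for fragment in header.split(";"):
        tokens = fragment.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)
    return policy


def serialize_csp(policy: Dict[str, List[str]]) -> str:
    """Rebuild a header string from the parsed form, one directive per ';'."""
    return "; ".join(f"{name} {' '.join(srcs)}".rstrip() for name, srcs in policy.items()) + ";"


def effective_script_src(policy: Dict[str, List[str]]) -> List[str]:
    """script-src if present, else default-src, mirroring CSP fallback rules."""
    return policy.get("script-src", policy.get("default-src", []))


def build_csp(debug: bool, base: str = BASE_POLICY) -> str:
    """Return the policy, adding 'unsafe-eval' to script-src only in debug mode."""
    if not debug:
        return base
    policy = parse_csp(base)
    policy["script-src"] = effective_script_src(policy) + ["'unsafe-eval'"]
    return serialize_csp(policy)


def csp_findings(header: str) -> List[str]:
    """Return the weak keywords present in the effective script-src, sorted."""
    script = effective_script_src(parse_csp(header))
    return sorted(keyword for keyword in WEAK_KEYWORDS if keyword in script)


def csp_from_env(debug: Optional[bool] = None) -> str:
    """Mirror the settings pattern: env override wins, else the built default."""
    if debug is None:
        debug = os.environ.get("REDASH_DEBUG", "") == "1"  # hypothetical flag
    return os.environ.get("REDASH_CONTENT_SECURITY_POLICY", build_csp(debug))


if __name__ == "__main__":
    for mode in (False, True):
        print(f"debug={mode}: script-src findings = {csp_findings(build_csp(mode))}")
```

`csp_findings` is the check to run against whatever header the deployment actually serves, since the environment override can still reintroduce the keyword regardless of what the default in settings says.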