diff --git a/RESOURCES/FEATURE_FLAGS.md b/RESOURCES/FEATURE_FLAGS.md index c19fac7b06947..69f8f8a5a691d 100644 --- a/RESOURCES/FEATURE_FLAGS.md +++ b/RESOURCES/FEATURE_FLAGS.md @@ -43,6 +43,7 @@ These features are **finished** but currently being tested. They are usable, but - GLOBAL_ASYNC_QUERIES [(docs)](https://github.com/apache/superset/blob/master/CONTRIBUTING.md#async-chart-queries) - OMNIBAR - VERSIONED_EXPORT +- ENABLE_JAVASCRIPT_CONTROLS ## Stable These features flags are **safe for production** and have been tested. diff --git a/UPDATING.md b/UPDATING.md index 2df0b3bdcb329..977a63ac54b16 100644 --- a/UPDATING.md +++ b/UPDATING.md @@ -28,6 +28,7 @@ assists people when migrating to a new version. ### Breaking Changes +- [19113](https://github.com/apache/superset/pull/19113): The `ENABLE_JAVASCRIPT_CONTROLS` setting has moved from app config to a feature flag. Any deployments who overrode this setting will now need to override the feature flag from here onward. - [18976](https://github.com/apache/superset/pull/18976): When running the app in debug mode, the app will default to use `SimpleCache` for `FILTER_STATE_CACHE_CONFIG` and `EXPLORE_FORM_DATA_CACHE_CONFIG`. When running in non-debug mode, a cache backend will need to be defined, otherwise the application will fail to start. For installations using Redis or other caching backends, it is recommended to use the same backend for both cache configs. - [17881](https://github.com/apache/superset/pull/17881): Previously simple adhoc filter values on string columns were stripped of enclosing single and double quotes. To fully support literal quotes in filters, both single and double quotes will no longer be removed from filter values. - [17984](https://github.com/apache/superset/pull/17984): Default Flask SECRET_KEY has changed for security reasons. You should always override with your own secret. Set `PREVIOUS_SECRET_KEY` (ex: PREVIOUS_SECRET_KEY = "\2\1thisismyscretkey\1\2\\e\\y\\y\\h") with your previous key and use `superset re-encrypt-secrets` to rotate you current secrets diff --git a/superset-frontend/packages/superset-ui-core/src/utils/featureFlags.ts b/superset-frontend/packages/superset-ui-core/src/utils/featureFlags.ts index cab4f72741167..8ed617cc3e631 100644 --- a/superset-frontend/packages/superset-ui-core/src/utils/featureFlags.ts +++ b/superset-frontend/packages/superset-ui-core/src/utils/featureFlags.ts @@ -49,6 +49,7 @@ export enum FeatureFlag { ENABLE_DND_WITH_CLICK_UX = 'ENABLE_DND_WITH_CLICK_UX', FORCE_DATABASE_CONNECTIONS_SSL = 'FORCE_DATABASE_CONNECTIONS_SSL', ENABLE_TEMPLATE_REMOVE_FILTERS = 'ENABLE_TEMPLATE_REMOVE_FILTERS', + ENABLE_JAVASCRIPT_CONTROLS = 'ENABLE_JAVASCRIPT_CONTROLS', DASHBOARD_RBAC = 'DASHBOARD_RBAC', ALERTS_ATTACH_REPORTS = 'ALERTS_ATTACH_REPORTS', ALLOW_FULL_CSV_EXPORT = 'ALLOW_FULL_CSV_EXPORT', diff --git a/superset-frontend/plugins/legacy-preset-chart-deckgl/src/utilities/Shared_DeckGL.jsx b/superset-frontend/plugins/legacy-preset-chart-deckgl/src/utilities/Shared_DeckGL.jsx index b801338f0c285..f665c118eaccb 100644 --- a/superset-frontend/plugins/legacy-preset-chart-deckgl/src/utilities/Shared_DeckGL.jsx +++ b/superset-frontend/plugins/legacy-preset-chart-deckgl/src/utilities/Shared_DeckGL.jsx @@ -20,7 +20,12 @@ // These are control configurations that are shared ONLY within the DeckGL viz plugin repo. import React from 'react'; -import { t, validateNonEmpty } from '@superset-ui/core'; +import { + FeatureFlag, + isFeatureEnabled, + t, + validateNonEmpty, +} from '@superset-ui/core'; import { D3_FORMAT_OPTIONS, sharedControls } from '@superset-ui/chart-controls'; import { columnChoices, PRIMARY_COLOR } from './controls'; @@ -66,15 +71,12 @@ function jsFunctionControl( {extraDescr} ), - mapStateToProps: state => ({ - // eslint-disable-next-line no-negated-condition - warning: !state.common.conf.ENABLE_JAVASCRIPT_CONTROLS - ? t( - 'This functionality is disabled in your environment for security reasons.', - ) - : null, - readOnly: !state.common.conf.ENABLE_JAVASCRIPT_CONTROLS, - }), + warning: !isFeatureEnabled(FeatureFlag.ENABLE_JAVASCRIPT_CONTROLS) + ? t( + 'This functionality is disabled in your environment for security reasons.', + ) + : null, + readOnly: !isFeatureEnabled(FeatureFlag.ENABLE_JAVASCRIPT_CONTROLS), }; } diff --git a/superset-frontend/spec/fixtures/mockDashboardInfo.js b/superset-frontend/spec/fixtures/mockDashboardInfo.js index 4aaba5a52cfa2..c11ec7f88a35d 100644 --- a/superset-frontend/spec/fixtures/mockDashboardInfo.js +++ b/superset-frontend/spec/fixtures/mockDashboardInfo.js @@ -34,6 +34,6 @@ export default { dash_save_perm: true, common: { flash_messages: [], - conf: { ENABLE_JAVASCRIPT_CONTROLS: false, SUPERSET_WEBSERVER_TIMEOUT: 60 }, + conf: { SUPERSET_WEBSERVER_TIMEOUT: 60 }, }, }; diff --git a/superset/config.py b/superset/config.py index c6f2269b94e61..6579719ea81cc 100644 --- a/superset/config.py +++ b/superset/config.py @@ -374,6 +374,11 @@ def _try_json_readsha(filepath: str, length: int) -> Optional[str]: "ENABLE_EXPLORE_JSON_CSRF_PROTECTION": False, "ENABLE_TEMPLATE_PROCESSING": False, "ENABLE_TEMPLATE_REMOVE_FILTERS": False, + # Allow for javascript controls components + # this enables programmers to customize certain charts (like the + # geospatial ones) by inputing javascript in controls. This exposes + # an XSS security vulnerability + "ENABLE_JAVASCRIPT_CONTROLS": False, "KV_STORE": False, # When this feature is enabled, nested types in Presto will be # expanded into extra columns and/or arrays. This is experimental, @@ -1021,12 +1026,6 @@ def CSV_TO_HIVE_UPLOAD_DIRECTORY_FUNC( # pylint: disable=invalid-name # } ALLOWED_EXTRA_AUTHENTICATIONS: Dict[str, Dict[str, Callable[..., Any]]] = {} -# Allow for javascript controls components -# this enables programmers to customize certain charts (like the -# geospatial ones) by inputing javascript in controls. This exposes -# an XSS security vulnerability -ENABLE_JAVASCRIPT_CONTROLS = False - # The id of a template dashboard that should be copied to every new user DASHBOARD_TEMPLATE_ID = None diff --git a/superset/views/utils.py b/superset/views/utils.py index cac0c4f7465f0..17ec6ea1088c9 100644 --- a/superset/views/utils.py +++ b/superset/views/utils.py @@ -40,7 +40,7 @@ SupersetException, SupersetSecurityException, ) -from superset.extensions import cache_manager, security_manager +from superset.extensions import cache_manager, feature_flag_manager, security_manager from superset.legacy import update_time_range from superset.models.core import Database from superset.models.dashboard import Dashboard @@ -55,7 +55,7 @@ REJECTED_FORM_DATA_KEYS: List[str] = [] -if not app.config["ENABLE_JAVASCRIPT_CONTROLS"]: +if not feature_flag_manager.is_feature_enabled("ENABLE_JAVASCRIPT_CONTROLS"): REJECTED_FORM_DATA_KEYS = ["js_tooltip", "js_onclick_href", "js_data_mutator"]