From d84637ff7586469e63072bf9a129a025660a52df Mon Sep 17 00:00:00 2001 From: Daniel Gaspar Date: Wed, 31 May 2023 14:41:19 +0100 Subject: [PATCH 1/3] fix: enable strong session protection by default --- superset/config.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/superset/config.py b/superset/config.py index dc63146ca86e6..7d9359d14fb0f 100644 --- a/superset/config.py +++ b/superset/config.py @@ -1387,6 +1387,8 @@ def EMAIL_HEADER_MUTATOR( # pylint: disable=invalid-name,unused-argument SESSION_COOKIE_HTTPONLY = True # Prevent cookie from being read by frontend JS? SESSION_COOKIE_SECURE = False # Prevent cookie from being transmitted over non-tls? SESSION_COOKIE_SAMESITE: Optional[Literal["None", "Lax", "Strict"]] = "Lax" +# Accepts None, "basic" and "strong", more details on: https://flask-login.readthedocs.io/en/latest/#session-protection +SESSION_PROTECTION = "strong" # Cache static resources. SEND_FILE_MAX_AGE_DEFAULT = int(timedelta(days=365).total_seconds()) From 7ae54f8072cac2a940343989f7f3f670b543d210 Mon Sep 17 00:00:00 2001 From: Daniel Gaspar Date: Wed, 31 May 2023 16:19:11 +0100 Subject: [PATCH 2/3] add docs --- docs/docs/security.mdx | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/docs/docs/security.mdx b/docs/docs/security.mdx index e6a71c1ac682b..efa77ce406f4d 100644 --- a/docs/docs/security.mdx +++ b/docs/docs/security.mdx @@ -133,6 +133,35 @@ For example, the filters `client_id=4` and `client_id=5`, applied to a role, will result in users of that role having `client_id=4` AND `client_id=5` added to their query, which can never be true. +### User Sessions + +Superset uses [Flask](https://pypi.org/project/Flask/) +and [Flask-Login](https://pypi.org/project/Flask-Login/) for user session management. + +Session cookies are used to maintain session info and user state between requests, +although they do not contain personal user information they serve the purpose of identifying +a user session on the server side. +The session cookie is encrypted with the application `SECRET_KEY` and cannot be read by the client. +So it's very important to keep the `SECRET_KEY` secret and set to a secure unique complex random value. + +Flask and Flask-Login offer a number of configuration options to control session behavior. + +- Relevant Flask settings: + +`SESSION_COOKIE_HTTPONLY`: (default: `False`): Controls if cookies should be set with the `HttpOnly` flag. + +`SESSION_COOKIE_SECURE`: (default: `False`) Browsers will only send cookies with requests over +HTTPS if the cookie is marked “secure”. The application must be served over HTTPS for this to make sense. + +`SESSION_COOKIE_SAMESITE`: (default: "Lax") Prevents the browser from sending this cookie along with cross-site requests. + +`PERMANENT_SESSION_LIFETIME`: (default: "31 days") The lifetime of a permanent session as a `datetime.timedelta` object. + +- Relevant Flask-Login settings: + +`SESSION_PROTECTION`: The method used to protect the session from being stolen. [Documentation](https://flask-login.readthedocs.io/en/latest/#session-protection) +Default: "strong" + ### Content Security Policy (CSP) Superset uses the [Talisman](https://pypi.org/project/flask-talisman/) extension to enable implementation of a From 93367ef3d26c192ceb5ca75db4f199e58a5153be Mon Sep 17 00:00:00 2001 From: Daniel Gaspar Date: Thu, 1 Jun 2023 08:51:15 +0100 Subject: [PATCH 3/3] updated updating --- UPDATING.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/UPDATING.md b/UPDATING.md index c7e2ad3ffb86a..cd4cdf92e6d34 100644 --- a/UPDATING.md +++ b/UPDATING.md @@ -23,9 +23,10 @@ This file documents any backwards-incompatible changes in Superset and assists people when migrating to a new version. ## Next -- [24232](https://github.com/apache/superset/pull/24232) Enables ENABLE_TEMPLATE_REMOVE_FILTERS, DRILL_TO_DETAIL, DASHBOARD_CROSS_FILTERS by default, marks VERSIONED_EXPORT and ENABLE_TEMPLATE_REMOVE_FILTERS as deprecated. -- [23652](https://github.com/apache/superset/pull/23652) Enables GENERIC_CHART_AXES feature flag by default. -- [23226](https://github.com/apache/superset/pull/23226) Migrated endpoint `/estimate_query_cost/` to `/api/v1/sqllab/estimate/`. Corresponding permissions are can estimate query cost on SQLLab. Make sure you add/replace the necessary permissions on any custom roles you may have. +- [24256](https://github.com/apache/superset/pull/24256): `Flask-Login` session validation is now set to `strong` by default. Previous setting was `basic`. +- [24232](https://github.com/apache/superset/pull/24232): Enables ENABLE_TEMPLATE_REMOVE_FILTERS, DRILL_TO_DETAIL, DASHBOARD_CROSS_FILTERS by default, marks VERSIONED_EXPORT and ENABLE_TEMPLATE_REMOVE_FILTERS as deprecated. +- [23652](https://github.com/apache/superset/pull/23652): Enables GENERIC_CHART_AXES feature flag by default. +- [23226](https://github.com/apache/superset/pull/23226): Migrated endpoint `/estimate_query_cost/` to `/api/v1/sqllab/estimate/`. Corresponding permissions are can estimate query cost on SQLLab. Make sure you add/replace the necessary permissions on any custom roles you may have. - [22809](https://github.com/apache/superset/pull/22809): Migrated endpoint `/superset/sql_json` and `/superset/results/` to `/api/v1/sqllab/execute/` and `/api/v1/sqllab/results/` respectively. Corresponding permissions are `can sql_json on Superset` to `can execute on SQLLab`, `can results on Superset` to `can results on SQLLab`. Make sure you add/replace the necessary permissions on any custom roles you may have. - [22931](https://github.com/apache/superset/pull/22931): Migrated endpoint `/superset/get_or_create_table/` to `/api/v1/dataset/get_or_create/`. Corresponding permissions are `can get or create table on Superset` to `can get or create dataset on Dataset`. Make sure you add/replace the necessary permissions on any custom roles you may have. - [22882](https://github.com/apache/superset/pull/22882): Migrated endpoint `/superset/filter////` to `/api/v1/datasource///column//values/`. Corresponding permissions are `can filter on Superset` to `can get column values on Datasource`. Make sure you add/replace the necessary permissions on any custom roles you may have.