Skip to content

Commit

Permalink
feat(embedded): enforce allow domains (apache#20251)
Browse files Browse the repository at this point in the history
* feat(embedded): enforce allow domains

* check referrer in view

* remove frontend check
  • Loading branch information
Lily Kuang authored and akshatsri committed Jul 19, 2022
1 parent 78444a9 commit fb46c52
Showing 1 changed file with 13 additions and 1 deletion.
14 changes: 13 additions & 1 deletion superset/embedded/view.py
Original file line number Diff line number Diff line change
Expand Up @@ -17,9 +17,10 @@
import json
from typing import Callable

from flask import abort
from flask import abort, request
from flask_appbuilder import expose
from flask_login import AnonymousUserMixin, LoginManager
from flask_wtf.csrf import same_origin

from superset import event_logger, is_feature_enabled, security_manager
from superset.embedded.dao import EmbeddedDAO
Expand Down Expand Up @@ -50,9 +51,20 @@ def embedded(
abort(404)

embedded = EmbeddedDAO.find_by_id(uuid)

if not embedded:
abort(404)

# validate request referrer in allowed domains
is_referrer_allowed = not embedded.allowed_domains
for domain in embedded.allowed_domains:
if same_origin(request.referrer, domain):
is_referrer_allowed = True
break

if not is_referrer_allowed:
abort(403)

# Log in as an anonymous user, just for this view.
# This view needs to be visible to all users,
# and building the page fails if g.user and/or ctx.user aren't present.
Expand Down

0 comments on commit fb46c52

Please sign in to comment.