Impact

The current implementation of URL-loading data sources like JSON, CSV, or Excel is vulnerable to advanced methods of Server Side Request Forgery (SSRF). These vulnerabilities are only exploitable on installations where a URL-loading data source is enabled.

Our thanks to Ian Carroll (@iangcarroll on Github) for responsibly disclosing this vulnerability.

Patches

The current master and release/10.x.x branches address this by applying the Advocate library for making http requests instead of the requests library directly. Users should upgrade to version 10.1 to receive this patch. For Docker installations, you can upgrade to Docker Tag redash/redash:10.1.0.b50633.

Workarounds

To mitigate the vulnerability without upgrading:

1. You can disable the vulnerable data sources entirely, by adding the following env variable to your configuration. This will make them unavailable inside the webapp.

REDASH_DISABLED_QUERY_RUNNERS = "redash.query_runner.excel,redash.query_runner.csv,redash.query_runner.json_ds,redash.query_runner.url,redash.query_runner.drill,redash.query_runner.jira"

2. You can switch any data source of the following types to be "View Only" for all groups on the Settings > Groups > Data Sources screen:

• JSON
• CSV
• Excel
• Apache Drill
• Jira
• URL

For more information

If you have any questions or comments about this advisory:

• Open an issue in getredash/redash if you believe further development is needed.
• Start a thread in the forum.