Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

refactor: Removes the deprecated ENABLE_EXPLORE_JSON_CSRF_PROTECTION feature flag #26344

Merged

Conversation

michael-s-molina
Copy link
Member

@michael-s-molina michael-s-molina commented Dec 22, 2023

SUMMARY

As part of the 4.0 approved initiatives, this PR removes the ENABLE_EXPLORE_JSON_CSRF_PROTECTION feature flag.

The previous value of the feature flag was False and now the feature is permanently removed.

TESTING INSTRUCTIONS

CI should be sufficient for merging this PR. We'll do a complete testing of 4.0 after all approved proposals are merged.

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

@michael-s-molina michael-s-molina added risk:breaking-change Issues or PRs that will introduce breaking changes hold! On hold v4.0 Label added by the release manager to track PRs to be included in the 4.0 branch labels Dec 22, 2023
Copy link

codecov bot commented Dec 22, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (b06ab7d) 69.07% compared to head (f3a1ccd) 69.06%.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #26344      +/-   ##
==========================================
- Coverage   69.07%   69.06%   -0.02%     
==========================================
  Files        1930     1936       +6     
  Lines       75278    75375      +97     
  Branches     8429     8432       +3     
==========================================
+ Hits        51998    52057      +59     
- Misses      21133    21160      +27     
- Partials     2147     2158      +11     
Flag Coverage Δ
hive 53.56% <100.00%> (-0.01%) ⬇️
mysql 77.80% <100.00%> (-0.04%) ⬇️
postgres 77.90% <100.00%> (-0.04%) ⬇️
presto 53.51% <100.00%> (-0.01%) ⬇️
python 82.74% <100.00%> (-0.04%) ⬇️
sqlite 77.48% <100.00%> (-0.04%) ⬇️
unit 56.02% <100.00%> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@michael-s-molina michael-s-molina changed the title refactor: Removes the ENABLE_EXPLORE_JSON_CSRF_PROTECTION feature flag refactor: Removes the deprecated ENABLE_EXPLORE_JSON_CSRF_PROTECTION feature flag Dec 26, 2023
@michael-s-molina michael-s-molina requested a review from a team December 28, 2023 19:27
@@ -239,8 +239,6 @@ def explore_json_data(self, cache_key: str) -> FlaskResponse:
return json_error_response(utils.error_msg_from_exception(ex), 400)

EXPLORE_JSON_METHODS = ["POST"]
if not is_feature_enabled("ENABLE_EXPLORE_JSON_CSRF_PROTECTION"):
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As this was False by default, shouldn't we keep the EXPLORE_JSON_METHODS.append("GET") ?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice catch! @dpgaspar can you confirm the expected behavior?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@geido Confirmed and added the GET method by default as you suggested.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To my understanding this feature flag would allow explore_json to accept HTTP GETs but still imposing CSRF protection. So when False this endpoint would only accept HTTP POSTs and so would be automatically protected to CSRF. Shouldn't we keep the same behaviour and just allow for POST and be always protected?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To my understanding this feature flag would allow explore_json to accept HTTP GETs but still imposing CSRF protection.

This feature flag was False by default, allowing GET. There's no other control than excluding GET when this feature flag is True.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

missed the not on the feature flag check. Makes sense

@michael-s-molina michael-s-molina marked this pull request as ready for review January 5, 2024 18:54
@michael-s-molina michael-s-molina force-pushed the remove-csrf-protection-ff branch from 8d380f9 to 1ed5013 Compare January 8, 2024 13:50
@@ -239,8 +239,6 @@ def explore_json_data(self, cache_key: str) -> FlaskResponse:
return json_error_response(utils.error_msg_from_exception(ex), 400)

EXPLORE_JSON_METHODS = ["POST"]
if not is_feature_enabled("ENABLE_EXPLORE_JSON_CSRF_PROTECTION"):
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

missed the not on the feature flag check. Makes sense

@michael-s-molina michael-s-molina removed the hold! On hold label Jan 16, 2024
@michael-s-molina michael-s-molina merged commit cf20b34 into apache:master Jan 18, 2024
35 checks passed
Muhammed-baban pushed a commit to intellica-tech/reporting-tool that referenced this pull request Jan 19, 2024
sfirke pushed a commit to sfirke/superset that referenced this pull request Mar 22, 2024
@mistercrunch mistercrunch added 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels 🚢 4.0.0 labels Apr 17, 2024
vinothkumar66 pushed a commit to vinothkumar66/superset that referenced this pull request Nov 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels risk:breaking-change Issues or PRs that will introduce breaking changes size/M v4.0 Label added by the release manager to track PRs to be included in the 4.0 branch 🚢 4.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants