Prevent database connections to sqlite

superset/config.py

@@ -760,6 +760,10 @@ class CeleryConfig:  # pylint: disable=too-few-public-methods
 # SQLALCHEMY_DATABASE_URI by default if set to `None`
 SQLALCHEMY_EXAMPLES_URI = None
 
+# Some sqlalchemy connection strings can open Superset to security risks.
+# Typically these should not be allowed.
+PREVENT_UNSAFE_DB_CONNECTIONS = True
+
 # SIP-15 should be enabled for all new Superset deployments which ensures that the time
 # range endpoints adhere to [start, end). For existing deployments admins should provide
 # a dedicated period of time to allow chart producers to update their charts before

superset/security/analytics_db_safety.py

@@ -0,0 +1,30 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+
+class DBSecurityException(Exception):
+    """ Exception to prevent a security issue with connecting a DB """
+
+    status = 400
+
+
+def check_sqlalchemy_uri(uri):
+    if uri.startswith("sqlite"):
+        # sqlite creates a local DB, which allows mapping server's filesystem
+        raise DBSecurityException(
+            "SQLite database cannot be used as a data source for security reasons."
+        )

superset/views/core.py

@@ -78,6 +78,10 @@
 from superset.models.slice import Slice
 from superset.models.sql_lab import Query, TabState
 from superset.models.user_attributes import UserAttribute
+from superset.security.analytics_db_safety import (
+    check_sqlalchemy_uri,
+    DBSecurityException,
+)
 from superset.sql_parse import ParsedQuery
 from superset.sql_validators import get_validator_by_name
 from superset.utils import core as utils, dashboard_import_export
@@ -1314,6 +1318,8 @@ def testconn(self):
         db_name = request.json.get("name")
         uri = request.json.get("uri")
         try:
+            if app.config.get("PREVENT_UNSAFE_DB_CONNECTIONS"):
+                check_sqlalchemy_uri(uri)
             # if the database already exists in the database, only its safe (password-masked) URI
             # would be shown in the UI and would be passed in the form data.
             # so if the database already exists and the form was submitted with the safe URI,
@@ -1365,6 +1371,9 @@ def testconn(self):
             return json_error_response(
                 _("Connection failed, please check your connection settings."), 400
             )
+        except DBSecurityException as e:
+            logger.warning("Stopped an unsafe database connection. %s", e)
+            return json_error_response(_(str(e)))
         except Exception as e:
             logger.error("Unexpected error %s", e)
             return json_error_response(_("Unexpected error occurred."), 400)

superset/views/database/mixins.py

@@ -20,8 +20,9 @@
 from flask_babel import lazy_gettext as _
 from sqlalchemy import MetaData
 
-from superset import security_manager
+from superset import app, security_manager
 from superset.exceptions import SupersetException
+from superset.security.analytics_db_safety import check_sqlalchemy_uri
 from superset.utils import core as utils
 from superset.views.database.filters import DatabaseFilter
 
@@ -191,6 +192,8 @@ class DatabaseMixin:
     }
 
     def _pre_add_update(self, database):
+        if app.config.get("PREVENT_UNSAFE_DB_CONNECTIONS"):
+            check_sqlalchemy_uri(database.sqlalchemy_uri)
         self.check_extra(database)
         self.check_encrypted_extra(database)
         database.set_sqlalchemy_uri(database.sqlalchemy_uri)

tests/security/analytics_db_safety_tests.py

@@ -0,0 +1,32 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+from superset.security.analytics_db_safety import (
+    check_sqlalchemy_uri,
+    DBSecurityException,
+)
+
+from ..base_tests import SupersetTestCase
+
+
+class DBConnectionsTest(SupersetTestCase):
+    def test_check_sqlalchemy_uri_ok(self):
+        check_sqlalchemy_uri("postgres://user:password@test.com")
+
+    def test_check_sqlalchemy_url_sqlite(self):
+        with self.assertRaises(DBSecurityException):
+            check_sqlalchemy_uri("sqlite:///home/superset/bad.db")