[WIP] feat: add feature flag for CSS Templates #33675

Draft pull request: wants to merge 1 commit into master

Conversation

tshallenberger (Contributor)

SUMMARY

At Yahoo, one of our security personnel flagged this feature as a potential security issue:

The application allows users to create custom CSS templates for their Dashboards. In doing so, the attacker was able to specify CSS that performed GET requests to the superset application. External interactions were blocked by CSP and therefore reduced the severity of the attack.
Additional CSS Injections can allow arbitrary dynamic CSS to be injected into the browser under the <style> element.
Due to availability issues this feature could not be tested further. There is likely a DOM Breakout method for this as it gets inserted plaintext into the Body of the page.
CSP Bypasses can also occur which would allow for data exfiltration in the event an open redirect can be utilized.

Additionally, there was a discussion around this feature: #296

I added a feature flag (ENABLE_CSS_TEMPLATES) that will allow users to disable CSS templates. The feature remains enabled by default.

There is a flag check in the Menu builder, a @before_request() hook in front of the CssTemplates API endpoints, and flag checks in useHeaderActionsDropdownMenu.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

(In Progress)

TESTING INSTRUCTIONS

(In Progress)

ADDITIONAL INFORMATION

  • Has associated issue: Disable Custom CSS Feature #29685
  • Required feature flags: ENABLE_CSS_TEMPLATES
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API
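The gate the description sketches (a server-side @before_request hook that refuses every CSS-template endpoint while the flag is off, with the frontend checks only hiding menu entries), as an added example that is not Superset's own code: the FEATURE_FLAGS dict, the Resource dispatcher and the three routes are constructed here so it runs offline on the standard library, the hook mirrors the PR's ensure_css_templates_enabled, and status_codes() exercises every registered route so a reviewer can confirm that no endpoint escapes the gate.

```python
"""Added example (not Superset's code): a server-side feature flag gate
that runs before every endpoint of one REST resource.

Assumptions: FEATURE_FLAGS, Resource and the css_template routes below
are illustrative stand-ins for the real config, Flask-AppBuilder API
class and @before_request hook, built here so the file runs stand-alone.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for the FEATURE_FLAGS entry in superset config.
FEATURE_FLAGS: Dict[str, bool] = {"ENABLE_CSS_TEMPLATES": True}


def is_feature_enabled(name: str) -> bool:
    """Read a flag; an unknown flag counts as disabled."""
    return bool(FEATURE_FLAGS.get(name, False))


@dataclass
class Response:
    status: int
    body: str


Handler = Callable[[], Response]
Hook = Callable[[], Optional[Response]]


@dataclass
class Resource:
    """Groups one resource's endpoints with hooks that run before all of
    them, so a gate registered once covers every route of the resource."""
    name: str
    routes: Dict[Tuple[str, str], Handler] = field(default_factory=dict)
    before_request_hooks: List[Hook] = field(default_factory=list)

    def route(self, method: str, path: str):
        def register(fn: Handler) -> Handler:
            self.routes[(method, path)] = fn
            return fn
        return register

    def before_request(self, fn: Hook) -> Hook:
        self.before_request_hooks.append(fn)
        return fn

    def dispatch(self, method: str, path: str) -> Response:
        handler = self.routes.get((method, path))
        if handler is None:
            return Response(404, "no such route")
        # The first hook that returns a Response short-circuits the
        # handler, which is how the PR's gate refuses the request.
        for hook in self.before_request_hooks:
            early = hook()
            if early is not None:
                return early
        return handler()


css_templates = Resource("css_template")


@css_templates.before_request
def ensure_css_templates_enabled() -> Optional[Response]:
    """Same shape as the PR's hook: 404 when the flag is off."""
    if not is_feature_enabled("ENABLE_CSS_TEMPLATES"):
        return Response(404, "CSS templates are not enabled.")
    return None


# Constructed routes standing in for the CssTemplates API endpoints.
@css_templates.route("GET", "/api/v1/css_template/")
def list_templates() -> Response:
    return Response(200, "[]")


@css_templates.route("POST", "/api/v1/css_template/")
def create_template() -> Response:
    return Response(201, "created")


@css_templates.route("DELETE", "/api/v1/css_template/1")
def delete_template() -> Response:
    return Response(200, "deleted")


def status_codes(enabled: bool) -> Dict[Tuple[str, str], int]:
    """Call every registered route with the flag set as given and return
    the status each produced; this is the check that no endpoint slipped
    past the gate, which hiding a menu entry in the UI cannot give you."""
    FEATURE_FLAGS["ENABLE_CSS_TEMPLATES"] = enabled
    try:
        return {key: css_templates.dispatch(*key).status
                for key in css_templates.routes}
    finally:
        FEATURE_FLAGS["ENABLE_CSS_TEMPLATES"] = True


def all_gated_when_disabled() -> bool:
    """True when every route answers 404 with the flag off."""
    return all(code == 404 for code in status_codes(False).values())


if __name__ == "__main__":
    print("flag on: ", status_codes(True))
    print("flag off:", status_codes(False))
    print("all endpoints gated:", all_gated_when_disabled())
```

Registering the hook on the resource rather than inside each handler is the property worth reviewing for: a new endpoint added later is gated automatically, whereas a per-handler check or a UI-only check has to be remembered each time.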

@github-actions github-actions bot added api Related to the REST API packages labels Jun 3, 2025
@dosubot dosubot bot added change:frontend Requires changing the frontend dashboard:css Related to the CSS field of the Dashboard labels Jun 3, 2025
tshallenberger (Contributor, Author) commented:

This is a rough first draft at this feature, doesn't have tests or screenshots yet, but I'll try to add those this week. Would definitely appreciate feedback from the team!

@korbit-ai korbit-ai bot left a comment

Review by Korbit AI

Category       Issue                                             Status
Readability    Hard to read type annotation                      Not in scope
Performance    Redundant Feature Flag Checks                     Not in standard
Functionality  Missing Permission Check for CSS Editor           Not in standard
Functionality  Incorrect HTTP status code for disabled feature   Incorrect
Files scanned:
  • superset-frontend/packages/superset-ui-core/src/utils/featureFlags.ts
  • superset/css_templates/api.py
  • superset-frontend/src/dashboard/components/Header/useHeaderActionsDropdownMenu.tsx
  • superset/initialization/init.py
  • superset/config.py


Comment on lines +108 to +113
@before_request()
def ensure_css_templates_enabled(self) -> Optional[Response]:
    css_templates_enabled = is_feature_enabled("ENABLE_CSS_TEMPLATES")
    if not css_templates_enabled:
        return self.response_404("CSS templates are not enabled.")
    return None
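Review bot: the "Incorrect HTTP status code for disabled feature" finding in the Korbit table above lands on `return self.response_404("CSS templates are not enabled.")`; answering 404 hides the endpoint rather than saying the feature is switched off, which is a defensible choice only if it matches how other feature-gated APIs in this code base respond, so either align the status with them or state the choice in the PR description. The disabled path also needs a test, since Codecov reports one uncovered line in superset/css_templates/api.py.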

This comment was marked as resolved.

Comment on lines +108 to +112
@before_request()
def ensure_css_templates_enabled(self) -> Optional[Response]:
    css_templates_enabled = is_feature_enabled("ENABLE_CSS_TEMPLATES")
    if not css_templates_enabled:
        return self.response_404("CSS templates are not enabled.")

This comment was marked as resolved.

Comment on lines +1160 to 1162
SQLLAB_CTAS_SCHEMA_NAME_FUNC: None | (
    Callable[[Database, models.User, str, str], str]
) = None
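Review bot: `None | (Callable[[Database, models.User, str, str], str])` splits a union across a parenthesised continuation, which is the readability finding in the Korbit table above; a named alias (for instance `SchemaNameFunc = Callable[[Database, models.User, str, str], str]`, a hypothetical name) followed by `SQLLAB_CTAS_SCHEMA_NAME_FUNC: SchemaNameFunc | None = None` reads more easily. This annotation concerns SQL Lab CTAS rather than CSS templates, so unless it is an unavoidable formatter change it belongs in a separate commit.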

This comment was marked as resolved.

@@ -192,7 +192,7 @@ export const useHeaderActionsMenu = ({
{t('Edit properties')}
</Menu.Item>
)}
{editMode && (
{editMode && isFeatureEnabled(FeatureFlag.EnableCssTemplates) && (
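Review bot: the added `isFeatureEnabled(FeatureFlag.EnableCssTemplates)` condition only hides the menu entry in edit mode; it is a usability change, not an access control, so the server-side @before_request hook on the CssTemplates API remains the enforcement point and both must read the same flag, with FeatureFlag.EnableCssTemplates in superset-ui-core's featureFlags.ts mapped to the backend's ENABLE_CSS_TEMPLATES. Please add a frontend test rendering the menu with the flag off, as the PR description notes tests are still missing.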

This comment was marked as resolved.

codecov bot commented Jun 3, 2025

Codecov Report

Attention: Patch coverage is 90.00000% with 1 line in your changes missing coverage. Please review.

Project coverage is 83.04%. Comparing base (76d897e) to head (114e99e).
Report is 1926 commits behind head on master.

Files with missing lines         Patch %   Lines
superset/css_templates/api.py    88.88%    1 Missing ⚠️
Additional details and impacted files
@@             Coverage Diff             @@
##           master   #33675       +/-   ##
===========================================
+ Coverage   60.48%   83.04%   +22.56%     
===========================================
  Files        1931      558     -1373     
  Lines       76236    40996    -35240     
  Branches     8568        0     -8568     
===========================================
- Hits        46114    34047    -12067     
+ Misses      28017     6949    -21068     
+ Partials     2105        0     -2105     
Flag         Coverage Δ
hive         47.62% <60.00%> (-1.53%) ⬇️
javascript   ?
mysql        73.96% <90.00%> (?)
postgres     74.02% <90.00%> (?)
presto       51.99% <60.00%> (-1.82%) ⬇️
python       83.04% <90.00%> (+19.54%) ⬆️
sqlite       73.50% <90.00%> (?)
unit         61.62% <60.00%> (+3.99%) ⬆️


sadpandajoe (Member) commented:

Since this is a WIP still, going to convert this to a draft until it's ready.

@sadpandajoe sadpandajoe marked this pull request as draft June 3, 2025 21:35
@michael-s-molina michael-s-molina requested a review from dpgaspar June 4, 2025 17:22
rusackas (Member) commented Jun 5, 2025

Sounds good to me! @dpgaspar may want to assess the security implications.

Labels: api (Related to the REST API), change:frontend (Requires changing the frontend), dashboard:css (Related to the CSS field of the Dashboard), packages, review:draft, size/S