
Custom delimiter configuration isn't loaded for CSV import

Open aho-exerp opened this issue 1 year ago • 2 comments

On 'CSV to Database configuration' the field for the custom delimiter configuration isn't loaded when choosing 'Other', due to a Content Security Policy (CSP) violation caused by a static nonce on the script. The issue isn't present the first time the page is loaded, but on every following visit to the page.

How to reproduce the bug

  1. Leave Superset with default TALISMAN configuration
  2. Add a database connection and under 'Advanced'->'Security' check 'Allow file uploads to database'
  3. In browser open development tools, so you can see the source HTML
  4. Go to 'Data' -> 'Upload CSV to database'
  5. Select on Delimiter: 'Other'
  6. If you are opening this page for the first time, reload the page to see the error

Expected results

A free text input field under 'Enter a delimiter for this data' is loaded. No CSP errors.

Actual results

No text input field is loaded, instead in the Dev console of the browser you can see the following error:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'strict-dynamic' 'nonce-A3G08VMJ0tosJ5Wlse9kLCHiqfipHohf'". Either the 'unsafe-inline' keyword, a hash ('sha256-LDZ4ztcGb3PpryC0w3Ox6TyZleJKsSIt1Vu4Zay22rE='), or a nonce ('nonce-...') is required to enable inline execution.

Screenshots


In the HTML one can see that the nonce set on the script handling the delimiter does not refresh along with the other nonces on the page when the page is refreshed, but instead stays static.

Environment

(please complete the following information):

  • browser type and version: Chrome 119.0.6045.200
  • superset version: 3.0.1
  • python version: 3.9.18
  • node.js version: node -v
  • any feature flags active: { "ALLOW_DASHBOARD_DOMAIN_SHARDING": true, "CLIENT_CACHE": false, "DISABLE_DATASET_SOURCE_EDIT": false, "DYNAMIC_PLUGINS": false, "ENABLE_EXPLORE_JSON_CSRF_PROTECTION": false, "ENABLE_TEMPLATE_PROCESSING": false, "KV_STORE": false, "PRESTO_EXPAND_DATA": false, "THUMBNAILS": false, "DASHBOARD_CACHE": false, "REMOVE_SLICE_LEVEL_LABEL_COLORS": false, "SHARE_QUERIES_VIA_KV_STORE": false, "SIP_38_VIZ_REARCHITECTURE": false, "TAGGING_SYSTEM": false, "SQLLAB_BACKEND_PERSISTENCE": false, "LISTVIEWS_DEFAULT_CARD_VIEW": false, "DRILL_TO_DETAIL": true, "ENABLE_REACT_CRUD_VIEWS": true, "DISPLAY_MARKDOWN_HTML": true, "ESCAPE_MARKDOWN_HTML": false, "DASHBOARD_NATIVE_FILTERS": true, "GLOBAL_ASYNC_QUERIES": false, "VERSIONED_EXPORT": true, "ROW_LEVEL_SECURITY": false, "ALERT_REPORTS": true }

Checklist

Make sure to follow these steps before submitting your issue - thank you!

  • [x] I have checked the superset logs for python stacktraces and included them here as text if there are any.
  • [x] I have reproduced the issue with at least the latest released version of superset.
  • [x] I have checked the issue tracker for the same issue and I haven't found one similar.

Additional context

Add any other context about the problem here.

  • Using TALISMAN_ENABLED = False negates the issue.
  • Opening the page in another browser or incognito mode shows that the element presents the same static nonce.
  • Adding 'unsafe-inline' to 'script-src' isn't a solution as it is ignored due to the nonce being present.

aho-exerp avatar Dec 07 '23 14:12 aho-exerp

I assume you're still facing this in Superset 3.1 / 4.x as we haven't changed much in Talisman configs.

Are you able to add unsafe-inline to script-src to work around this? CC @michael-s-molina @kgabryje who might know more about the nonce implementation.

rusackas avatar Apr 18 '24 22:04 rusackas

This is coming a bit late but I found a fix.

Instead of using the usual import you can use a similar Jinja macro inside the template like this:

{% with nonce=csp_nonce() %} {% include 'superset/form_view/database_schemas_selector.html' %} {% endwith %}

This ensures that the nonce it sets is the same one as for all the other scripts inside the template, and it didn't need to be imported.

muh79 avatar Jun 25 '24 07:06 muh79
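The mechanism behind the fix above can be reproduced outside Superset. The following is an added example, not code from the issue, from muh79, or from the Superset project: it uses plain Jinja2 with two constructed page/partial template pairs (assumed, not Superset's real templates), a simulated per-request nonce in place of Flask-Talisman's csp_nonce() helper, and a small check that compares every <script nonce="..."> in the rendered HTML against the nonce that would go into the CSP header. The {% import %} variant shows why the first request works and every later one fails: Jinja renders an imported template without the caller's context and caches the resulting module, so the nonce evaluated on the first request is frozen into it. The {% with nonce=csp_nonce() %}{% include %} variant from the comment above renders the partial on every request.

```python
# Added example (not Superset's code): reproduces the static-nonce symptom from
# this issue with plain Jinja2 and checks rendered HTML against the per-request
# CSP nonce. Requires `pip install jinja2`.
import re
import secrets

from jinja2 import DictLoader, Environment

# Simulated request scope: Flask-Talisman keeps the nonce per request; a
# module-level dict stands in for that here (assumption for the demo).
_request = {"nonce": None}

# Constructed templates (assumption). The delimiter partial is pulled in two ways:
#   page_import.html  - {% import %}: Jinja caches imported modules because they
#                       are rendered without the caller's context, so the nonce
#                       evaluated on the first request is reused afterwards.
#   page_include.html - the fix quoted in the thread: {% with nonce=csp_nonce() %}
#                       around {% include %} renders the partial on every request.
TEMPLATES = {
    "page_import.html": (
        "{% import 'selector_import.html' as selector %}"
        '<script nonce="{{ csp_nonce() }}">initForm();</script>\n'
        "{{ selector }}"
    ),
    "selector_import.html": (
        '<script nonce="{{ csp_nonce() }}">initDelimiterField();</script>\n'
    ),
    "page_include.html": (
        '<script nonce="{{ csp_nonce() }}">initForm();</script>\n'
        "{% with nonce=csp_nonce() %}"
        "{% include 'selector_include.html' %}"
        "{% endwith %}"
    ),
    "selector_include.html": (
        '<script nonce="{{ nonce }}">initDelimiterField();</script>\n'
    ),
}


def make_env():
    """Fresh environment per simulation so template and module caches start empty."""
    env = Environment(loader=DictLoader(TEMPLATES), autoescape=True)
    # Stand-in for the csp_nonce() template global: returns the current request's nonce.
    env.globals["csp_nonce"] = lambda: _request["nonce"]
    return env


def new_request_nonce():
    """Start a new request: mint the nonce that goes into the CSP header."""
    _request["nonce"] = secrets.token_urlsafe(24)
    return _request["nonce"]


SCRIPT_NONCE_RE = re.compile(r'<script\b[^>]*\bnonce="([^"]*)"')


def script_nonces(html):
    """Nonce attributes of all <script> tags in the rendered page, in document order."""
    return SCRIPT_NONCE_RE.findall(html)


def stale_nonces(html, header_nonce):
    """Script nonces the browser will refuse because they differ from the header's nonce."""
    return [n for n in script_nonces(html) if n != header_nonce]


def simulate(template_name, requests=3):
    """Render the page once per request; report the header nonce and any stale script nonces."""
    env = make_env()
    report = []
    for _ in range(requests):
        header_nonce = new_request_nonce()
        html = env.get_template(template_name).render()
        report.append({"header_nonce": header_nonce,
                       "stale": stale_nonces(html, header_nonce)})
    return report


if __name__ == "__main__":
    for name in ("page_import.html", "page_include.html"):
        print(name)
        for i, r in enumerate(simulate(name), 1):
            print(f"  request {i}: header nonce {r['header_nonce']} stale {r['stale']}")
```

Running it prints an empty stale list for the first request of page_import.html and the first request's nonce as stale on every later request, which is exactly the "works once, then CSP refuses the inline script" behaviour reported above; page_include.html has no stale nonces on any request. The same stale_nonces check can be run against real rendered pages (for example in a test that fetches the page twice with a fresh session) to catch a cached nonce before it reaches users.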

I also have the issue on superset 4.0.2


xavier-GitHub76 avatar Oct 02 '24 12:10 xavier-GitHub76

Is this still the case in 4.1.2? Anyone want to open a PR adjusting the CSPs?

This is otherwise at risk of being closed as stale (it hasn't been touched in around 200 days) / not-planned (we intend to convert this view to React at some point, and can likely address it then).

At Preset, we have a different means of uploading CSV data, so we won't likely be prioritizing this from our end, but anyone else is more than welcome to!

rusackas avatar Apr 14 '25 18:04 rusackas

With Superset 4.1.2 (and 5.0.0-RC2), the import screen is different. Delimiter is defined with: (screenshot not included)

Entering a custom delimiter is therefore no longer possible

xavier-GitHub76 avatar Apr 30 '25 10:04 xavier-GitHub76