Update V10 release branch to 10.1 (#5655)

* Add support for Firebolt Database (#5606)

* Fixes issue #5622 (#5623)

* Update Readme to reflect Firebolt data source (#5649)

* Speed up BigQuery schema fetching (#5632)

New method improves schema fetching by as much as 98% on larger schemas

* Merge pull request from GHSA-vhc7-w7r8-8m34

* WIP: break the flask_oauthlib behavior

* Refactor google-oauth to use cryptographic state.

* Clean up comments

* Fix: tests didn't pass because of the scope issues.

Moved outside the create_blueprint method because this does not depend
on the Authlib object.

* Apply Arik's fixes. Tests pass.

* Merge pull request from GHSA-g8xr-f424-h2rv

* Merge pull request from GHSA-fcpv-hgq6-87h7

* Update changelog to incorporate security fixes and #5632 & #5606 (#5654)

* Update changelog to incorporate security fixes and #5632 & #5606

* Added reference to sqlite fix

* Bump to V10.1

* Missed package-lock.json on the first pass

* Add a REDASH_COOKIE_SECRET for circleci

* Revert "Add a REDASH_COOKIE_SECRET for circleci"

This reverts commit 4576636.

Moves config to the correct compose files

* Move advocate to core requirements.txt file

[debugging circleci failures]

Co-authored-by: rajeshSigmoid <[email protected]>
Co-authored-by: Aratrik Pal <[email protected]>
Co-authored-by: rajeshmauryasde <[email protected]>
Co-authored-by: Katsuya Shimabukuro <[email protected]>

Author: 5 people

.circleci/docker-compose.circle.yml

@@ -13,6 +13,7 @@ services:
       REDASH_LOG_LEVEL: "INFO"
       REDASH_REDIS_URL: "redis://redis:6379/0"
       REDASH_DATABASE_URL: "postgresql://postgres@postgres/postgres"
+      REDASH_COOKIE_SECRET: "2H9gNG9obnAQ9qnR9BDTQUph6CbXKCzF"
   redis:
     image: redis:3.0-alpine
     restart: unless-stopped

.circleci/docker-compose.cypress.yml

@@ -12,6 +12,7 @@ x-redash-environment: &redash-environment
   REDASH_DATABASE_URL: "postgresql://postgres@postgres/postgres"
   REDASH_RATELIMIT_ENABLED: "false"
   REDASH_ENFORCE_CSRF: "true"
+  REDASH_COOKIE_SECRET: "2H9gNG9obnAQ9qnR9BDTQUph6CbXKCzF"
 services:
   server:
     <<: *redash-service

CHANGELOG.md

@@ -1,5 +1,19 @@
 # Change Log
 
+## V10.1.0 - 2021-11-23
+
+This release includes patches for three security vulnerabilities:
+
+- Insecure default configuration affects installations where REDASH_COOKIE_SECRET is not set explicitly (CVE-2021-41192)
+- SSRF vulnerability affects installations that enabled URL-loading data sources (CVE-2021-43780)
+- Incorrect usage of state parameter in OAuth client code affects installations where Google Login is enabled (CVE-2021-43777)
+
+And a couple features that didn't merge in time for 10.0.0
+
+- Big Query: Speed up schema loading (#5632)
+- Add support for Firebolt data source (#5606)
+- Fix: Loading schema for Sqlite DB with "Order" column name fails (#5623)
+
 ## v10.0.0 - 2021-10-01
 
 A few changes were merged during the V10 beta period.

README.md

@@ -43,6 +43,7 @@ Redash supports more than 35 SQL and NoSQL [data sources](https://redash.io/help
 - DB2 by IBM
 - Druid
 - Elasticsearch
+- Firebolt
 - Google Analytics
 - Google BigQuery
 - Google Spreadsheets

client/app/assets/images/db-logos/firebolt.png

@@ -8,6 +8,8 @@ x-redash-service: &redash-service
       skip_frontend_build: "true"
   volumes:
     - .:/app
+  env_file:
+    - .env
 x-redash-environment: &redash-environment
   REDASH_LOG_LEVEL: "INFO"
   REDASH_REDIS_URL: "redis://redis:6379/0"
@@ -16,6 +18,7 @@ x-redash-environment: &redash-environment
   REDASH_MAIL_DEFAULT_SENDER: "[email protected]"
   REDASH_MAIL_SERVER: "email"
   REDASH_ENFORCE_CSRF: "true"
+  # Set secret keys in the .env file
 services:
   server:
     <<: *redash-service

docker-compose.yml

@@ -1,6 +1,6 @@
 {
   "name": "redash-client",
-  "version": "10.0.0",
+  "version": "10.1.0",
   "description": "The frontend part of Redash.",
   "main": "index.js",
   "scripts": {

package-lock.json

@@ -15,7 +15,7 @@
 from .query_runner import import_query_runners
 from .destinations import import_destinations
 
-__version__ = "10.0.0"
+__version__ = "10.1.0"
 
 
 if os.environ.get("REMOTE_DEBUG"):

package.json

@@ -243,12 +243,13 @@ def logout_and_redirect_to_index():
 
 def init_app(app):
     from redash.authentication import (
-        google_oauth,
         saml_auth,
         remote_user_auth,
         ldap_auth,
     )
 
+    from redash.authentication.google_oauth import create_google_oauth_blueprint
+
     login_manager.init_app(app)
     login_manager.anonymous_user = models.AnonymousUser
     login_manager.REMEMBER_COOKIE_DURATION = settings.REMEMBER_COOKIE_DURATION
@@ -259,8 +260,9 @@ def extend_session():
         app.permanent_session_lifetime = timedelta(seconds=settings.SESSION_EXPIRY_TIME)
 
     from redash.security import csrf
-    for auth in [google_oauth, saml_auth, remote_user_auth, ldap_auth]:
-        blueprint = auth.blueprint
+
+    # Authlib's flask oauth client requires a Flask app to initialize
+    for blueprint in [create_google_oauth_blueprint(app), saml_auth.blueprint, remote_user_auth.blueprint, ldap_auth.blueprint, ]:
         csrf.exempt(blueprint)
         app.register_blueprint(blueprint)