From f6858256f496387146c4b535436bedaeceeeee51 Mon Sep 17 00:00:00 2001 From: Daniel Vaz Gaspar Date: Fri, 4 Sep 2020 16:37:14 +0100 Subject: [PATCH] security: disallow uuid package on jinja2 (#10794) * fix: disallow uuid package on jinja2 * update UPDATING.md * Update UPDATING.md Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com> Co-authored-by: Ville Brofeldt <33317356+villebro@users.noreply.github.com> --- UPDATING.md | 2 ++ docs/sqllab.rst | 5 ++++- superset/extensions.py | 5 ++++- 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/UPDATING.md b/UPDATING.md index 47a5dd396e1ec..b533ed7ebe360 100644 --- a/UPDATING.md +++ b/UPDATING.md @@ -23,6 +23,8 @@ assists people when migrating to a new version. ## Next +* [10794](https://github.com/apache/incubator-superset/pull/10794): Breaking change: `uuid` python package is not supported on Jinja2 anymore, only uuid functions are exposed eg: `uuid1`, `uuid3`, `uuid4`, `uuid5`. + * [10674](https://github.com/apache/incubator-superset/pull/10674): Breaking change: PUBLIC_ROLE_LIKE_GAMMA was removed is favour of the new PUBLIC_ROLE_LIKE so it can be set it whatever role you want. * [10590](https://github.com/apache/incubator-superset/pull/10590): Breaking change: this PR will convert iframe chart into dashboard markdown component, and remove all `iframe`, `separator`, and `markup` slices (and support) from Superset. If you have important data in those slices, please backup manually. diff --git a/docs/sqllab.rst b/docs/sqllab.rst index b582c53e209e0..27711cbfd0414 100644 --- a/docs/sqllab.rst +++ b/docs/sqllab.rst @@ -73,7 +73,10 @@ Superset's Jinja context: - ``time``: ``time`` - ``datetime``: ``datetime.datetime`` -- ``uuid``: ``uuid`` +- ``uuid1``: ``uuid1`` +- ``uuid3``: ``uuid3`` +- ``uuid4``: ``uuid4`` +- ``uuid5``: ``uuid5`` - ``random``: ``random`` - ``relativedelta``: ``dateutil.relativedelta.relativedelta`` 
diff --git a/superset/extensions.py b/superset/extensions.py index 06d55c8a17247..bd66bd4e6b755 100644 --- a/superset/extensions.py +++ b/superset/extensions.py @@ -50,7 +50,10 @@ def __init__(self) -> None: "relativedelta": relativedelta, "time": time, "timedelta": timedelta, - "uuid": uuid, + "uuid1": uuid.uuid1, + "uuid3": uuid.uuid3, + "uuid4": uuid.uuid4, + "uuid5": uuid.uuid5, } self._template_processors: Dict[str, Type["BaseTemplateProcessor"]] = {}
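Review bot: the UPDATING.md entry should tell template authors what to change, not only that `uuid` is gone: a template that previously called `uuid.uuid4()` must become `uuid4()`, and a one-line migration hint ("replace `uuid.<fn>()` with `<fn>()`") belongs next to the breaking-change marker. It would also help to state the reason in one clause (exposing the whole module put every attribute of it within reach of a template, whereas only the four generator functions were ever meant to be callable from SQL Lab), and "eg:" should read "e.g." to match the other entries.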
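Review bot: the new docs/sqllab.rst entries break the list's own convention. Every other line names the Python object on the right-hand side (``datetime``: ``datetime.datetime``, ``relativedelta``: ``dateutil.relativedelta.relativedelta``), so the four additions should read ``uuid1``: ``uuid.uuid1`` through ``uuid5``: ``uuid.uuid5`` rather than repeating the bare name; as written they do not tell the reader which function is bound to each Jinja name.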
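Review bot: no test accompanies the superset/extensions.py change (the stat lists only UPDATING.md, docs/sqllab.rst and superset/extensions.py), so nothing prevents a later edit from re-adding the module under the `uuid` key. A small regression test that builds the template context and asserts `"uuid" not in context` while `context["uuid4"] is uuid.uuid4` would lock the fix in. Binding the functions instead of the module is the right shape of fix, since it removes module-attribute traversal from template code; it is worth a second look at whether `uuid1` needs to stay in the list, as it embeds the host node identifier and a timestamp in the value it returns, which is more than most SQL Lab templates need.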