fix(charts): disable CSRF for chart data endpoint

superset/app.py

@@ -24,7 +24,6 @@
 from flask_appbuilder import expose, IndexView
 from flask_babel import gettext as __, lazy_gettext as _
 from flask_compress import Compress
-from flask_wtf import CSRFProtect
 
 from superset.connectors.connector_registry import ConnectorRegistry
 from superset.extensions import (
@@ -33,6 +32,7 @@
     appbuilder,
     cache_manager,
     celery_app,
+    csrf,
     db,
     feature_flag_manager,
     jinja_context_manager,
@@ -614,7 +614,7 @@ def setup_db(self) -> None:
 
     def configure_wtf(self) -> None:
         if self.config["WTF_CSRF_ENABLED"]:
-            csrf = CSRFProtect(self.flask_app)
+            csrf.init_app(self.flask_app)
             csrf_exempt_list = self.config["WTF_CSRF_EXEMPT_LIST"]
             for ex in csrf_exempt_list:
                 csrf.exempt(ex)

superset/config.py

@@ -171,7 +171,7 @@ def _try_json_readsha(  # pylint: disable=unused-argument
 WTF_CSRF_ENABLED = True
 
 # Add endpoints that need to be exempt from CSRF protection
-WTF_CSRF_EXEMPT_LIST = ["superset.views.core.log"]
+WTF_CSRF_EXEMPT_LIST = ["superset.views.core.log", "superset.charts.api.data"]
 
 # Whether to run the web server in debug mode or not
 DEBUG = os.environ.get("FLASK_ENV") == "development"

superset/extensions.py

@@ -29,6 +29,7 @@
 from flask_appbuilder import AppBuilder, SQLA
 from flask_migrate import Migrate
 from flask_talisman import Talisman
+from flask_wtf.csrf import CSRFProtect
 from werkzeug.local import LocalProxy
 
 from superset.utils.cache_manager import CacheManager
@@ -132,6 +133,7 @@ def get_manifest_files(self, bundle: str, asset_type: str) -> List[str]:
 appbuilder = AppBuilder(update_perms=False)
 cache_manager = CacheManager()
 celery_app = celery.Celery()
+csrf = CSRFProtect()
 db = SQLA()
 _event_logger: Dict[str, Any] = {}
 event_logger = LocalProxy(lambda: _event_logger.get("event_logger"))