[Security] Bump datasette from 0.27 to 0.46

[dependabot-preview]

Bumps datasette from 0.27 to 0.46.

Release notes

Sourced from datasette's releases.

0.46

Warning: This release contains a security fix related to authenticated writable canned queries. If you are using this feature you should upgrade as soon as possible.

• Security fix: CSRF tokens were incorrectly included in read-only canned query forms, which could allow them to be leaked to a sophisticated attacker. See issue 918 for details.
• Datasette now supports GraphQL via the new datasette-graphql plugin - see GraphQL in Datasette with the new datasette-graphql plugin.
• Principle git branch has been renamed from master to main. (#849)
• New debugging tool: /-/allow-debug tool (demo here) helps test allow blocks against actors, as described in Defining permissions with "allow" blocks. (#908)
• New logo for the documentation, and a new project tagline: "An open source multi-tool for exploring and publishing data".
• Whitespace in column values is now respected on display, using white-space: pre-wrap. (#896)
• New await request.post_body() method for accessing the raw POST body, see Request object. (#897)
• Database file downloads now include a content-length HTTP header, enabling download progress bars. (#905)
• File downloads now also correctly set the suggested file name using a content-disposition HTTP header. (#909)
• tests are now excluded from the Datasette package properly - thanks, abeyerpath. (#456)
• The Datasette package published to PyPI now includes sdist as well as bdist_wheel.
• Better titles for canned query pages. (#887)
• Now only loads Python files from a directory passed using the --plugins-dir option - thanks, Amjith Ramanujam. (#890)
• New documentation section on Publishing to Vercel.

0.45

Magic parameters for canned queries, a log out feature, improved plugin documentation and four new plugin hooks.

Magic parameters for canned queries

Canned queries now support Magic parameters, which can be used to insert or select automatically generated values. For example:

insert into logs
  (user_id, timestamp)
values
  (:_actor_id, :_now_datetime_utc)

This inserts the currently authenticated actor ID and the current datetime. (#842)

Log out

The ds_actor cookie can be used by plugins (or by Datasette's --root mechanism) to authenticate users. The new /-/logout page provides a way to clear that cookie.

A "Log out" button now shows in the global navigation provided the user is authenticated using the ds_actor cookie. (#840)

Better plugin documentation

The plugin documentation has been re-arranged into four sections, including a brand new section on testing plugins. (#687)

• Plugins introduces Datasette's plugin system and describes how to install and configure plugins.
• Writing plugins describes how to author plugins, from simple one-off plugins to packaged plugins that can be published to PyPI. It also describes how to start a plugin using the new datasette-plugin cookiecutter template.
• Plugin hooks is a full list of detailed documentation for every Datasette plugin hook.
• Testing plugins describes how to write tests for Datasette plugins, using pytest and HTTPX.

New plugin hooks

• register_magic_parameters(datasette) can be used to define new types of magic canned query parameters.

Changelog

Sourced from datasette's changelog.

0.46 (2020-08-09)

This release contains a security fix related to authenticated writable canned queries. If you are using this feature you should upgrade as soon as possible.

• Security fix: CSRF tokens were incorrectly included in read-only canned query forms, which could allow them to be leaked to a sophisticated attacker. See issue 918 for details.
• Datasette now supports GraphQL via the new datasette-graphql plugin - see GraphQL in Datasette with the new datasette-graphql plugin.
• Principle git branch has been renamed from master to main. (#849)
• New debugging tool: /-/allow-debug tool (demo here) helps test allow blocks against actors, as described in authentication_permissions_allow. (#908)
• New logo for the documentation, and a new project tagline: "An open source multi-tool for exploring and publishing data".
• Whitespace in column values is now respected on display, using white-space: pre-wrap. (#896)
• New await request.post_body() method for accessing the raw POST body, see internals_request. (#897)
• Database file downloads now include a content-length HTTP header, enabling download progress bars. (#905)
• File downloads now also correctly set the suggested file name using a content-disposition HTTP header. (#909)
• tests are now excluded from the Datasette package properly - thanks, abeyerpath. (#456)
• The Datasette package published to PyPI now includes sdist as well as bdist_wheel.
• Better titles for canned query pages. (#887)
• Now only loads Python files from a directory passed using the --plugins-dir option - thanks, Amjith Ramanujam. (#890)
• New documentation section on publish_vercel.

0.45 (2020-07-01)

Magic parameters for canned queries, a log out feature, improved plugin documentation and four new plugin hooks.

Magic parameters for canned queries

Canned queries now support canned_queries_magic_parameters, which can be used to insert or select automatically generated values. For example:

insert into logs
  (user_id, timestamp)
values
  (:_actor_id, :_now_datetime_utc)

This inserts the currently authenticated actor ID and the current datetime. (#842)

Log out

The ds_actor cookie <authentication_ds_actor> can be used by plugins (or by Datasette's --root mechanism<authentication_root>) to authenticate users. The new /-/logout page provides a way to clear that cookie.

A "Log out" button now shows in the global navigation provided the user is authenticated using the ds_actor cookie. (#840)

Better plugin documentation

Commits

• b597aa0 Fixed link in release notes, refs #918
• f25391d Release 0.46
• 6d29210 Updated docs on what happens when a release goes out
• 7f10f0f Fix for security issue #918
• de90b75 Fixed incorrect link reference
• 6023900 Package as sdist as well as bdist_wheel
• dc86ce7 Added datasette-graphql
• daf1b50 datasette-graphql in news
• 7ca8c05 Calculate coverage on pushes to main
• 84c162d Deploy latest on pushes to main
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[dependabot-preview]

We've just been alerted that this update fixes a security vulnerability:

Sourced from The GitHub Security Advisory Database.

CSRF tokens leaked in URL by canned query form

Impact

The HTML form for a read-only canned query includes the hidden CSRF token field added in #798 for writable canned queries (#698).

This means that submitting those read-only forms exposes the CSRF token in the URL - for example on https://latest.datasette.io/fixtures/neighborhood_search submitting the form took me to:

https://latest.datasette.io/fixtures/neighborhood_search?text=down&csrftoken=CSRFTOKEN-HERE

This token could potentially leak to an attacker if the resulting page has a link to an external site on it and the user clicks the link, since the token would be exposed in the referral logs.

... (truncated)

Affected versions: ["< 0.46"]

[acdha]

@dependabot rebase