Blocking or Allowing Insecure Scripts in Tableau Server

Issue

When you work with a Tableau workbook that gets data from a SQL-based data source or from an Rserve server, you can create calculations with expressions that are sent directly to the data source, known as pass-through expressions. These types of expressions are described in the following Tableau Desktop documentation:

The pass-through functions are those with names that begin with RAWSQL_ or SCRIPT_.

Under certain circumstances, pass-through expressions could be vectors for SQL injection attacks—that is, an attacker might be able to include malicious commands in them as values. This can happen when the workbook contains a calculation that meets all of these criteria:

The calculation includes a SCRIPT_ or RAWSQL_ function.
The expression uses a value that is passed to the calculation from a parameter in the workbook.
The parameter is typed as a string.
The parameter is the first parameter passed to the calculation.
The parameter is not enclosed in quotation marks.

For example, in the following expression, Parameter 1 might be intended to contain a string value, like small, medium, or large.

RAWSQL_STR([Parameter 1])

However, if a user can set the value of Parameter 1 to arbitrary text, that user could potentially create a SQL injection attack.

Because an expression like this could potentially include malicious commands, it is referred to as an insecure script.

Note the last criterion—that insecure scripts include parameters do not have quotation marks. Consider the following example:

RAWSQL_BOOL("%1", [Parameter 1])

This example does not constitute an insecure script, because the value of Parameter 1 is included in quotation marks, so SQL does not treat the value as a command.

Environment

Tableau Server

Resolution

Allowing insecure scripts when publishing to Tableau Server

Tableau Server versions 2018.2 and newer (Post-TSM)

You can allow users to publish workbooks that contain insecure scripts by using the following tsm configuration set command:

tsm configuration set vizqlserver.allow_insecure_scripts true

Tableau Server versions prior to 2018.2 (Pre-TSM)

You can allow users to publish workbooks that contain insecure scripts by using the following tabadmin set command:

tabadmin set vizqlserver.allow_insecure_scripts true

Cause

By default, users are not allowed to publish a workbook to Tableau Server that contains an insecure script—that is, a workbook that contains a calculation that meets all of the criteria described earlier. When users attempt to publish the workbook, they see the following response from the server:

"This worksheet contains custom user scripts or SQL with injectable string parameters, which may be vulnerable on the target platform."

Publishing is blocked whether users are trying to publish using Tableau Desktop, the tabcmd publish command, or Publish Workbook in the REST API.

Additional Information

Notes about enabling or disabling insecure scripts on Tableau Server

The vizqlserver.allow_insecure_scripts setting is designed for scenarios where a user might try to use a parameter value to send unauthorized SQL or Rserve commands. To help secure Tableau Server installations, the default setting is false, so that users cannot publish workbooks with insecure scripts. Consider the following points about the vizqlserver.allow_insecure_scripts setting:

If your users never create custom SQL or R expressions, you can make sure that vizqlserver.allow_insecure_scripts is set to false without affecting the ability of your users to publish workbooks.
If your users create calculations that include custom SQL or R expressions, but you do not believe that other users might try to pass commands to the data source, you can enable publishing of insecure scripts (that is, set vizqlserver.allow_insecure_scripts to true).
The vizqlserver.allow_insecure_scripts setting applies to a Tableau Server installation as a whole. If this setting is false, publishing workbooks that contain insecure scripts is blocked for all sites and projects on the server.
Tableau Public and Tableau Cloud do not allow calculations that include expressions with functions beginning with RAW or SCRIPT_. Therefore, the vizqlserver.allow_insecure_scripts default value of false does not affect those products.
This error message will also appear on Tableau Server directly if the setting vizqlserver.allow_insecure_scripts is changed to false, and then attempting to access a workbook which was published with insecure scripts prior to the setting being changed.