This update contains an important security fix and is a recommended update for users who have a BigQuery or SparkSQL database connection in Metabase.

Security fix for BigQuery and SparkSQL

Metabase was recently informed of a potential SQL Injection vulnerability when connecting to Google BigQuery. While the vast majority of our database drivers utilize parameterized queries, our original implementation of BigQuery did not as it wasn’t supported at the time. In release v0.35.4, we have updated the BigQuery driver to support parameterized queries, which will prevent SQL injection attacks. As part of this release, we also determined that our SparkSQL driver was susceptible to the same issue and we have added additional escaping of user input to that driver as well.

Enhancements

• Turkish translation is now available again (#12557)
• Better site URL detection when Metabase is run behind a proxy (#12528)
• Changed map tile server URL to HTTPS (#12431)
• Drastically reduced memory usage for streaming large XLSX files — thanks to @sunui for the PR. (#12521)
• Fixed incorrect Content-Type in part of the API — thanks to @federicotdn for the PR. (#12461)
• Added documentation for the MAX_SESSION_AGE environment variable — thanks to @lindsay-stevens for the help. (#9495)

Bug fixes

• Custom column concat function errors on Amazon Redshift when using 3 or more parameters (#12544)
• Fingerprinting breaks on infinities (#12511)
• Custom columns failing when joined data has over about 30 columns (#12481)
• Fixed an issue where the Metabase logo was displaying too small (#12441)
• Adding custom field result in not being able to find columns from table (#12397)
• Create Slack Bot button has gone missing (#12382)
• Cannot view/edit table-level permissions for databases that are not schema-based (#12372)
• "Error reducing result rows" exception when downloading full results (#12339)
• Unable to create new personalized questions (#12323)
• "Custom Column" with a / (slashes) in name will fail the query (#12305)
• Custom Column "ERROR: missing FROM-clause entry for table" Postgres (#12304)
• Upgrade to 0.35.0 release fails (#12223)
• Object Details (single record view) places the results outside of view (#11887)
• Zero-dates cause Pulses to fail (#11665)
• Cannot save question when results are empty (#11256)
• Line/area/bar charts are hiding x-axis labels too aggressively when scale is set to Timeseries (#11158)
• java.lang.NullPointerException when use TIMEDIFF (#10983)
• Not possible to restore visibility after setting "Do Not Include" in Data Model (#10297)
• Cannot read property 'lat' of null - Allow filter empty/not empty (like for dates) (#7361)
• Auto-refresh doesn't work for dashboards if redirected after login (#7244)
• Clicking link to unsaved question when logged out takes you to 404 page after login (#6317)
• Raw queries with "ON" date filter are broken for Druid [Regression] (#6290)

Upgrading

You can download a .jar of the release, or get the latest on Docker. Make sure to back up your Metabase database before you upgrade! Need help? Check out our upgrading instructions.

Docker image: metabase/metabase:v0.35.4
Download the JAR here: https://downloads.metabase.com/v0.35.4/metabase.jar

Notes

SHA-256 checksum for the 0.35.4 JAR:

a839b608d19701047aac6fcf2d61dc74d9734cf9488d69c9540ec148daccefd5