Posted to commits@superset.apache.org by dp...@apache.org on 2020/09/30 08:34:48 UTC

[incubator-superset] branch master updated: fix(chart-data-api): ignore missing filters (#11112)

This is an automated email from the ASF dual-hosted git repository.

dpgaspar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-superset.git


The following commit(s) were added to refs/heads/master by this push:
     new ada66e3  fix(chart-data-api): ignore missing filters (#11112)
ada66e3 is described below

commit ada66e30dd1111487735b75f821f45e8a0906d7b
Author: Ville Brofeldt <33...@users.noreply.github.com>
AuthorDate: Wed Sep 30 11:34:23 2020 +0300

    fix(chart-data-api): ignore missing filters (#11112)
---
 superset/common/query_context.py |  1 -
 tests/charts/api_tests.py        | 16 ++++++++++++++++
 tests/query_context_tests.py     | 17 -----------------
 3 files changed, 16 insertions(+), 18 deletions(-)

diff --git a/superset/common/query_context.py b/superset/common/query_context.py
index ad67d11..0e7fa9d 100644
--- a/superset/common/query_context.py
+++ b/superset/common/query_context.py
@@ -237,7 +237,6 @@ class QueryContext:
                     col
                     for col in query_obj.columns
                     + query_obj.groupby
-                    + [flt["col"] for flt in query_obj.filter]
                     + utils.get_column_names_from_metrics(query_obj.metrics)
                     if col not in self.datasource.column_names
                 ]
diff --git a/tests/charts/api_tests.py b/tests/charts/api_tests.py
index a3873e8..7127180 100644
--- a/tests/charts/api_tests.py
+++ b/tests/charts/api_tests.py
@@ -855,6 +855,22 @@ class TestChartApi(SupersetTestCase, ApiOwnersTestCaseMixin):
         self.assertIn("sum__num__yhat_lower", row)
         self.assertEqual(result["rowcount"], 47)
 
+    def test_chart_data_query_missing_filter(self):
+        """
+        Chart data API: Ensure filter referencing missing column is ignored
+        """
+        self.login(username="admin")
+        table = self.get_table_by_name("birth_names")
+        request_payload = get_query_context(table.name, table.id, table.type)
+        request_payload["queries"][0]["filters"] = [
+            {"col": "non_existent_filter", "op": "==", "val": "foo"},
+        ]
+        request_payload["result_type"] = utils.ChartDataResultType.QUERY
+        rv = self.post_assert_metric(CHART_DATA_URI, request_payload, "data")
+        self.assertEqual(rv.status_code, 200)
+        response_payload = json.loads(rv.data.decode("utf-8"))
+        assert "non_existent_filter" not in response_payload["result"][0]["query"]
+
     def test_chart_data_no_data(self):
         """
         Chart data API: Test chart data with empty result
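Review bot: The new test_chart_data_query_missing_filter only exercises a benign column name, so the filter input that the removed test_sql_injection_via_filters covered (`"col": "*"` with `"val": ";"`) is no longer tested, even though this commit also drops filter columns from the column check in query_context.py. Consider a sibling test that posts that same filter and asserts it is dropped from the generated query. Presumably the query builder skips filters on columns the datasource does not have, but that code is not visible in this diff, so the test is the only thing pinning the behaviour. The last check would also read better as `self.assertNotIn("non_existent_filter", response_payload["result"][0]["query"])`, which matches the `self.assert*` calls above it and prints the query on failure.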
diff --git a/tests/query_context_tests.py b/tests/query_context_tests.py
index 5cdfdd0..68ef288 100644
--- a/tests/query_context_tests.py
+++ b/tests/query_context_tests.py
@@ -211,23 +211,6 @@ class TestQueryContext(SupersetTestCase):
         query_payload = query_context.get_payload()
         assert query_payload[0].get("error") is not None
 
-    def test_sql_injection_via_filters(self):
-        """
-        Ensure that calling invalid columns names in filters are caught
-        """
-        self.login(username="admin")
-        table_name = "birth_names"
-        table = self.get_table_by_name(table_name)
-        payload = get_query_context(table.name, table.id, table.type)
-        payload["queries"][0]["groupby"] = ["name"]
-        payload["queries"][0]["metrics"] = []
-        payload["queries"][0]["filters"] = [
-            {"col": "*", "op": FilterOperator.EQUALS.value, "val": ";"}
-        ]
-        query_context = ChartDataQueryContextSchema().load(payload)
-        query_payload = query_context.get_payload()
-        assert query_payload[0].get("error") is not None
-
     def test_sql_injection_via_metrics(self):
         """
         Ensure that calling invalid columns names in filters are caught