Posted to commits@superset.apache.org by el...@apache.org on 2021/12/08 22:02:30 UTC
[superset] branch 1.4 updated: chore(datasets): Sanitizing /save response (#17579)
This is an automated email from the ASF dual-hosted git repository.
elizabeth pushed a commit to branch 1.4
in repository https://gitbox.apache.org/repos/asf/superset.git
The following commit(s) were added to refs/heads/1.4 by this push:
new 9837fef chore(datasets): Sanitizing /save response (#17579)
9837fef is described below
commit 9837feff19895a5371ab5c54975a64f3c0787361
Author: Craig Rueda <cr...@craigrueda.com>
AuthorDate: Mon Nov 29 20:07:06 2021 -0800
chore(datasets): Sanitizing /save response (#17579)
(cherry picked from commit ac76defc05f3f3d1d40f449f023cd96661147e82)
---
superset/views/core.py | 8 +++-----
superset/views/datasource/views.py | 5 +++--
superset/views/utils.py | 9 +++++++++
3 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/superset/views/core.py b/superset/views/core.py
index 6dfa630..148c69d 100755
--- a/superset/views/core.py
+++ b/superset/views/core.py
@@ -154,6 +154,7 @@ from superset.views.utils import (
get_form_data,
get_viz,
is_owner,
+ sanitize_datasource_data,
)
from superset.viz import BaseViz
@@ -850,9 +851,6 @@ class Superset(BaseSupersetView): # pylint: disable=too-many-public-methods
}
try:
datasource_data = datasource.data if datasource else dummy_datasource_data
- datasource_database = datasource_data.get("database")
- if datasource_database:
- datasource_database["parameters"] = {}
except (SupersetException, SQLAlchemyError):
datasource_data = dummy_datasource_data
@@ -862,7 +860,7 @@ class Superset(BaseSupersetView): # pylint: disable=too-many-public-methods
bootstrap_data = {
"can_add": slice_add_perm,
"can_download": slice_download_perm,
- "datasource": datasource_data,
+ "datasource": sanitize_datasource_data(datasource_data),
"form_data": form_data,
"datasource_id": datasource_id,
"datasource_type": datasource_type,
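Review bot: The scrub is opt-in per call site: `"datasource": sanitize_datasource_data(datasource_data)` here, the `json_success(...)` return in the next hunk, and both `json_response(...)` returns in superset/views/datasource/views.py each wrap the payload by hand. Any other view that serializes `datasource.data` (none are visible in this diff) would still return the database `parameters` unless someone remembers the wrapper. A regression test that requests each of these endpoints and asserts `response["database"]["parameters"] == {}` would pin the behaviour. If further call sites exist, it may be safer to apply the scrub where the payload is built rather than where it is returned. The enclosing method starts and ends outside this hunk.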
@@ -2613,7 +2611,7 @@ class Superset(BaseSupersetView): # pylint: disable=too-many-public-methods
return json_error_response(DATASOURCE_MISSING_ERR)
datasource.raise_for_access()
- return json_success(json.dumps(datasource.data))
+ return json_success(json.dumps(sanitize_datasource_data(datasource.data)))
@has_access_api
@event_logger.log_this
diff --git a/superset/views/datasource/views.py b/superset/views/datasource/views.py
index 2b5ed89..e2cb204 100644
--- a/superset/views/datasource/views.py
+++ b/superset/views/datasource/views.py
@@ -51,6 +51,7 @@ from superset.views.datasource.schemas import (
ExternalMetadataSchema,
get_external_metadata_schema,
)
+from superset.views.utils import sanitize_datasource_data
class Datasource(BaseSupersetView):
@@ -123,7 +124,7 @@ class Datasource(BaseSupersetView):
data = orm_datasource.data
db.session.commit()
- return self.json_response(data)
+ return self.json_response(sanitize_datasource_data(data))
@expose("/get/<datasource_type>/<datasource_id>/")
@has_access_api
@@ -133,7 +134,7 @@ class Datasource(BaseSupersetView):
datasource = ConnectorRegistry.get_datasource(
datasource_type, datasource_id, db.session
)
- return self.json_response(datasource.data)
+ return self.json_response(sanitize_datasource_data(datasource.data))
@expose("/external_metadata/<datasource_type>/<datasource_id>/")
@has_access_api
diff --git a/superset/views/utils.py b/superset/views/utils.py
index 035f332..15b312d 100644
--- a/superset/views/utils.py
+++ b/superset/views/utils.py
@@ -61,6 +61,15 @@ if not app.config["ENABLE_JAVASCRIPT_CONTROLS"]:
REJECTED_FORM_DATA_KEYS = ["js_tooltip", "js_onclick_href", "js_data_mutator"]
+def sanitize_datasource_data(datasource_data: Dict[str, Any]) -> Dict[str, Any]:
+ if datasource_data:
+ datasource_database = datasource_data.get("database")
+ if datasource_database:
+ datasource_database["parameters"] = {}
+
+ return datasource_data
+
+
def bootstrap_user_data(user: User, include_perms: bool = False) -> Dict[str, Any]:
if user.is_anonymous:
payload = {}
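Review bot: `sanitize_datasource_data` has no docstring, and it blanks `database["parameters"]` on the caller's own dict while also returning that dict, so the scrub is a hidden side effect on whatever object `.data` handed back. Returning a shallow copy makes the contract explicit; the four call sites in this commit already use the return value, so they are unaffected. The helper is also a one-key denylist: whatever else the `database` dict carries passes through untouched. Whether that matters cannot be judged from this hunk, so the docstring should say plainly that only `parameters` is cleared.
```python
def sanitize_datasource_data(datasource_data: Dict[str, Any]) -> Dict[str, Any]:
    """Return datasource_data with the database connection parameters blanked.

    Only ``database["parameters"]`` is cleared; the input dict is not modified.
    """
    if not datasource_data:
        return datasource_data
    datasource_database = datasource_data.get("database")
    if not datasource_database:
        return datasource_data
    return {
        **datasource_data,
        "database": {**datasource_database, "parameters": {}},
    }
```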