Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2019/07/01 22:41:45 UTC

[GitHub] [incubator-superset] mistercrunch commented on a change in pull request #7808: handle SQL injection in the custom where clause for superset visualization queries

mistercrunch commented on a change in pull request #7808: handle SQL injection in the custom where clause for superset visualization queries
URL: https://github.com/apache/incubator-superset/pull/7808#discussion_r299243621
 
 

 ##########
 File path: superset/utils/core.py
 ##########
 @@ -1095,12 +1098,27 @@ def split_adhoc_filters_into_base_filters(fd):
                     sql_where_filters.append(adhoc_filter.get('sqlExpression'))
                 elif clause == 'HAVING':
                     sql_having_filters.append(adhoc_filter.get('sqlExpression'))
+
+        if (sql_where_filters and validate(sql_where_filters)) or (simple_where_filters and validate(simple_where_filters)):
+            raise Exception(_('Invalid query filters defined.'))
+
         fd['where'] = ' AND '.join(['({})'.format(sql) for sql in sql_where_filters])
         fd['having'] = ' AND '.join(['({})'.format(sql) for sql in sql_having_filters])
         fd['having_filters'] = simple_having_filters
         fd['filters'] = simple_where_filters
 
 
+def validate(customClause):
+    """Validates if the custom where clause contains a word matching the list of pre-defined bad characters"""
+    tempList = split(customClause)
+    return any(word in tempList for word in BAD_CHARACTER_LIST)
+
+
+def split(customClause):
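Review bot: The new guard `if (sql_where_filters and validate(sql_where_filters)) or (simple_where_filters and validate(simple_where_filters)):` validates only the WHERE side, while `sql_having_filters`, collected two lines earlier from the same user-supplied `sqlExpression`, is still joined verbatim into `fd['having']` on the unchanged line below, so a custom HAVING clause bypasses the check entirely. Covering all three lists is a one-line change: `if any(f and validate(f) for f in (sql_where_filters, sql_having_filters, simple_where_filters)):`. More broadly, a word-level denylist is a weak control for SQL injection: `word in tempList` is an exact, case-sensitive membership test, so tokens differing in case, fused to punctuation, or hidden behind comments would presumably slip through unless `split` normalises them — its body lies outside this hunk, so that cannot be confirmed here. Raising a project-specific exception instead of bare `Exception` would also let callers tell a rejected filter apart from an unexpected failure.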
 
 Review comment:
   no camel case
