
chore: block unsafe functions #19537

Merged (1 commit), Apr 5, 2022

Conversation

@betodealmeida (Member) commented Apr 5, 2022

SUMMARY

Add pre-commit hook to disallow unsafe functions like make_url.


codecov bot commented Apr 5, 2022

Codecov Report

Merging #19537 (f92d20e) into master (f64d654) will decrease coverage by 0.19%.
The diff coverage is 62.50%.

❗ Current head f92d20e differs from pull request most recent head b9049a5. Consider uploading reports for the commit b9049a5 to get more accurate results

```diff
@@            Coverage Diff             @@
##           master   #19537      +/-   ##
==========================================
- Coverage   66.59%   66.40%   -0.20%     
==========================================
  Files        1682     1682              
  Lines       64302    64311       +9     
  Branches     6554     6559       +5     
==========================================
- Hits        42824    42706     -118     
- Misses      19777    19904     +127     
  Partials     1701     1701              
```

| Flag | Coverage Δ |
|------|------------|
| hive | ? |
| mysql | 81.90% <100.00%> (ø) |
| postgres | 81.95% <100.00%> (ø) |
| presto | ? |
| python | 82.00% <100.00%> (-0.40%) ⬇️ |
| sqlite | ? |
| unit | ? |

Flags with carried forward coverage won't be shown.

| Impacted Files | Coverage Δ |
|----------------|------------|
| ...c/views/CRUD/data/database/DatabaseModal/index.tsx | 32.79% <ø> (ø) |
| superset-frontend/src/views/CRUD/hooks.ts | 46.36% <0.00%> (-0.80%) ⬇️ |
| ...rset-frontend/src/explore/components/SaveModal.tsx | 66.19% <100.00%> (+2.01%) ⬆️ |
| superset/databases/utils.py | 80.95% <100.00%> (ø) |
| superset/db_engines/hive.py | 0.00% <0.00%> (-85.19%) ⬇️ |
| superset/db_engine_specs/hive.py | 70.11% <0.00%> (-15.71%) ⬇️ |
| superset/connectors/sqla/utils.py | 89.13% <0.00%> (-5.44%) ⬇️ |
| superset/db_engine_specs/sqlite.py | 91.89% <0.00%> (-5.41%) ⬇️ |
| superset/db_engine_specs/presto.py | 83.64% <0.00%> (-5.39%) ⬇️ |
| ... and 11 more | |


Legend
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update f64d654...b9049a5.

@pull-request-size pull-request-size bot added size/S and removed size/XS labels Apr 5, 2022
@betodealmeida betodealmeida requested a review from a team as a code owner April 5, 2022 20:05
@@ -113,6 +113,6 @@ def make_url_safe(raw_url: str) -> URL:
:return:
"""
try:
return make_url(raw_url.strip())
return make_url(raw_url.strip()) # noqa
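Review bot: the bare `# noqa` appended to `return make_url(raw_url.strip())` inside `make_url_safe` silences every linter on that line, not only the new unsafe-function check, and any other call site can add the same comment to pass the hook. Prefer an exemption tied to location (the `make_url_safe` wrapper itself, or an explicit allow-list of paths) or at least a rule-specific marker that the hook looks for, and add a short comment on the line stating why this is the one sanctioned direct call.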
A maintainer (Member) commented on this line:

This seems like a pretty easy way to get around this filter :)

betodealmeida (Member, author) replied:

Shhh, it's secret!
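The hook described in the summary and the `# noqa` bypass joked about above, as an added example that is not the project's own pre-commit hook: an AST-based check that exempts calls by their enclosing function rather than by a line comment, so a stray `# noqa` does not turn the check off. The banned name `make_url` and the wrapper name `make_url_safe` come from this PR; the `BANNED`/`ALLOWED_WRAPPERS` sets and the `main` entry point are assumptions made for the demonstration.

```python
# Added example, not the project's own hook: an AST-based pre-commit check
# that flags direct calls to banned helpers such as make_url everywhere
# except inside an explicitly allowed wrapper. The banned names and the
# wrapper name below are assumptions for the demonstration.
import ast
import sys
from typing import List, Tuple

BANNED = {"make_url"}                  # callers must not use these directly
ALLOWED_WRAPPERS = {"make_url_safe"}   # the only functions allowed to call them


def _callee_name(node: ast.Call) -> str:
    # `make_url(...)` -> "make_url"; `sqlalchemy.engine.make_url(...)` -> "make_url"
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    return func.attr if isinstance(func, ast.Attribute) else ""


def find_banned_calls(source: str) -> List[Tuple[int, str]]:
    """Return (lineno, name) for each banned call made outside an allowed
    wrapper. The exemption follows the enclosing function name, so a
    `# noqa` comment on the offending line cannot silence the check."""
    findings: List[Tuple[int, str]] = []

    def walk(node: ast.AST, inside_wrapper: bool) -> None:
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            inside_wrapper = inside_wrapper or node.name in ALLOWED_WRAPPERS
        if isinstance(node, ast.Call) and not inside_wrapper:
            name = _callee_name(node)
            if name in BANNED:
                findings.append((node.lineno, name))
        for child in ast.iter_child_nodes(node):
            walk(child, inside_wrapper)

    walk(ast.parse(source), False)
    return findings


def main(paths: List[str]) -> int:
    """pre-commit entry point: a non-zero exit status blocks the commit."""
    status = 0
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            for lineno, name in find_banned_calls(fh.read()):
                print(f"{path}:{lineno}: direct call to {name}() is not allowed")
                status = 1
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Wired into `.pre-commit-config.yaml` as a local hook with `language: python` and `types: [python]`, it receives the staged file paths as arguments.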

@betodealmeida betodealmeida merged commit 1b4d8dd into apache:master Apr 5, 2022
philipher29 pushed a commit to ValtechMobility/superset that referenced this pull request Jun 9, 2022
@mistercrunch mistercrunch added 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels 🚢 2.0.0 labels Mar 13, 2024