This is an automated email from the ASF dual-hosted git repository.
beto pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/superset.git
The following commit(s) were added to refs/heads/master by this push:
new 1b4d8ddf71 chore: blacklist unsafe functions (#19537)
1b4d8ddf71 is described below
commit 1b4d8ddf7103f3fa18683a0f23dff6d532ad7efa
Author: Beto Dealmeida <[email protected]>
AuthorDate: Tue Apr 5 14:55:30 2022 -0700
chore: blacklist unsafe functions (#19537)
---
.pre-commit-config.yaml | 6 ++++++
superset/databases/utils.py | 2 +-
superset/migrations/versions/620241d1153f_update_time_grain_sqla.py | 4 ++--
superset/migrations/versions/b8d3a24d9131_new_dataset_models.py | 4 ++--
4 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 2429a0153f..b43e10c2cb 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -51,3 +51,9 @@ repos:
- id: prettier
args: ['--ignore-path=./superset-frontend/.prettierignore']
files: 'superset-frontend'
+ # blacklist unsafe functions like make_url (see #19526)
+ - repo: https://github.com/skorokithakis/blacklist-pre-commit-hook
+ rev: e2f070289d8eddcaec0b580d3bde29437e7c8221
+ hooks:
+ - id: blacklist
+ args: ["--blacklisted-names=make_url", "--ignore=tests/"]
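Review bot: The comment above the new hook names the issue but not the sanctioned replacement, so a developer whose commit is rejected has to chase #19526 to find out what to call instead; suggest `# blacklist unsafe functions like make_url (see #19526); use superset.databases.utils.make_url_safe, which turns parse failures into DatabaseInvalidError`. Pinning `rev` to a full commit SHA rather than a tag is the right call for a third-party hook that runs on every commit. Keep in mind that a pre-commit hook only guards commits made with the hooks installed; unless CI also runs `pre-commit run --all-files` (not visible on this page), a raw `make_url` call can still land from a contributor who never ran `pre-commit install`. The `--ignore=tests/` exclusion is fine as long as tests are the only place a bare `make_url` is expected.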
diff --git a/superset/databases/utils.py b/superset/databases/utils.py
index cf54f6da6a..5d22e5fe5c 100644
--- a/superset/databases/utils.py
+++ b/superset/databases/utils.py
@@ -113,6 +113,6 @@ def make_url_safe(raw_url: str) -> URL:
:return:
"""
try:
- return make_url(raw_url.strip())
+ return make_url(raw_url.strip()) # noqa
except Exception:
raise DatabaseInvalidError() # pylint: disable=raise-missing-from
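Review bot: `raise DatabaseInvalidError()` inside `except Exception` keeps the original exception attached as `__context__`, so a rendered traceback still carries the parser's message — and SQLAlchemy's `ArgumentError` typically echoes the offending string, which for a database URI can include credentials; `raise DatabaseInvalidError() from None` suppresses the chaining explicitly and also makes the `pylint: disable=raise-missing-from` unnecessary. The `# noqa` on the `make_url` call marks the one sanctioned caller and deserves a word saying so, e.g. `# noqa  # the single permitted make_url call; everything else goes through make_url_safe`, since a bare `noqa` also silences flake8 on that line. Whether the blacklist hook honours `# noqa` I cannot verify from here — worth confirming the hook actually passes on this file, otherwise this call fails its own check. `make_url_safe` begins above the hunk.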
diff --git
a/superset/migrations/versions/620241d1153f_update_time_grain_sqla.py
b/superset/migrations/versions/620241d1153f_update_time_grain_sqla.py
index 560b6106f4..97bea8f9d1 100644
--- a/superset/migrations/versions/620241d1153f_update_time_grain_sqla.py
+++ b/superset/migrations/versions/620241d1153f_update_time_grain_sqla.py
@@ -30,10 +30,10 @@ import json
from alembic import op
from sqlalchemy import Column, ForeignKey, Integer, Text
-from sqlalchemy.engine.url import make_url
from sqlalchemy.ext.declarative import declarative_base
from superset import db, db_engine_specs
+from superset.databases.utils import make_url_safe
from superset.utils.memoized import memoized
Base = declarative_base()
@@ -46,7 +46,7 @@ class Database(Base):
sqlalchemy_uri = Column(Text)
def grains(self):
- url = make_url(self.sqlalchemy_uri)
+ url = make_url_safe(self.sqlalchemy_uri)
backend = url.get_backend_name()
db_engine_spec = db_engine_specs.engines.get(
backend, db_engine_specs.BaseEngineSpec
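Review bot: With the new `url = make_url_safe(self.sqlalchemy_uri)` line a parse failure surfaces as a bare `DatabaseInvalidError`, whereas the replaced `make_url` raised SQLAlchemy's `ArgumentError` naming the bad string; inside a migration that leaves the operator with no pointer to which `dbs` row holds the malformed URI. Consider catching `DatabaseInvalidError` here and re-raising (or logging before re-raising) with the row's identifier, assuming this migration's `Database` model declares an `id` column above the hunk. Either way the migration aborts on a malformed URI, as it did before, so this is about diagnosability rather than a behaviour change. `grains` starts at the hunk's `def` line and its body continues past the hunk.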
diff --git a/superset/migrations/versions/b8d3a24d9131_new_dataset_models.py
b/superset/migrations/versions/b8d3a24d9131_new_dataset_models.py
index 75f5293034..533f8a9fdc 100644
--- a/superset/migrations/versions/b8d3a24d9131_new_dataset_models.py
+++ b/superset/migrations/versions/b8d3a24d9131_new_dataset_models.py
@@ -31,7 +31,6 @@ from uuid import uuid4
import sqlalchemy as sa
from alembic import op
from sqlalchemy import and_, inspect, or_
-from sqlalchemy.engine.url import make_url
from sqlalchemy.ext.declarative import declarative_base
from sqlalchemy.orm import backref, relationship, Session
from sqlalchemy.schema import UniqueConstraint
@@ -39,6 +38,7 @@ from sqlalchemy_utils import UUIDType
from superset import app, db
from superset.connectors.sqla.models import ADDITIVE_METRIC_TYPES
+from superset.databases.utils import make_url_safe
from superset.extensions import encrypted_field_factory
from superset.migrations.shared.utils import extract_table_references
from superset.models.core import Database as OriginalDatabase
@@ -323,7 +323,7 @@ def after_insert(target: SqlaTable) -> None: # pylint:
disable=too-many-locals
)
if not database:
return
- url = make_url(database.sqlalchemy_uri)
+ url = make_url_safe(database.sqlalchemy_uri)
dialect_class = url.get_dialect()
conditional_quote = dialect_class().identifier_preparer.quote
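Review bot: `make_url_safe` only guards the parse; the very next line, `dialect_class = url.get_dialect()`, loads the dialect's entry point and, as far as I recall SQLAlchemy's behaviour, raises `NoSuchModuleError` when the driver named in a stored URI is not installed in the environment running the migration — so `after_insert` can still abort the upgrade with an unhandled SQLAlchemy error for a legacy row. If the intent is for this migration to tolerate bad `dbs` rows, the `get_dialect()` call needs the same treatment, e.g. catching `NoSuchModuleError` and either skipping the row with a log line or re-raising with the database id. If the intent is simply to fail fast, a one-line comment above the call saying that a missing driver is expected to abort the migration would spare the next reader the same question. `after_insert` starts before the hunk and its body continues past it.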