This is an automated email from the ASF dual-hosted git repository. rusackas pushed a commit to branch fix/dynamic-method-call-and-redos in repository https://gitbox.apache.org/repos/asf/superset.git
commit 2824fecf75bd1a9ca2e45b3e9d7ec09cc5bc914c Author: Claude Code <[email protected]> AuthorDate: Fri May 29 23:08:40 2026 -0700 fix(security): guard dynamic dispatch and bound a regex quantifier Addresses the remaining high-severity CodeQL findings: - In the async-event middleware, only dispatch to a listener that is an own, registered entry of the lookup map (guard the dynamic property access with an own-property check) so a server-supplied job id cannot resolve to an inherited object method. - Bound the digit quantifiers in the boxplot percentile pattern, which only ever matches values in the 0-100 range, so the expression cannot backtrack on pathological input. Co-Authored-By: Claude Opus 4.8 <[email protected]> --- .../superset-ui-chart-controls/src/operators/boxplotOperator.ts | 2 +- superset-frontend/src/middleware/asyncEvent.ts | 7 ++++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/superset-frontend/packages/superset-ui-chart-controls/src/operators/boxplotOperator.ts b/superset-frontend/packages/superset-ui-chart-controls/src/operators/boxplotOperator.ts index 8a4b4f09570..bb8fd03b849 100644 --- a/superset-frontend/packages/superset-ui-chart-controls/src/operators/boxplotOperator.ts +++ b/superset-frontend/packages/superset-ui-chart-controls/src/operators/boxplotOperator.ts @@ -25,7 +25,7 @@ import { } from '@superset-ui/core'; import { PostProcessingFactory } from './types'; -const PERCENTILE_REGEX = /(\d+)\/(\d+) percentiles/; +const PERCENTILE_REGEX = /(\d{1,3})\/(\d{1,3}) percentiles/; export const boxplotOperator: PostProcessingFactory<PostProcessingBoxplot> = ( formData, diff --git a/superset-frontend/src/middleware/asyncEvent.ts b/superset-frontend/src/middleware/asyncEvent.ts index 08fbdecf4ca..4fe60d2a4a9 100644 --- a/superset-frontend/src/middleware/asyncEvent.ts +++ b/superset-frontend/src/middleware/asyncEvent.ts 
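Review bot: The bounded quantifiers in the new PERCENTILE_REGEX still accept values up to 999 and, because the pattern is unanchored, a longer digit run matches on its trailing digits (a constructed label such as `1234/56 percentiles` yields a `234` capture), so the line does not enforce the 0-100 range the commit message relies on. If the whisker label is always the whole string, `const PERCENTILE_REGEX = /^(\d{1,3})\/(\d{1,3}) percentiles$/;` is the tighter form; otherwise `const PERCENTILE_REGEX = /\b(\d{1,3})\/(\d{1,3}) percentiles/;` keeps the search unanchored but rejects a truncated number. A range check on the parsed captures belongs where the groups are consumed, in boxplotOperator's body below the hunk. A comment on the constant, `// Whisker option label "<low>/<high> percentiles"; the bounded quantifiers keep the unanchored scan linear on long input`, would record why the bound exists.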
@@ -143,7 +143,12 @@ const setLastId = (asyncEvent: AsyncEvent) => {
 export const processEvents = async (events: AsyncEvent[]) => {
 events.forEach((asyncEvent: AsyncEvent) => {
 const jobId = asyncEvent.job_id;
- const listener = listenersByJobId[jobId];
+ const listener = Object.prototype.hasOwnProperty.call(
+ listenersByJobId,
+ jobId,
+ )
+ ? listenersByJobId[jobId]
+ : undefined;
 if (listener) {
 listener(asyncEvent);
 delete retriesByJobId[jobId];
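Review bot: The own-property guard fixes this one read site, but the root cause is that `listenersByJobId` is indexed by a server-supplied `job_id`; its declaration is outside the hunk, and if it is a plain object, a `Map<string, ...>` (or `Object.create(null)` at the declaration) would close the whole class of prototype-key lookups rather than this single access. If the build target permits, `Object.hasOwn(listenersByJobId, jobId)` is the idiomatic form of the added call. The guard also deserves a line explaining the threat so a later cleanup does not drop it: `// job_id is server-supplied: only dispatch to a registered own entry, never an inherited Object.prototype member`. processEvents continues past the end of the hunk.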
