codeant-ai-for-open-source[bot] commented on PR #38777:
URL: https://github.com/apache/superset/pull/38777#issuecomment-4101320648
## **Sequence Diagram**
This PR updates documentation to clarify that server-side Jinja templating
can lead to remote code execution when edit permissions are given to untrusted
users. It also highlights that `url_param` values are injected raw and recommends
an allowlist pattern before SQL execution.
```mermaid
sequenceDiagram
participant Admin
participant Editor
participant Viewer
participant Superset
participant Database
Admin->>Superset: Enable template processing only for trusted editors
Editor->>Superset: Create SQL template with url_param handling
Viewer->>Superset: Open chart with URL parameter
Superset->>Superset: Render Jinja on server using raw url_param value
alt Allowlist applied in template
Superset->>Database: Execute SQL with validated parameter
else No allowlist
Superset->>Database: Execute SQL with user controlled input
end
Database-->>Superset: Return query result
Superset-->>Viewer: Return chart data
```
---
*Generated by [CodeAnt AI](https://codeant.ai)*
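The raw-versus-allowlist branch in the diagram above, as an added example that is not part of the bot comment, the PR, or Superset's code base. It renders a Jinja SQL template the way a virtual dataset would be rendered, once with the URL value spliced in raw and once behind an allowlist. It assumes `jinja2` (Superset's template engine) is installed; the `url_param` function is a constructed stand-in that returns the query-string value unchanged, and the `sales` table and its columns are constructed too.

```python
# Added example (not from the PR or from Superset's code base). It renders a
# Jinja SQL template the way a Superset virtual dataset would, once with the
# url_param value spliced in raw and once behind an allowlist. The url_param
# function here is a constructed stand-in that returns the query-string value
# unchanged; the table and column names are constructed as well.
from urllib.parse import parse_qs

from jinja2 import Environment  # Superset's template engine; assumed installed

# Template as an untrusted editor might write it: the URL value lands raw
# inside a quoted SQL literal, so a quote in the value breaks out of it.
RAW_TEMPLATE = """\
SELECT region, SUM(sales) AS total
FROM sales
WHERE region = '{{ url_param('region') }}'
GROUP BY region
"""

# Same query with the allowlist pattern the PR's documentation recommends:
# the URL value is used only if it is one of a fixed set of literals and a
# safe default is used otherwise. Anything outside the set never reaches the
# SQL text, so quoting tricks in the URL have nothing to break out of.
ALLOWLIST_TEMPLATE = """\
{% set allowed = ['us', 'eu', 'apac'] %}
{% set requested = url_param('region', 'us') %}
{% set region = requested if requested in allowed else 'us' %}
SELECT region, SUM(sales) AS total
FROM sales
WHERE region = '{{ region }}'
GROUP BY region
"""


def make_url_param(query_string):
    """Build a url_param(name, default) lookup over a chart URL's query string.

    Constructed stand-in for Superset's macro: it returns the first value for
    the parameter exactly as received, which is the "injected raw" behaviour
    the PR documents.
    """
    params = parse_qs(query_string)

    def url_param(name, default=None):
        values = params.get(name)
        return values[0] if values else default

    return url_param


def render_sql(template, query_string):
    """Render a Jinja SQL template against a chart URL's query string.

    Autoescape stays off: SQL is not HTML, so HTML escaping would not help
    here in any case. trim_blocks/lstrip_blocks only tidy the output.
    """
    env = Environment(trim_blocks=True, lstrip_blocks=True)
    sql = env.from_string(template).render(url_param=make_url_param(query_string))
    return sql.strip()


if __name__ == "__main__":
    hostile = "region=' OR '1'='1"
    print("--- raw template, hostile URL ---")
    print(render_sql(RAW_TEMPLATE, hostile))
    print("--- allowlist template, hostile URL ---")
    print(render_sql(ALLOWLIST_TEMPLATE, hostile))
    print("--- allowlist template, legitimate URL ---")
    print(render_sql(ALLOWLIST_TEMPLATE, "region=eu"))
```

With the hostile query string the raw template renders `WHERE region = '' OR '1'='1'`, while the allowlist template renders `WHERE region = 'us'`. Two points to keep in mind when adopting the pattern: the allowed set must be a fixed list of literals in the template, never something derived from the request, and the final `{{ region }}` is still plain string interpolation, so the allowlist is the only thing keeping it safe. Where silently falling back to a default is undesirable, the `else` branch can instead fail closed (for example by emitting a `WHERE 1 = 0` condition) so that a rejected parameter returns no rows rather than the default region's data.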
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]