bito-code-review[bot] commented on code in PR #39906:
URL: https://github.com/apache/superset/pull/39906#discussion_r3194637132


##########
superset-frontend/plugins/preset-chart-deckgl/src/utils/crossFiltersDataMask.ts:
##########
@@ -436,6 +478,40 @@ const getGeojsonFilters = ({
   formData: LayerFormData;
   data: PickingInfo;
 }): FilterResult => {
+  // Preferred path: emit on a property of the picked GeoJSON Feature.
+  if (formData.cross_filter_column) {
+    const col = formData.cross_filter_column;
+    const properties = (data.object?.properties ?? {}) as Record<
+      string,
+      unknown
+    >;
+    const dimensionVal = properties[col] as
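Review bot: `properties[col]` on the hunk's last line reads through the prototype chain, so a `cross_filter_column` of `constructor`, `toString` or `__proto__` yields a function or `Object.prototype` instead of `undefined`, and the `as` cast that begins there is a compile-time assertion with no runtime effect. Read only own properties and check the value's type before it is emitted, e.g. `const raw = Object.hasOwn(properties, col) ? properties[col] : undefined;` followed by a `typeof` check, rather than relying on the cast. The statement is cut off at `as`, so the union type and the code that consumes `dimensionVal` are not visible in this hunk.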

Review Comment:
   <div>
   
   
   <div id="suggestion">
   <div id="issue"><b>CWE-1321: Object injection vulnerability in GeoJSON 
properties access</b></div>
   <div id="fix">
   
   Dynamic property access on the `properties` object using the `col` variable 
(line 488) creates a Generic Object Injection vulnerability 
([CWE-1321](https://cwe.mitre.org/data/definitions/1321.html)). This is a 
similar issue to line 424. Validate the `cross_filter_column` value before 
using it as an object key to prevent prototype pollution attacks.
   </div>
   
   
   <details>
   <summary>
   <b>Code suggestion</b>
   </summary>
   <blockquote>Check the AI-generated fix before applying</blockquote>
   <div id="code">
   
   
   ```
    -    const dimensionVal = properties[col] as
    +    // Validate column name to prevent object injection
    +    if (!/^[a-zA-Z_][a-zA-Z0-9_]*$/.test(col)) {
    +      console.warn(`Invalid column name: ${col}`);
    +      // Fall through to legacy path
    +    } else {
    +      const dimensionVal = properties[col] as
           | string
           | number
           | boolean
           | null
           | undefined;
    +    }
       }
   ```
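Review bot: the regex in the suggested fix accepts `constructor`, `toString` and `__proto__` (all identifier-shaped), so it does not block the inherited-key reads the issue text describes; an own-property check such as `Object.hasOwn(properties, col)` is the guard that does. The suggestion also moves `const dimensionVal` into the `else` block, where it is block-scoped, so code after that block that uses `dimensionVal` would no longer compile, and the "Fall through to legacy path" comment has no effect without an explicit early return from the `if (formData.cross_filter_column)` branch. Before rejecting every name that is not identifier-shaped, confirm that all column names the selector can produce match the pattern.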
   
   </div>
   </details>
   
   
   
   </div>
   
   
   
   
   <small><i>Code Review Run #7bad6c</i></small>
   </div>
   
   ---
   Should Bito avoid suggestions like this for future reviews? (<a 
href=https://alpha.bito.ai/home/ai-agents/review-rules>Manage Rules</a>)
   - [ ] Yes, avoid them



##########
superset-frontend/plugins/preset-chart-deckgl/src/utils/crossFiltersDataMask.ts:
##########
@@ -408,11 +409,52 @@ const getLineColumnFilters = ({
   data: PickingInfo;
 }): FilterResult => {
   const path = (data?.object?.path || data.object?.polygon) as string;
-  const val = JSON.stringify(path);
 
   if (!formData.line_column) throw new Error('Line column is required');
   if (!path) throw new Error('Position of picked data is required');
 
+  // Preferred path: emit on a dimension column the user selected. The value
+  // can land either directly on the picked feature (groupby/excluded keys are
+  // spread by addPropertiesToFeature) or under extraProps when it overlaps
+  // with js_columns (addJsColumnsToExtraProps).
+  if (formData.cross_filter_column) {
+    const col = formData.cross_filter_column;
+    const obj = data.object ?? {};
+    const extraProps = (obj.extraProps ?? {}) as Record<string, unknown>;
+    const dimensionVal = (obj[col] ?? extraProps[col]) as
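Review bot: `obj[col] ?? extraProps[col]` on the last line only falls back when the first read is null or undefined, so an inherited key such as `constructor` or `toString` on `obj` is returned as the dimension value, and a column named like a key already on the picked object (`path`, `polygon`, `extraProps`) returns that structure instead of data. Guard both reads with `Object.hasOwn` and reject non-primitive values before the cast that starts here. Two smaller points: `data?.object?.path || data.object?.polygon` on the first context line mixes optional chaining, so if `data` were undefined the second operand would throw rather than short-circuit; and `const val = JSON.stringify(path)` is removed here while the legacy path that consumed it is outside the hunk, so confirm it is still computed before use.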

Review Comment:
   <div>
   
   
   <div id="suggestion">
   <div id="issue"><b>CWE-1321: Object injection vulnerability via dynamic 
property access</b></div>
   <div id="fix">
   
   Dynamic property access on `obj` and `extraProps` using the user-controlled 
`col` variable (line 424) creates a Generic Object Injection vulnerability 
([CWE-1321](https://cwe.mitre.org/data/definitions/1321.html)). Similar issues 
exist at line 488. Validate or sanitize the `cross_filter_column` value before 
using it as an object key.
   </div>
   
   
   <details>
   <summary>
   <b>Code suggestion</b>
   </summary>
   <blockquote>Check the AI-generated fix before applying</blockquote>
   <div id="code">
   
   
   ```
    -    const dimensionVal = (obj[col] ?? extraProps[col]) as
    +    // Validate column name to prevent object injection
    +    if (!/^[a-zA-Z_][a-zA-Z0-9_]*$/.test(col)) {
    +      console.warn(`Invalid column name: ${col}`);
    +      // Fall through to legacy path
    +    } else {
    +      const dimensionVal = (obj[col] ?? extraProps[col]) as
           | string
           | number
           | boolean
           | null
           | undefined;
    +    }
       }
   ```
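Review bot: the identifier regex admits `constructor`, `toString` and `__proto__`, so `obj[col] ?? extraProps[col]` still reads inherited keys after this fix; an own-property check (`Object.hasOwn`) on `obj` and on `extraProps` is what prevents that. Declaring `const dimensionVal` inside the `else` block also takes it out of scope for the code that follows, and nothing in the suggestion actually falls through to the legacy path, so the branch needs an early return or the declaration hoisted above the check.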
   
   </div>
   </details>
   
   
   
   </div>
   
   
   
   
   <small><i>Code Review Run #7bad6c</i></small>
   </div>
   
   ---
   Should Bito avoid suggestions like this for future reviews? (<a 
href=https://alpha.bito.ai/home/ai-agents/review-rules>Manage Rules</a>)
   - [ ] Yes, avoid them
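As an added example, not code from the Superset PR or from the review bot, the lookup both comments flag, written once in the hunk's shape and once with an own-property and primitive-type guard. It goes beyond the two hunks by probing the same picked object with prototype keys and with a key deck.gl itself places on the object. The picked-object layout (groupby columns spread onto the object, js_columns under `extraProps`) follows the PR's own comment; the sample object, the `readUnguarded`/`readGuarded`/`probe` names and the `region`/`trip_id` columns are assumptions made up for illustration.

```typescript
// Added example, not code from the Superset PR or from the review bot.
// Models a column name taken from chart form data (`cross_filter_column`)
// used as a key into the picked deck.gl object. All identifiers below are
// assumptions for illustration.

type Primitive = string | number | boolean | null | undefined;
type PickedObject = Record<string, unknown> & {
  extraProps?: Record<string, unknown>;
};

function hasOwn(o: object, key: string): boolean {
  return Object.prototype.hasOwnProperty.call(o, key);
}

function isPrimitive(v: unknown): v is Primitive {
  switch (typeof v) {
    case 'string':
    case 'number':
    case 'boolean':
    case 'undefined':
      return true;
    default:
      return v === null;
  }
}

// Shape of the read in the hunk: `??` only falls through on null/undefined,
// so inherited keys (constructor, toString, __proto__) come back as values.
function readUnguarded(obj: PickedObject, col: string): unknown {
  const extraProps = (obj.extraProps ?? {}) as Record<string, unknown>;
  return obj[col] ?? extraProps[col];
}

// Hardened read: only an own property holding a primitive qualifies; anything
// else yields undefined so the caller can take its legacy path.
function readGuarded(obj: PickedObject, col: string): Primitive {
  const extraProps = (obj.extraProps ?? {}) as Record<string, unknown>;
  const source = hasOwn(obj, col)
    ? obj
    : hasOwn(extraProps, col)
      ? extraProps
      : undefined;
  if (source === undefined) return undefined;
  const v = source[col];
  return isPrimitive(v) ? v : undefined;
}

// The identifier regex from the bot's suggestion. Prototype keys are
// identifier-shaped, so it accepts the very names it is meant to reject.
const IDENT_RE = /^[a-zA-Z_][a-zA-Z0-9_]*$/;

// Constructed sample (not real chart data): one groupby column on the object,
// one js_column under extraProps, plus the geometry deck.gl attaches.
const samplePicked: PickedObject = {
  path: [[0, 0], [1, 1]],
  region: 'EMEA',
  extraProps: { trip_id: 42 },
};

interface Probe {
  unguarded: string; // typeof the value the hunk-style read returns
  guarded: Primitive; // what the hardened read returns
  regexAccepts: boolean; // whether the suggested regex would let `col` through
}

function probe(obj: PickedObject, col: string): Probe {
  return {
    unguarded: typeof readUnguarded(obj, col),
    guarded: readGuarded(obj, col),
    regexAccepts: IDENT_RE.test(col),
  };
}

['region', 'trip_id', 'constructor', '__proto__', 'extraProps', 'missing'].forEach(
  col => {
    console.log(col, probe(samplePicked, col));
  },
);
```

Running it shows `constructor` and `__proto__` coming back as `function` and `object` from the unguarded read while the regex accepts both, and `extraProps` (an own key, but not a primitive) rejected by the guarded read; the guard is the own-property check plus the runtime type check, not the name pattern.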



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

