aminghadersohi opened a new pull request, #39915: URL: https://github.com/apache/superset/pull/39915
### Summary

Addresses validation rigidity in the `generate_chart` MCP tool that caused unnecessary failures when using valid but unconventionally-named columns.

**Changes:**

1. **Relax column name regex** — Remove the `pattern=r"^[a-zA-Z0-9_][a-zA-Z0-9_\s\-\.]*$"` constraint from `ColumnRef.name`, `FilterConfig.column`, and `BigNumberChartConfig.temporal_column`. Many real-world column names (digit-prefixed like `1Q_revenue`, hyphenated like `order-date`) were silently rejected with cryptic pydantic errors. The existing `sanitize_name()` / `sanitize_column()` validators already block XSS and SQL injection — the regex added no security value and only hurt usability.
2. **Add `sanitize_temporal_column` validator** — `BigNumberChartConfig.temporal_column` now has a field_validator using `sanitize_user_input` with `check_sql_keywords=True`, matching the protection level of `ColumnRef.sanitize_name`.
3. **Add `check_sql_keywords=True` to `FilterConfig.sanitize_column`** — ensures SQL injection patterns are blocked for filter column names.
4. **Extend docstring examples** — Add `generate_chart` usage examples for all supported chart types: `pie`, `big_number` (with and without trendline), `pivot_table`, `mixed_timeseries`, `handlebars`. Update IMPORTANT section to list all 7 supported chart types.
5. **Improve validation error messages** — Extract `_format_single_error` helper from `_enhance_validation_error` (reduces cyclomatic complexity) and make the fallback produce type-specific, actionable messages for `string_pattern_mismatch`, `missing`, and `value_error` pydantic error types. `literal_error` preserves the original pydantic "Input should be ..." message.
6. **Tests** — New `TestColumnRefNameRelaxedPattern` and `TestFilterConfigColumnRelaxedPattern` classes verify: digit-prefixed and hyphenated column names now pass; script-tag XSS is blocked (nh3 strips to empty, empty-value guard rejects); event-handler injection is blocked; SQL injection is blocked; `FilterConfig` SQL injection is blocked.

### Testing

- [ ] Unit tests: `pytest tests/unit_tests/mcp_service/chart/test_chart_schemas.py -x`
- [ ] Manual: `generate_chart` with a column named `1Q_revenue` or `order-date` succeeds
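The validation model the PR describes (no name-shape regex, a sanitizer that rejects empty-after-stripping, event-handler and SQL-keyword input), shown as an added stand-alone example that is not Superset's code: `sanitize_user_input`, `ColumnRef` and the tag-stripping regex here are hypothetical stand-ins for the project's pydantic validators and the nh3 library, and the keyword list is a constructed sample.

```python
import re
from dataclasses import dataclass

# Constructed sample keyword list; "order" is deliberately absent so that a
# column such as "order-date" is still accepted, as the PR expects.
SQL_KEYWORDS = {"select", "insert", "update", "delete", "drop",
                "union", "alter", "exec", "truncate"}
# Stand-in for nh3: drops <script> elements with their content, then any other tag.
TAG_RE = re.compile(r"<script[^>]*>.*?</script>|<[^>]*>", re.IGNORECASE | re.DOTALL)
EVENT_HANDLER_RE = re.compile(r"\bon\w+\s*=", re.IGNORECASE)
SQL_TERMINATOR_RE = re.compile(r"(--|/\*|;)")


def sanitize_user_input(value: str, check_sql_keywords: bool = False) -> str:
    """Hypothetical sanitizer mirroring the guards the PR describes.

    Returns the cleaned value or raises ValueError, which is what a pydantic
    field_validator would surface as a validation error.
    """
    cleaned = TAG_RE.sub("", value).strip()
    if not cleaned:  # "<script>...</script>" strips to nothing: empty-value guard
        raise ValueError("column name is empty after sanitization")
    if EVENT_HANDLER_RE.search(cleaned):
        raise ValueError("event-handler injection pattern rejected")
    if check_sql_keywords:
        if SQL_TERMINATOR_RE.search(cleaned):
            raise ValueError("SQL comment or statement terminator rejected")
        # Whole tokens only, so "updated_at" or "delete_flag" are not keyword hits.
        tokens = set(re.findall(r"[A-Za-z_]+", cleaned.lower()))
        if tokens & SQL_KEYWORDS:
            raise ValueError("SQL keyword rejected in column name")
    return cleaned


@dataclass
class ColumnRef:
    """Stand-in for the pydantic ColumnRef: no regex on name, sanitizer only."""
    name: str

    def __post_init__(self) -> None:  # plays the role of the field_validator
        self.name = sanitize_user_input(self.name, check_sql_keywords=True)


def is_accepted(name: str) -> bool:
    """True if the name survives the validator, False if it is rejected."""
    try:
        ColumnRef(name)
        return True
    except ValueError:
        return False
```

Note that a column literally named `select` is rejected by the keyword check; that is the trade-off of blocking keywords instead of quoting identifiers, and is the behaviour the PR keeps.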
