Re: [PR] fix(mcp): relax column name regex, improve generate_chart validation errors and examples [superset]

Thu, 07 May 2026 15:21:00 -0700 


Copilot commented on code in PR #39915:
URL: https://github.com/apache/superset/pull/39915#discussion_r3205018561


##########
superset/mcp_service/chart/validation/schema_validator.py:
##########
@@ -525,6 +525,38 @@ def _pre_validate_mixed_timeseries_config(
 
         return True, None
 
+    @staticmethod
+    def _format_single_error(err: Dict[str, Any]) -> tuple[str, str]:
+        """Return (detail_message, optional_suggestion) for one pydantic 
error."""
+        loc_parts = [str(p) for p in err.get("loc", [])]
+        loc = " -> ".join(loc_parts)
+        msg = err.get("msg", "Validation failed")
+        err_type = err.get("type", "")
+        field = loc_parts[-1] if loc_parts else "field"
+
+        if err_type == "string_pattern_mismatch":
+            return (
+                f"'{field}' value contains disallowed characters. "
+                "Column names must not contain HTML, script tags, or SQL "
+                "injection patterns. Use the exact column name from your 
dataset.",
+                "Use get_dataset_info to find exact column names",
+            )

Review Comment:
   The `string_pattern_mismatch` branch hard-codes a message about column-name 
security (HTML/script tags/SQL injection), but this error type is generic and 
can apply to any regex/pattern-constrained field. Consider making the message 
pattern/field-specific (e.g., reference the expected format/pattern from err 
ctx) so the feedback isn’t misleading when the mismatch occurs on non-column 
fields.
   



##########
superset/mcp_service/chart/schemas.py:
##########
@@ -743,7 +746,10 @@ class FilterConfig(BaseModel):
         ...,
         min_length=1,
         max_length=255,
-        pattern=r"^[a-zA-Z0-9_][a-zA-Z0-9_\s\-\.]*$",
+        # No regex pattern: sanitize_name() already blocks XSS/SQL injection;

Review Comment:
   The inline comment for `FilterConfig.column` says “sanitize_name() already 
blocks XSS/SQL injection”, but this field is validated by `sanitize_column()`. 
Updating the comment to reference the correct validator would avoid confusion 
when maintaining these security checks.
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to