sha174n opened a new pull request, #39995:
URL: https://github.com/apache/superset/pull/39995
### SUMMARY
The shillelagh URI blocklist in `analytics_db_safety.py` used two separate
patterns (`shillelagh$` and `shillelagh\+apsw$`) that only matched the bare
driver and one specific variant. Other driver suffixes such as `+csv`, `+json`,
and `+gsheets` were not matched, allowing those URIs to bypass the blocklist
check.
This PR replaces both patterns with a single regex
`shillelagh(?:\+[^\s]*)?$` that blocks `shillelagh` regardless of the driver
suffix, consistent with how the existing `sqlite` pattern already handles all
its variants via `sqlite(?:\+[^\s]*)?$`.
### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
N/A — backend-only change.
### TESTING INSTRUCTIONS
1. Run the updated integration test:
```bash
pytest tests/integration_tests/security/analytics_db_safety_tests.py -v
```
All 15 test cases should pass, including the new `shillelagh+csv`,
`shillelagh+json`, and `shillelagh+gsheets` variants.
2. Attempt to create a database connection with `sqlalchemy_uri:
shillelagh+csv:///etc/passwd` via the API — should return a 422 error, not 201.
### ADDITIONAL INFORMATION
- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
