rusackas opened a new pull request, #40546: URL: https://github.com/apache/superset/pull/40546
### SUMMARY Resolves a batch of CodeQL static-analysis findings: - **URL sinks (9):** route user/DOM-derived URLs through `@braintree/sanitize-url` before they reach navigation (`window.location`) and anchor `href` sinks, so only safe URL schemes are followed. Applied at the shared helpers where possible (`parseUrl`, `navigateTo`) and at the remaining call sites (SQL Lab export/save, datasource editor, generic link, DB modal docs link, list-view card, client form action). - **Log hygiene (2):** drop connection-host details from two informational log lines in the MCP Redis storage helper, since the value was derived from a credential-bearing connection URL. Adds `@braintree/sanitize-url` (the de-facto standard URL sanitizer) as a dependency of the frontend app and of `@superset-ui/core`. ### TESTING INSTRUCTIONS - [ ] CI passes (frontend lint/type-check/build, Python checks) - [ ] Existing links/navigation continue to work (safe URLs pass through the sanitizer unchanged; relative URLs are unaffected) - [ ] The relevant CodeQL alerts no longer appear after the next scan ### ADDITIONAL INFORMATION - [ ] Has associated issue: addresses code-scanning alerts - [ ] Required feature flags: n/a - [ ] Changes UI: No (behavior preserved for valid URLs) - [ ] Includes DB Migration: No - [ ] Introduces new feature or API: No - [ ] Removes existing feature or API: No 🤖 Generated with [Claude Code](https://claude.com/claude-code) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
