hainenber opened a new pull request, #40562: URL: https://github.com/apache/superset/pull/40562
Potential fix for [https://github.com/apache/superset/security/code-scanning/2230](https://github.com/apache/superset/security/code-scanning/2230)

General fix: constrain untrusted path/root data before using it to build navigable URLs. Specifically, ensure application root is always a safe relative path (starts with `/`, no schemes, no protocol-relative `//`), and fall back to `/` when invalid.

Best targeted fix (no functionality change): harden `normalizePathWithFallback` in `superset-frontend/src/utils/getBootstrapData.ts` so `applicationRoot()` and `staticAssetsPrefix()` are normalized to safe root-relative paths only. This removes dangerous inputs at the shared source and fixes all downstream usages, including `makeUrl()` and `DatasourceEditor` `href`.

Changes needed:

- In `getBootstrapData.ts`, replace the simple trailing-slash normalization with validation that:
  - trims whitespace,
  - rejects scheme/protocol-relative values,
  - enforces leading `/`,
  - collapses repeated slashes,
  - strips trailing slash (except `/`),
  - falls back safely if invalid.
- No new imports or dependencies required.

_Suggested fixes powered by Copilot Autofix. Review carefully before merging._

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
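The normalization rules listed in the PR description, written out as an added illustrative implementation (this is not the code from apache/superset or from the PR itself; the function name `normalizePathWithFallback` is taken from the PR text, and the backslash check is an extra assumption not in the PR's list):

```typescript
const DEFAULT_ROOT = '/';

// Matches an RFC 3986 scheme prefix such as "http:", "javascript:" or "data:".
const SCHEME_RE = /^[a-zA-Z][a-zA-Z0-9+.-]*:/;

/**
 * Normalize a configured application root / static-asset prefix into a
 * safe root-relative path, or return `fallback` when the value is untrusted.
 * Illustrative implementation of the rules in the PR description.
 */
function normalizePathWithFallback(
  input: unknown,
  fallback: string = DEFAULT_ROOT,
): string {
  if (typeof input !== 'string') return fallback;

  // Trim first so leading whitespace cannot hide a scheme or "//" prefix.
  const trimmed = input.trim();
  if (trimmed === '') return fallback;

  // Reject absolute URLs ("https://...", "javascript:...") and
  // protocol-relative URLs ("//evil.example"): used as an href base, either
  // would send the browser off-origin.
  if (SCHEME_RE.test(trimmed) || trimmed.startsWith('//')) return fallback;

  // Extra check (assumption, not in the PR's list): browsers rewrite "\" to
  // "/" in http(s) URLs, so "/\evil.example" behaves like "//evil.example".
  if (trimmed.includes('\\')) return fallback;

  // Enforce a leading "/", then collapse runs of slashes.
  let path = trimmed.startsWith('/') ? trimmed : `/${trimmed}`;
  path = path.replace(/\/{2,}/g, '/');

  // Strip the trailing slash so callers can append "/api/..." safely,
  // but keep a bare "/" intact.
  if (path.length > 1 && path.endsWith('/')) path = path.slice(0, -1);

  return path;
}
```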
