rusackas opened a new pull request, #40592:
URL: https://github.com/apache/superset/pull/40592
### SUMMARY
Adds defense-in-depth input validation for the embedded dashboard `id` in
the embedded SDK before it is used to construct the iframe URL.
The `id` passed to `embedDashboard` is the UUID generated by Superset's
embed configuration UI (hexadecimal characters and hyphens). A new exported
helper, `validateEmbeddedDashboardId`, verifies that the `id` matches that
expected format and throws otherwise. It is called as the first step of
`embedDashboard`, before the value is interpolated into the iframe `src`.
This is a minor behavior change: a malformed `id` now throws `Error('Invalid
dashboard id format')` instead of being used as-is. Well-formed UUIDs (the only
values Superset produces) are unaffected.
Changes:
- Export `validateEmbeddedDashboardId(id)` and invoke it at the start of
`embedDashboard`.
- Add a JSDoc note to the `id` prop documenting the expected format.
- Add `src/index.test.ts` covering the helper with valid and invalid inputs.
- Add `jest.config.js` with a `transformIgnorePatterns` entry so the
`@superset-ui/switchboard` ES module is transformed when importing from
`./index` in tests.
### TESTING INSTRUCTIONS
From `superset-embedded-sdk/`:
```bash
npm ci
npm test # unit tests, including validateEmbeddedDashboardId
npm run build # tsc + babel + webpack
```
All tests pass and the build succeeds locally. The new test asserts that
canonical UUIDs and simple hex ids are accepted, and that ids containing
unexpected characters (e.g. slashes, query/fragment markers, whitespace, empty
string) throw.
### ADDITIONAL INFORMATION
- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration (follow approval process in
[SIP-59](https://github.com/apache/superset/issues/13351))
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API
🤖 Generated with [Claude Code](https://claude.com/claude-code)
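The check described in this pull request, sketched as an added example that is not part of the PR or the SDK's source: it compares interpolating the `id` as-is with validating it first, and shows which path each unchecked iframe `src` would resolve to. The regex, the function names, the `/embedded/<id>` URL shape, the domain and the sample ids are assumptions constructed for illustration; only the hex-and-hyphen format and the error message come from the description above.

```typescript
// Added example, not the Superset SDK source. Regex, names and URL shape are assumptions.
const ID_PATTERN = /^[0-9a-f-]+$/i; // hexadecimal characters and hyphens only

function checkEmbeddedId(id: string): string {
  if (typeof id !== "string" || !ID_PATTERN.test(id)) {
    throw new Error("Invalid dashboard id format");
  }
  return id;
}

// "Before": the id is interpolated into the iframe src as-is.
function buildSrcUnchecked(domain: string, id: string): string {
  return `${domain}/embedded/${id}`;
}

// "After": validation is the first step, so a malformed id never reaches the URL.
function buildSrcChecked(domain: string, id: string): string {
  return `${domain}/embedded/${checkEmbeddedId(id)}`;
}

// Path a server would route on: drop scheme and host, cut at the first ? or #.
function pathOf(src: string): string {
  const afterHost = src.replace(/^[a-z]+:\/\/[^/]+/i, "");
  return afterHost.split(/[?#]/)[0];
}

// Constructed sample ids covering the categories the PR's tests list.
const DOMAIN = "https://superset.example.com";
const SAMPLES: string[] = [
  "8e0a3c5b-6f1d-4c2a-9b7e-1d2f3a4b5c6d", // canonical UUID
  "deadbeef", // simple hex id
  "abc/def", // slash: adds a path segment
  "abc?x=1", // query marker: truncates the id at "abc"
  "abc#frag", // fragment marker: truncates the id at "abc"
  "abc def", // whitespace
  "", // empty string
];

// For each sample: does the checked builder accept it, and what path would
// the unchecked builder have produced?
function audit(): { id: string; accepted: boolean; uncheckedPath: string }[] {
  return SAMPLES.map((id) => {
    let accepted = true;
    try { buildSrcChecked(DOMAIN, id); } catch { accepted = false; }
    return { id, accepted, uncheckedPath: pathOf(buildSrcUnchecked(DOMAIN, id)) };
  });
}
```
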