rusackas opened a new pull request, #40593: URL: https://github.com/apache/superset/pull/40593
### SUMMARY The Superset Extensions CLI `build`/`bundle` step copies backend files into the distributable bundle based on the `include` glob patterns declared in an extension's `backend/pyproject.toml` (`[tool.apache_superset_extensions.build]`). Previously those patterns were passed directly to `Path.glob()` and every match was copied without confirming it actually lived under the `backend/` directory. Because `Path.glob()` happily evaluates patterns with parent (`..`) components and `Path.relative_to()` compares lexically (it does not resolve `..`), a pattern could select files from outside the intended `backend/` root and stage them into the build output. This change tightens the input handling in `copy_backend_files`: - **Reject** absolute include patterns and any pattern containing `..` path components before they reach `glob()`. - **Boundary-check** every matched file: resolve it and confirm it is inside the (resolved) backend directory before copying. This is defense-in-depth that also covers symlink-based escapes. Both checks raise a clear `ValueError` so a misconfigured or hostile build config fails loudly instead of silently bundling unintended files. ### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF N/A — CLI behavior change. ### TESTING INSTRUCTIONS ``` cd superset-extensions-cli pip install -e ".[test]" pytest tests/test_cli_build.py ``` New tests: - `test_copy_backend_files_rejects_patterns_escaping_backend_dir` — parametrized over patterns that try to escape the backend dir; asserts a `ValueError` and that nothing was staged into `dist/`. - `test_copy_backend_files_supports_legitimate_nested_patterns` — confirms ordinary recursive globs (e.g. `src/**/*.py`) still resolve and copy deeply nested files. ### ADDITIONAL INFORMATION - [ ] Has associated issue: - [ ] Required feature flags: - [ ] Changes UI - [ ] Includes DB Migration - [ ] Introduces new feature or API - [ ] Removes existing feature or API 🤖 Generated with [Claude Code](https://claude.com/claude-code) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
