rusackas opened a new pull request, #40624:
URL: https://github.com/apache/superset/pull/40624
### SUMMARY
`simpleFilterToWhereClause` in
`plugins/plugin-chart-ag-grid-table/src/utils/agGridFilterConverter.ts` builds
WHERE-clause fragments from the AG Grid filter model. The `IN_RANGE`
(`BETWEEN`) branch interpolated both bounds **directly** into the SQL string:
```ts
return `${columnName} ${SQL_OPERATORS.BETWEEN} ${value} AND ${filterTo}`;
```
This is inconsistent with the other branches (ILIKE / string comparisons)
which escape via `escapeSQLString`. The bounds come from the filter model,
which is client-controlled and serialized into the query (it feeds the raw
`extras.where` path), and `filterTo` was never passed through
`validateFilterValue` at all — so a manipulated filter model could inject SQL
fragments through the range bounds. Practical exploitability is limited because
the normal AG Grid number UI produces numeric values, but it's a real gap in
the escaping coverage.
Fix: coerce both bounds with `Number()` and emit the `BETWEEN` clause only
when both are finite; otherwise drop the condition. Numeric strings from
serialized filter state still work, and non-numeric input can no longer be
concatenated as raw SQL. Date ranges are unaffected — they're handled
separately in `dateFilterToWhereClause` and normalized through
`Date.toISOString()`.
### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
N/A — WHERE-clause generation.
### TESTING INSTRUCTIONS
```
cd superset-frontend
npm run test --
plugins/plugin-chart-ag-grid-table/test/utils/agGridFilterConverter.test.ts
```
Added to the existing "SQL injection prevention" suite:
- a compound `inRange` filter with a SQL payload in the bounds is dropped
(payload never reaches `complexWhere`),
- numeric and numeric-string bounds still produce the expected `BETWEEN 18
AND 65` clause.
### ADDITIONAL INFORMATION
- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API
🤖 Generated with [Claude Code](https://claude.com/claude-code)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
