rusackas opened a new pull request, #40626:
URL: https://github.com/apache/superset/pull/40626
### SUMMARY
In `superset-websocket`, `getLastId` returned the raw `last_id` query
parameter, which is then passed to `incrementId` and used as the start of a
Redis stream range read during the client reconnection flow. Malformed values
like `last_id=abc-xyz` produced ids such as `abc-NaN`. Redis handles these
gracefully and a client can only read its own channel's stream, so the impact
is limited — but no positive validation enforced the expected format.
This adds validation: `last_id` must match the Redis stream ID format
`/^\d{1,15}-\d{1,10}$/` (`<millisecondsTime>-<sequence>`); anything else is
ignored (returns `null`), so malformed input is no longer processed.
### TESTING INSTRUCTIONS
```bash
cd superset-websocket
npm ci
npm test
```
New tests:
- `getLastId`: returns `null` when absent, returns well-formed IDs, and
returns `null` for a range of malformed inputs (`abc-xyz`, missing parts,
injection-like suffixes, extra segments).
- `wsConnection`: a malformed `last_id` does not trigger a stream range
fetch.
### ADDITIONAL INFORMATION
- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API
🤖 Generated with [Claude Code](https://claude.com/claude-code)
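As an added illustration of the validation described above (this is example code, not superset-websocket's own implementation), the hypothetical `incrementIdUnchecked` reproduces the pre-fix `abc-NaN` behaviour, while `getLastId`/`incrementId` apply the PR's regex first so that only well-formed `<millisecondsTime>-<sequence>` IDs reach the range read; the URLs are constructed inputs.

```typescript
// Added example; assumed shapes, not the project's actual functions.
// Redis stream IDs are `<millisecondsTime>-<sequence>`; this is the PR's regex.
const STREAM_ID_RE = /^\d{1,15}-\d{1,10}$/;

// Assumed pre-fix behaviour: split on "-" and bump the sequence with no
// check, so a value like "abc-xyz" turns into "abc-NaN".
function incrementIdUnchecked(id: string): string {
  const [ts, seq] = id.split('-');
  return `${ts}-${Number(seq) + 1}`;
}

// Post-fix behaviour: positive validation of the `last_id` query parameter.
// Absent or malformed values are ignored (null) instead of being processed.
function getLastId(connectionUrl: string): string | null {
  const raw = new URL(connectionUrl).searchParams.get('last_id');
  if (raw === null || !STREAM_ID_RE.test(raw)) {
    return null;
  }
  return raw;
}

// Only ever called with an id that matched STREAM_ID_RE. The regex caps the
// sequence at 10 digits and the timestamp at 15, both below
// Number.MAX_SAFE_INTEGER (~9.007e15), so plain Number arithmetic is exact.
function incrementId(id: string): string {
  const [ts, seq] = id.split('-');
  return `${ts}-${Number(seq) + 1}`;
}

// Assumed sketch of the reconnect step: the exclusive start id for the
// stream range read, or null when no range fetch should be issued.
function startIdForReconnect(connectionUrl: string): string | null {
  const last = getLastId(connectionUrl);
  return last === null ? null : incrementId(last);
}

// Constructed inputs covering the cases the PR's tests describe.
const SAMPLE_URLS = [
  'http://localhost/?last_id=1700000000000-0',        // well-formed
  'http://localhost/?last_id=abc-xyz',                // malformed
  'http://localhost/?last_id=1700000000000',          // missing sequence
  'http://localhost/?last_id=1700000000000-0;XRANGE', // injection-like suffix
  'http://localhost/?last_id=1-2-3',                  // extra segment
  'http://localhost/',                                // absent
];
for (const u of SAMPLE_URLS) {
  console.log(u, '->', startIdForReconnect(u));
}
```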
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]