github-advanced-security[bot] commented on code in PR #40629:
URL: https://github.com/apache/superset/pull/40629#discussion_r3337768324
##########
tests/integration_tests/embedded/test_view.py:
##########
@@ -48,6 +48,29 @@
uri = f"embedded/{embedded.uuid}"
response = client.get(uri)
assert response.status_code == 200
+ # The bootstrap payload exposes the (empty) allowed-domains list so the
+ # frontend can validate postMessage origins.
+ data = response.data.decode("utf-8")
+ assert "allowed_domains" in data
+
+
[email protected]("load_birth_names_dashboard_with_slices")
[email protected](
+ "superset.extensions.feature_flag_manager._feature_flags",
+ EMBEDDED_SUPERSET=True,
+)
+def test_get_embedded_dashboard_bootstrap_includes_allowed_domains(
+ client: FlaskClient[Any], # noqa: F811
+):
+ dash = db.session.query(Dashboard).filter_by(slug="births").first()
+ embedded = EmbeddedDashboardDAO.upsert(dash,
["https://allowed.example.com"])
+ db.session.flush()
+ uri = f"embedded/{embedded.uuid}"
+ response = client.get(uri, headers={"Referer":
"https://allowed.example.com"})
+ assert response.status_code == 200
+ data = response.data.decode("utf-8")
+ assert "allowed_domains" in data
+ assert "https://allowed.example.com" in data
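Review bot: Nothing in the new test shows that the allowed-domains list is enforced: the only request carries a Referer that matches the single entry, so the 200 would also be observed if the Referer header added on the `client.get` line were ignored entirely. If the view rejects referers outside the list, as that added header suggests, a second request in the same test using a constructed origin, `denied = client.get(uri, headers={"Referer": "https://other.example.com"})` followed by an assertion on whatever status the view returns for a rejected origin, would pin the deny path; if it does not, the header should be dropped so the test does not imply a check that is not there. Separately, the last two assertions are substring matches over the whole HTML body and pass whenever the literal appears anywhere in the page, so extracting the bootstrap JSON from the response and asserting that its `allowed_domains` value equals `["https://allowed.example.com"]` would test the payload rather than the page text; the same applies to the `assert "allowed_domains" in data` added to the earlier test, whose function begins outside the hunk.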
Review Comment:
## CodeQL / Incomplete URL substring sanitization
The string [https://allowed.example.com](1) may be at an arbitrary position
in the sanitized URL.
[Show more
details](https://github.com/apache/superset/security/code-scanning/2460)