rusackas opened a new pull request, #40634: URL: https://github.com/apache/superset/pull/40634
### SUMMARY

Three small, related input-validation gaps in `superset/charts/schemas.py`:

1. **`ChartPutSchema.query_context`** lacked the `validate=utils.validate_json` validator that `ChartPostSchema.query_context` already has. Invalid JSON could be stored on a chart **update** (PUT) and then fail when parsed at render time. Added the validator. `allow_none` and empty values remain valid, matching POST behavior — no regression for null/empty.
2. **`ChartDataProphetOptionsSchema.periods`** documented `"min": 0` in metadata but enforced no actual bound, so an arbitrarily large forecast horizon could be passed straight to Prophet. Added `Range(min=0, max=10000)`.
3. **`ChartDataRollingOptionsSchema.window`** had no bound. Added `Range(min=1, max=10000)`, consistent with the downstream `window > 0` requirement in the rolling post-processor.

(2) and (3) bound user-supplied values that flow into Prophet/rolling computations, reducing a resource-exhaustion surface for authenticated users. `confidence_interval` already had a correct `Range(0, 1)` and was left unchanged.

### TESTING INSTRUCTIONS

```
pytest tests/unit_tests/charts/test_schemas.py
```

New tests: PUT `query_context` rejects invalid JSON / accepts valid + null; `periods` rejects negative and oversized values; `window` rejects 0 and oversized values; all accept valid values.

### ADDITIONAL INFORMATION

- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API

🤖 Generated with [Claude Code](https://claude.com/claude-code)

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
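The three checks the PR describes, shown as a constructed before/after comparison (added example, not code from the Superset project or from the PR). It uses plain-Python stand-ins for marshmallow's `Range` validator and for Superset's `utils.validate_json`, with the same semantics the PR states: `query_context` must parse as JSON but `None` and empty are allowed, `periods` is bounded to `[0, 10000]`, `window` to `[1, 10000]`. The payloads are constructed, and `validate_payload`, `range_validator` and the two schema tables are hypothetical names for this illustration only.

```python
import json
from typing import Any, Callable, Dict, Optional


class ValidationError(Exception):
    """Raised when a field value fails validation (stand-in for marshmallow's)."""


def validate_json(value: Optional[str]) -> None:
    """Reject strings that are not valid JSON; None and "" pass.

    Constructed to mirror the allow_none / empty-value behaviour the PR
    describes for query_context; it is not Superset's own utils.validate_json.
    """
    if value is None or value == "":
        return
    try:
        json.loads(value)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError subclass
        raise ValidationError(f"query_context is not valid JSON: {exc}") from exc


def range_validator(min_value: int, max_value: int) -> Callable[[Any], None]:
    """Inclusive integer bound, mirroring marshmallow.validate.Range(min=, max=)."""

    def check(value: Any) -> None:
        # bool is an int subclass in Python; treat True/False as a type error.
        if not isinstance(value, int) or isinstance(value, bool):
            raise ValidationError(f"expected an integer, got {value!r}")
        if value < min_value or value > max_value:
            raise ValidationError(
                f"{value} is outside the allowed range [{min_value}, {max_value}]"
            )

    return check


# "Before": the gap the PR describes. None means the field is stored as-is,
# so bad JSON and oversized numbers only fail later, at render/compute time.
BEFORE_PUT_SCHEMA: Dict[str, Optional[Callable[[Any], None]]] = {
    "query_context": None,
    "periods": None,
    "window": None,
}

# "After": the validators the PR adds, applied at the API boundary.
AFTER_PUT_SCHEMA: Dict[str, Optional[Callable[[Any], None]]] = {
    "query_context": validate_json,
    "periods": range_validator(0, 10_000),
    "window": range_validator(1, 10_000),
}


def validate_payload(
    schema: Dict[str, Optional[Callable[[Any], None]]], payload: Dict[str, Any]
) -> Dict[str, str]:
    """Return field -> error message for every failing field ({} when valid)."""
    errors: Dict[str, str] = {}
    for field, validator in schema.items():
        if field not in payload or validator is None:
            continue
        try:
            validator(payload[field])
        except ValidationError as exc:
            errors[field] = str(exc)
    return errors


# Constructed sample PUT bodies covering the cases the PR's tests enumerate.
SAMPLE_PAYLOADS: Dict[str, Dict[str, Any]] = {
    "valid": {"query_context": '{"datasource": {"id": 1, "type": "table"}}',
              "periods": 30, "window": 7},
    "null_context": {"query_context": None, "periods": 0, "window": 1},
    "bad_json": {"query_context": '{"datasource": ', "periods": 30, "window": 7},
    "oversized": {"query_context": "{}", "periods": 10_000_000, "window": 0},
}

if __name__ == "__main__":
    for name, body in SAMPLE_PAYLOADS.items():
        print(f"{name:13s} before: {validate_payload(BEFORE_PUT_SCHEMA, body)}")
        print(f"{name:13s} after:  {validate_payload(AFTER_PUT_SCHEMA, body)}")
```

Running it shows the "before" table accepting every payload, including the truncated JSON and the million-period forecast, while the "after" table rejects exactly `query_context` for the bad-JSON body and `periods` plus `window` for the oversized one; the null/empty context and the boundary values 0 and 1 still pass, which is the no-regression property the PR calls out.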
