rusackas opened a new pull request, #40637: URL: https://github.com/apache/superset/pull/40637
### SUMMARY Two small, resource-bound hardening fixes to keep upload and pagination paths bounded. **1. ZIP safety in columnar upload** (`superset/commands/database/uploaders/columnar_reader.py`) The ZIP branch of `ColumnarReader._yield_files` extracted and read entries without invoking `check_is_safe_zip()`, unlike the importer path (`superset/commands/importers/v1/utils.py`). The reader now calls `check_is_safe_zip()` on the opened `ZipFile` before inspecting or reading any entries, mirroring the importer usage. As in the importer, an unsafe archive surfaces as `SupersetException` (e.g. "Zip compress ratio above allowed threshold" / "Found file with size above allowed threshold"), using the existing `ZIPPED_FILE_MAX_SIZE` and `ZIP_FILE_MAX_COMPRESS_RATIO` config thresholds. **2. Upper bound on DAO page size** (`superset/daos/base.py`) `BaseDAO.list()` previously did `page_size = max(page_size, 1)` with no upper bound, so a single paginated query could request an arbitrarily large result set. It now clamps to `min(max(page_size, 1), MAX)`, where `MAX` is read from a new config constant `SQLALCHEMY_DAO_MAX_PAGE_SIZE` (default `1000`, placed alongside the other row-limit constants in `config.py`). Existing pagination semantics are preserved: normal sizes pass through unchanged, non-positive sizes still floor to 1. ### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF N/A ### TESTING INSTRUCTIONS Unit tests (no DB required): ``` python -m pytest tests/unit_tests/commands/databases/columnar_reader_test.py tests/unit_tests/dao/base_dao_test.py -q ``` - Columnar reader: added `test_columnar_reader_unsafe_zip_rejected` and `test_columnar_reader_unsafe_zip_rejected_in_metadata`, which build a high-compression-ratio ZIP and assert it is rejected. Existing reader/zip tests still pass. - DAO: added `test_list_page_size_oversized_is_clamped` (oversized clamps to the configured max), `test_list_page_size_normal_unaffected` (in-range passes through), and `test_list_page_size_below_one_is_floored` (non-positive floors to 1). ### ADDITIONAL INFORMATION - [ ] Has associated issue: - [ ] Required feature flags: - [ ] Changes UI - [ ] Includes DB Migration (follow approval process in [SIP-59](https://github.com/apache/superset/issues/13351)) - [ ] Migration is atomic, supports rollback & is backwards-compatible - [ ] Confirm DB migration upgrade and downgrade tested - [ ] Runtime estimates and downtime expectations provided - [ ] Introduces new feature or API - [ ] Removes existing feature or API 🤖 Generated with [Claude Code](https://claude.com/claude-code) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
