rusackas opened a new pull request, #40636: URL: https://github.com/apache/superset/pull/40636
### SUMMARY

Two small, self-contained hardening fixes in `superset/viz.py`.

**1. Gate the error-payload stacktrace behind `SHOW_STACKTRACE`**

`BaseViz.get_df_payload()` previously assigned a raw stacktrace to the error payload in its generic-exception handler. This now only happens when `current_app.debug` is set or the `SHOW_STACKTRACE` config flag is truthy, matching the gating already used elsewhere in the codebase (`superset.views.base.get_error_msg` and `superset.utils.core.get_stacktrace`). This keeps stacktrace exposure consistent and opt-in across the app.

**2. Allowlist for `resample_method`**

`NVD3TimeSeriesViz.process_data()` invokes a user-supplied `resample_method` dynamically via `getattr(df.resample(rule), method)()`. The method name is now validated against an allowlist of known pandas `Resampler` aggregations (`asfreq`, `bfill`, `count`, `ffill`, `first`, `last`, `max`, `mean`, `median`, `min`, `std`, `sum`, `var`) before the dynamic dispatch, raising `QueryObjectValidationError` for anything outside the set. This mirrors the existing `apply_rolling` validation pattern. The allowlist is a superset of the methods offered by the control-panel UI (which is free-form), so no valid user-facing behavior changes.

### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A — backend-only change.
### TESTING INSTRUCTIONS

New unit tests in `tests/unit_tests/test_viz_get_df_payload.py`:

- stacktrace hidden when `SHOW_STACKTRACE` is off; present when on
- resample with an unknown method raises `QueryObjectValidationError`
- resample with an allowlisted method (`mean`) succeeds

Run:

```
python -m pytest tests/unit_tests/test_viz_get_df_payload.py -q
```

### ADDITIONAL INFORMATION

- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration (follow approval process in [SIP-59](https://github.com/apache/superset/issues/13351))
  - [ ] Migration is atomic, supports rollback & is backwards-compatible
  - [ ] Confirm DB migration upgrade and downgrade tested
  - [ ] Runtime estimates and downtime expectations provided
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API

🤖 Generated with [Claude Code](https://claude.com/claude-code)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
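The two hardening patterns the PR describes, written out as a stand-alone added example (this is not Superset's code and not the PR's diff). It assumes a plain `debug` flag and a `config` dict in place of Flask's `current_app`, a local `QueryObjectValidationError` stand-in, and a constructed `FakeResampler` that only mimics the shape of a pandas `Resampler` so the block runs without pandas; the allowlist contents are the ones listed in the PR summary. The `_debug_dump` attribute on the fake is there to show what unchecked `getattr` dispatch will happily call and what the allowlist refuses.

```python
"""Added example: stacktrace gating and allowlisted dynamic dispatch.

Not Superset's code. Names, the config dict and FakeResampler are
assumptions made so the block runs stand-alone.
"""
import traceback


class QueryObjectValidationError(ValueError):
    """Stand-in for superset.exceptions.QueryObjectValidationError (assumption)."""


# 1. Stacktrace gating ------------------------------------------------------

def build_error_payload(exc: Exception, *, debug: bool, config: dict) -> dict:
    """Build an error payload; attach the stacktrace only when opted in.

    Same gate as the PR describes: app debug mode or a truthy
    SHOW_STACKTRACE config flag. Both are passed in explicitly here
    instead of being read from a Flask app (assumption).
    """
    payload = {"error": str(exc), "stacktrace": None}
    if debug or config.get("SHOW_STACKTRACE"):
        payload["stacktrace"] = "".join(
            traceback.format_exception(type(exc), exc, exc.__traceback__)
        )
    return payload


def payload_from_failure(*, debug: bool, config: dict) -> dict:
    """Raise and catch a real exception so the traceback is populated."""
    try:
        raise RuntimeError("query failed")  # constructed failure
    except RuntimeError as exc:
        return build_error_payload(exc, debug=debug, config=config)


# 2. Allowlist before dynamic dispatch --------------------------------------

# Allowlist from the PR description (known pandas Resampler aggregations).
RESAMPLE_METHODS = frozenset({
    "asfreq", "bfill", "count", "ffill", "first", "last", "max",
    "mean", "median", "min", "std", "sum", "var",
})


def unsafe_resample(resampler, method: str):
    """Before: whatever name the request carries is resolved with getattr."""
    return getattr(resampler, method)()


def safe_resample(resampler, method: str):
    """After: reject any name outside the known aggregations before dispatch."""
    if method not in RESAMPLE_METHODS:
        raise QueryObjectValidationError(f"Unsupported resample method: {method!r}")
    return getattr(resampler, method)()


class FakeResampler:
    """Constructed stand-in for pandas' Resampler; only the method shape matters."""

    def __init__(self, values):
        self.values = list(values)

    def mean(self):
        return sum(self.values) / len(self.values)

    def sum(self):
        return sum(self.values)

    def _debug_dump(self):
        # A zero-argument attribute that is not an aggregation. Reachable
        # through the unchecked getattr, refused once the allowlist is in.
        return {"raw": self.values}


def demo():
    """Return (what unchecked dispatch reached, whether the allowlist blocked it, mean)."""
    r = FakeResampler([1, 2, 3, 6])  # constructed sample data
    reached = unsafe_resample(r, "_debug_dump")
    try:
        safe_resample(r, "_debug_dump")
        blocked = False
    except QueryObjectValidationError:
        blocked = True
    return reached, blocked, safe_resample(r, "mean")


if __name__ == "__main__":
    print(payload_from_failure(debug=False, config={}))
    print(payload_from_failure(debug=False, config={"SHOW_STACKTRACE": True}))
    print(demo())
```

The allowlist is checked as a set membership on the literal name, before `getattr` runs, so private helpers and dunder attributes are rejected even though they are callable with no arguments; that is the property the PR's `apply_rolling`-style validation is meant to give.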
