rusackas opened a new pull request, #40640:
URL: https://github.com/apache/superset/pull/40640
### SUMMARY
This PR applies four small, independent schema-hardening fixes:
1. **Guest dataset field filtering** (`superset/dashboards/schemas.py`):
`DashboardDatasetSchema.post_dump` previously removed only `owners` and
`database` for guest users. It now also removes `sql`, `select_star`,
`perm`, `edit_url`, `fetch_values_predicate` and `template_params`, so
guest tokens never receive internal connection or query details. Removal
is guarded with `pop(..., None)` for absent keys.
2. **External URL protocol validation** (`superset/charts/schemas.py`,
`superset/dashboards/schemas.py`): the `external_url` field accepted any
string. A reusable `validate_external_url` validator (in
`superset/utils/schema.py`) now restricts accepted values to `http`/`https`
schemes, rejecting `javascript:`, `data:`, `vbscript:`, etc. Empty/None
values remain allowed since the field is optional. `external_url` on these
externally-managed objects is always an absolute URL, so requiring an
http(s) scheme is safe.
3. **SSH tunnel credential output-safety** (`superset/databases/schemas.py`):
`password`, `private_key` and `private_key_password` on `DatabaseSSHTunnel`
are now `load_only=True` — accepted on input but never serialized in
responses. Verified that every response path which surfaces these to the
client does so via explicit masking (`SSHTunnel.data` and
`mask_password_info` in `superset/databases/api.py`), which overwrites or
bypasses the schema's own dump. The masked-placeholder UX is therefore
unaffected; `load_only` only prevents the schema from ever emitting raw
values on its own.
4. **Prophet periods bound** (`superset/charts/schemas.py`):
`ChartDataProphetOptionsSchema.periods` lacked an upper bound. It now
validates `1 <= periods <= MAX_PROPHET_PERIODS`, where the max is read from
a new `MAX_PROPHET_PERIODS` config (default `10000`, added to
`superset/config.py`). `confidence_interval` already had a bound.
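An allowlist-style `external_url` check in the spirit of fix 2, written as an added example for this thread rather than taken from the PR or from Superset: it uses only the standard library, stands in a local `ValidationError` for marshmallow's, and the sample inputs at the bottom are constructed to show why an allowlist (http/https only) rather than a denylist of dangerous schemes is the right shape.

```python
from urllib.parse import urlsplit


class ValidationError(ValueError):
    """Stand-in for marshmallow.ValidationError (assumption: the real
    validator raises that class) so the example runs without marshmallow."""


ALLOWED_SCHEMES = frozenset({"http", "https"})


def validate_external_url(value):
    """Accept only absolute http(s) URLs; pass None/"" through (optional field).

    Allowlisting the scheme rejects javascript:, data:, vbscript: and any
    scheme nobody has listed yet, plus scheme-relative (//host) and relative
    paths, which a denylist would silently let through.
    """
    if value is None or value == "":
        return value
    if not isinstance(value, str):
        raise ValidationError("external_url must be a string")
    # Browsers tolerate surrounding whitespace and mixed-case schemes, so
    # normalise before checking: the validator must see what a browser sees.
    scheme = urlsplit(value.strip()).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValidationError(
            f"external_url must use http or https, got scheme {scheme!r}"
        )
    return value


def is_valid_external_url(value):
    """Boolean wrapper used by the constructed samples below."""
    try:
        validate_external_url(value)
        return True
    except ValidationError:
        return False


# Constructed sample inputs: an absolute https link, the optional empty
# value, and the kinds of strings that reached the field before the fix.
SAMPLES = {
    "https://wiki.example.org/dashboards/sales": True,
    "": True,
    "javascript:alert(document.cookie)": False,
    "  JavaScript:alert(1)": False,      # whitespace + case tricks
    "data:text/html,<script>1</script>": False,
    "vbscript:MsgBox(1)": False,
    "//evil.example/steal": False,       # scheme-relative, not absolute
}


def check_samples():
    """Return {sample: validator verdict}; compare against SAMPLES."""
    return {url: is_valid_external_url(url) for url in SAMPLES}
```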
### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
N/A — backend schema changes only.
### TESTING INSTRUCTIONS
Run the schema unit tests:
```bash
python -m pytest tests/unit_tests/charts/test_schemas.py \
tests/unit_tests/dashboards/schema_tests.py \
tests/unit_tests/databases/schema_tests.py -q
```
New tests cover: guest filtering removes the new fields (and non-guests keep
them); `external_url` rejects `javascript:`/`data:`/`vbscript:` and accepts
https; prophet `periods` over max and below min raise `ValidationError` while
valid values pass; SSH tunnel credential fields load but never dump.
### ADDITIONAL INFORMATION
- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration (follow approval process in
[SIP-59](https://github.com/apache/superset/issues/13351))
- [ ] Migration is atomic, supports rollback & is backwards-compatible
- [ ] Confirm DB migration upgrade and downgrade tested
- [ ] Runtime estimates and downtime expectations provided
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API
🤖 Generated with [Claude Code](https://claude.com/claude-code)