rusackas opened a new pull request, #40660: URL: https://github.com/apache/superset/pull/40660
### SUMMARY `dashboard_permalink` (`superset/views/core.py`) concatenated the `native_filters` URL-param value into the redirect URL **without** URL-encoding, while every other param went through `parse.urlencode`. The code even had a comment "native_filters doesnt need to be encoded here." A permalink whose stored `native_filters` value contained `&`/`#`/`=` could therefore inject additional query parameters into the redirect target, altering the dashboard filter state shown to a victim who opens the permalink (ASVS 1.2.2). Fix: encode all param values uniformly via `parse.urlencode`. Flask URL-decodes them back when reading `request.args`, so legitimate `native_filters` values render identically — the encoding is transparent for valid input and only neutralizes injection. ### TESTING INSTRUCTIONS ``` pytest tests/integration_tests/dashboards/permalink/api_tests.py ``` A permalink whose `native_filters` value contains special characters now appears percent-encoded in the redirect `Location` (no extra params injected). ### ADDITIONAL INFORMATION - [ ] Has associated issue: - [ ] Required feature flags: - [ ] Changes UI - [ ] Includes DB Migration - [ ] Introduces new feature or API - [ ] Removes existing feature or API 🤖 Generated with [Claude Code](https://claude.com/claude-code) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
