bito-code-review[bot] commented on code in PR #40624:
URL: https://github.com/apache/superset/pull/40624#discussion_r3342430737
##########
superset-frontend/plugins/plugin-chart-ag-grid-table/test/utils/agGridFilterConverter.test.ts:
##########
@@ -771,6 +771,57 @@ describe('agGridFilterConverter', () => {
// Should reject column names longer than 255 characters
expect(result.simpleFilters).toHaveLength(0);
});
+
+ test('should drop inRange bounds that are not numeric', () => {
+ const filterModel: AgGridFilterModel = {
+ age: {
+ filterType: 'number',
+ operator: 'AND',
+ condition1: {
+ filterType: 'number',
+ type: 'inRange',
+ filter: '0 AND 1=1--',
+ filterTo: '100',
+ },
+ condition2: {
+ filterType: 'number',
+ type: 'greaterThan',
+ filter: 5,
+ },
+ } as AgGridCompoundFilter,
+ };
+
+ const result = convertAgGridFiltersToSQL(filterModel);
+
+ // The malicious range condition is dropped, so its payload never reaches
+ // the WHERE clause; the sibling numeric condition is unaffected.
+ expect(result.complexWhere ?? '').not.toContain('1=1');
+ expect(result.complexWhere ?? '').not.toContain('BETWEEN');
Review Comment:
The update to the test assertion is appropriate. By directly asserting
`expect(result.complexWhere).toBe('age > 5')`, the test now explicitly verifies
that the sibling condition is preserved and correctly formatted, addressing the
concern that the previous assertion only checked for the absence of the
malicious payload.
**superset-frontend/plugins/plugin-chart-ag-grid-table/test/utils/agGridFilterConverter.test.ts**
```
// The malicious range condition is dropped, so its payload never reaches
// the WHERE clause; the sibling numeric condition is unaffected.
expect(result.complexWhere ?? '').not.toContain('1=1');
expect(result.complexWhere ?? '').not.toContain('BETWEEN');
expect(result.complexWhere).toBe('age > 5');
```