aminghadersohi opened a new pull request, #40689:
URL: https://github.com/apache/superset/pull/40689
### SUMMARY
The `find_users` MCP tool built its LIKE needle without escaping SQL LIKE
metacharacters:
```python
needle = f"%{request.query.strip()}%"
```
A caller passing `query="%"` produced `needle="%%"` which matched every user
via `ILIKE '%%'`. Similarly `query="_"` matched any single-character
username/name. The `_reject_blank_query` validator correctly blocked empty
strings but `%` and `_` are single non-whitespace characters that passed all
validators.
This directly contradicted the docstring's claim that "this tool does not
enumerate the full user directory."
**Fix:** Escape `\`, `%`, and `_` before building the needle and pass
`escape="\\"` to each `ilike()` call so the database treats them as literals:
```python
escaped = (
request.query
.replace("\\", "\\\\")
.replace("%", "\\%")
.replace("_", "\\_")
)
needle = f"%{escaped}%"
```
### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
N/A — backend-only change.
### TESTING INSTRUCTIONS
1. Run the unit tests: `pytest
tests/unit_tests/mcp_service/system/tool/test_find_users.py -v`
2. Three new tests verify wildcard escaping:
`test_find_users_escapes_percent_wildcard`,
`test_find_users_escapes_underscore_wildcard`,
`test_find_users_escapes_backslash`
3. All existing tests continue to pass.
### ADDITIONAL INFORMATION
- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
