bito-code-review[bot] commented on code in PR #40632:
URL: https://github.com/apache/superset/pull/40632#discussion_r3345684361
##########
superset/charts/data/api.py:
##########
@@ -616,6 +616,13 @@ def _get_data_response(
def _extract_export_params_from_request(self) -> tuple[str | None, int |
None]:
"""Extract filename and expected_rows from request for streaming
exports."""
filename = request.form.get("filename")
+ if filename:
+ # Sanitize the user-supplied filename before it is used in the
+ # Content-Disposition header (consistent with the generated-name
+ # path). secure_filename may reduce a name consisting entirely of
+ # unsupported characters to an empty string, in which case fall
back
+ # to the generated default downstream.
+ filename = secure_filename(filename) or None
Review Comment:
<div>
<div id="suggestion">
<div id="issue"><b>CWE-22: Path Traversal Unchecked Downstream</b></div>
<div id="fix">
The `filename` is sanitized correctly before use in `Content-Disposition`.
However, the same unsanitized pattern exists in `superset/sqllab/api.py` at
line 395 — the raw `filename` from `request.form` is passed directly to
`_create_streaming_csv_response` and used unescaped at line 437. Apply the same
`secure_filename` guard there. (See also:
[CWE-22](https://cwe.mitre.org/data/definitions/22.html))
</div>
</div>
<small><i>Code Review Run #b85606</i></small>
</div>
---
Should Bito avoid suggestions like this for future reviews? (<a
href=https://alpha.bito.ai/home/ai-agents/review-rules>Manage Rules</a>)
- [ ] Yes, avoid them
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
