rusackas opened a new issue, #40953: URL: https://github.com/apache/superset/issues/40953
### Follow-up from #40648

#40648 added `raise_for_access(chart=...)` to the query_context-only chart update path, closing the path where a user with broad `can_write Chart` could overwrite `query_context` on a chart they don't own.

A residual gap remains (pre-existing, intentionally left out of #40648 to keep its scope tight, per [review discussion](https://github.com/apache/superset/pull/40648#issuecomment-4673015711)):

**`superset/commands/chart/update.py` (~line 144)** — nothing validates that the incoming `query_context.datasource` references the chart's *own* `datasource_id`. A non-owner who *does* have access to some datasource can still overwrite a sibling chart's stored `query_context` with an arbitrary payload pointing at a different datasource. Because report/alert executors later run the stored `query_context` with their broader permissions, a poisoned payload could be replayed under elevated context.

### Proposed fix

On the query_context-only update path, validate that the payload's `datasource` matches the chart's persisted `datasource_id` (and type) before saving — reject with a 4xx otherwise — rather than relying solely on the caller's datasource access.

### Notes

- Scope: `UpdateChartCommand.validate()` / the query_context branch.
- Pre-dates #40648; that PR added the chart-access gate but deliberately did not widen scope to payload-datasource validation.

cc reporter context: surfaced by richardfogaca's review on #40648.
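As an added illustration of the proposed check (example code, not Superset's own implementation), the validator below parses an incoming `query_context` payload and accepts it only when its `datasource` entry matches the chart's persisted `datasource_id` and type; anything else is rejected before the save so the caller can answer with a 4xx. The `ChartRecord` dataclass, the `QueryContextDatasourceMismatch` exception and the `{"id": ..., "type": ...}` shape of the `datasource` entry are assumptions made for this example.

```python
import json
from dataclasses import dataclass
from typing import Any, Dict, Union


class QueryContextDatasourceMismatch(ValueError):
    """Raised when a query_context payload does not point at the chart's own
    datasource; the update command would map this to a 4xx response."""


@dataclass(frozen=True)
class ChartRecord:
    # Hypothetical stand-in for the persisted chart row (not Superset's model).
    id: int
    datasource_id: int
    datasource_type: str


def validate_query_context_datasource(
    chart: ChartRecord, query_context: Union[str, Dict[str, Any]]
) -> Dict[str, Any]:
    """Return the parsed query_context only if its datasource matches the chart.

    Accepts the payload as a JSON string (the stored form) or an already parsed
    dict. Malformed payloads and payloads referencing another datasource raise
    QueryContextDatasourceMismatch, so nothing cross-datasource is ever saved.
    """
    try:
        parsed = json.loads(query_context) if isinstance(query_context, str) else query_context
    except json.JSONDecodeError as exc:
        raise QueryContextDatasourceMismatch(f"query_context is not valid JSON: {exc}") from exc
    if not isinstance(parsed, dict):
        raise QueryContextDatasourceMismatch("query_context must be a JSON object")

    datasource = parsed.get("datasource")
    if not isinstance(datasource, dict):
        raise QueryContextDatasourceMismatch("query_context.datasource is missing")

    # Strict comparison on both id and type: a string "3" is rejected rather than
    # coerced, and an id of another datasource type is a different object entirely.
    if datasource.get("id") != chart.datasource_id or datasource.get("type") != chart.datasource_type:
        raise QueryContextDatasourceMismatch(
            f"chart {chart.id} is bound to {chart.datasource_type}:{chart.datasource_id}, "
            f"but query_context references {datasource.get('type')}:{datasource.get('id')}"
        )
    return parsed
```

This check is independent of, and would sit alongside, the caller's own datasource access check: it binds the payload to the chart rather than to whatever the caller happens to be allowed to read.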
