sha174n opened a new pull request, #40979:
URL: https://github.com/apache/superset/pull/40979
### SUMMARY
A dashboard native-filter data request has no associated chart, so the
query_context check that keeps embedded requests aligned with the dashboard
was not validating the request's columns/metrics for that path. It now
resolves the requesting dashboard's native filter (by native_filter_id) and
constrains the request to that filter's targets on the targeted dataset:
- columns and group-by must reference one of the filter's target columns;
- metrics and order-by terms must be a target column, the filter's configured
sort metric (controlValues.sortMetric), or a simple aggregate over a target
column;
- free-form SQL terms and other saved metrics are rejected, and a request that
  cannot be tied to a native filter fails closed.
Legitimate value, range (MIN/MAX over the target) and sort-by-metric lookups
are unaffected. Row-restricting clauses (filter/extras) are intentionally not
constrained here: cross-filters legitimately reference other columns and they
return no column values; that surface is shared with the chart path.
### TESTING INSTRUCTIONS
```
pytest tests/unit_tests/security/manager_test.py -k native_filter
```
New unit tests cover: target column allowed, arbitrary column blocked, simple
aggregate over target allowed, configured sort metric allowed, arbitrary saved
metric blocked, adhoc column/metric blocked, order-by column/adhoc, and a
request with no filter context failing closed.
### ADDITIONAL INFORMATION
- [ ] Has associated issue:
- [ ] Changes UI
- [ ] Includes DB Migration
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API
🤖 Generated with [Claude Code](https://claude.com/claude-code)
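The allow-list rules described in the summary, as an added illustration rather than Superset's own implementation: a checker that returns the violations for a dashboard native-filter data request. The request and native-filter shapes (a `native_filter_id`, `datasource_id` and a list of query dicts with `columns`, `groupby`, `metrics`, `orderby`, `filters`), the `NativeFilter` dataclass and the sample filter are simplified assumptions constructed for this example; the adhoc-metric dict layout (`expressionType`, `aggregate`, `column.column_name`) follows Superset's usual form-data shape.

```python
"""Added example: allow-list checker modelled on the PR summary (not Superset's code)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any

# Aggregates accepted as a "simple aggregate over a target column".
# Assumption for this example; the summary only names MIN/MAX explicitly.
SIMPLE_AGGREGATES = {"MIN", "MAX", "COUNT", "COUNT_DISTINCT", "SUM", "AVG"}


@dataclass(frozen=True)
class NativeFilter:
    """Simplified native-filter definition (constructed for this example)."""
    filter_id: str
    dataset_id: int
    target_columns: frozenset[str]
    sort_metric: str | None = None  # mirrors controlValues.sortMetric


def _check_column(col: Any, nf: NativeFilter) -> str | None:
    """columns / group-by: a plain name that is one of the filter's targets."""
    if not isinstance(col, str):
        return f"adhoc column rejected: {col!r}"
    if col not in nf.target_columns:
        return f"column {col!r} is not a target of filter {nf.filter_id}"
    return None


def _check_metric(metric: Any, nf: NativeFilter) -> str | None:
    """metrics / order-by terms: target column, configured sort metric, or a
    SIMPLE adhoc aggregate over a target column; saved metrics and SQL rejected."""
    if isinstance(metric, str):
        if metric in nf.target_columns or metric == nf.sort_metric:
            return None
        return f"metric {metric!r} is neither a target column nor the sort metric"
    if isinstance(metric, dict) and metric.get("expressionType") == "SIMPLE":
        agg = metric.get("aggregate")
        col = (metric.get("column") or {}).get("column_name")
        if agg in SIMPLE_AGGREGATES and col in nf.target_columns:
            return None
        return f"{agg!r} over {col!r} is not a simple aggregate of a target column"
    return f"free-form or unknown metric rejected: {metric!r}"


def check_native_filter_request(request: dict, filters: dict[str, NativeFilter]) -> list[str]:
    """Return the list of violations; an empty list means the request is allowed."""
    nf = filters.get(request.get("native_filter_id"))
    if nf is None:  # no filter context: fail closed
        return ["request cannot be tied to a native filter; failing closed"]
    violations: list[str] = []
    if request.get("datasource_id") != nf.dataset_id:
        violations.append(f"dataset {request.get('datasource_id')!r} is not the filter's dataset")
    for query in request.get("queries", []):
        for col in list(query.get("columns", [])) + list(query.get("groupby", [])):
            if (v := _check_column(col, nf)) is not None:
                violations.append(v)
        for metric in query.get("metrics", []):
            if (v := _check_metric(metric, nf)) is not None:
                violations.append(v)
        for term, _ascending in query.get("orderby", []):
            # an order-by term is accepted as a target column or as an allowed metric
            if _check_column(term, nf) is None:
                continue
            if (v := _check_metric(term, nf)) is not None:
                violations.append(v)
        # "filters" / "extras" are intentionally not constrained (see summary)
    return violations


# --- constructed sample data -------------------------------------------------
COUNTRY_FILTER = NativeFilter("NATIVE_FILTER-country", 7, frozenset({"country"}), "row_count")
FILTERS = {COUNTRY_FILTER.filter_id: COUNTRY_FILTER}


def _request(**query: Any) -> dict:
    """One-query request against the sample filter (constructed)."""
    return {"native_filter_id": COUNTRY_FILTER.filter_id,
            "datasource_id": COUNTRY_FILTER.dataset_id, "queries": [query]}


def _simple(agg: str, col: str) -> dict:
    return {"expressionType": "SIMPLE", "aggregate": agg, "column": {"column_name": col}}


SAMPLE_CASES = {
    "target column allowed": _request(columns=["country"]),
    "range lookup allowed": _request(metrics=[_simple("MIN", "country"), _simple("MAX", "country")]),
    "sort metric allowed": _request(columns=["country"], metrics=["row_count"],
                                    orderby=[["row_count", False]]),
    "cross-filter clause unconstrained": _request(columns=["country"],
                                                  filters=[{"col": "region", "op": "==", "val": "EU"}]),
    "arbitrary column blocked": _request(columns=["salary"]),
    "saved metric blocked": _request(metrics=["avg_salary"]),
    "sql metric blocked": _request(metrics=[{"expressionType": "SQL", "sqlExpression": "MAX(salary)"}]),
    "adhoc column blocked": _request(columns=[{"sqlExpression": "salary", "label": "s"}]),
    "order-by adhoc blocked": _request(columns=["country"], orderby=[[_simple("MAX", "salary"), True]]),
    "no filter context fails closed": {"datasource_id": 7, "queries": [{"columns": ["country"]}]},
}


def evaluate_samples() -> dict[str, bool]:
    """Map each sample case to whether the checker allows it."""
    return {name: check_native_filter_request(req, FILTERS) == []
            for name, req in SAMPLE_CASES.items()}


if __name__ == "__main__":
    for name, ok in evaluate_samples().items():
        print(f"{'ALLOW' if ok else 'BLOCK':5} {name}")
```

The checker returns every violation rather than stopping at the first so a unit test can assert on the exact reason a request was blocked; the fail-closed branch deliberately runs before any per-query inspection, so a request with no usable filter context never reaches the column logic at all.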
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]