sha174n opened a new pull request, #40982:
URL: https://github.com/apache/superset/pull/40982

   ### SUMMARY
   
   Two coupled changes to the chart-data query path:
   
   1. `QueryContextProcessor.raise_for_access` now performs the datasource access
      check before validating the queries. Query validation renders the request's
      filter expressions through the template processor, so the access decision
      runs first and caller-supplied input is not rendered for a resource the
      caller is not allowed to access.
   
   2. The `metric` macro is bound through a closure rather than positional args, so
      it does not expose the template environment through its public `partial`
      args, and the sandboxed environment denies attribute access to the base
      environment/template classes and to the internals of `partial` objects.
      Calling the macros is unaffected.
   
   ### TESTING INSTRUCTIONS
   
   ```
   pytest tests/unit_tests/jinja_context_test.py
   pytest tests/unit_tests/common/test_query_context_processor.py
   ```
   
   New unit tests: access is checked before query validation; the `metric` macro
   does not expose its environment; and the sandbox denies the relevant attributes.
   
   ### ADDITIONAL INFORMATION
   - [ ] Has associated issue:
   - [ ] Changes UI
   - [ ] Includes DB Migration
   - [ ] Introduces new feature or API
   - [ ] Removes existing feature or API
   
   🤖 Generated with [Claude Code](https://claude.com/claude-code)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
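
The second change in the summary above, as an added example that is not code from the pull request or from Superset: it contrasts binding a macro with `functools.partial` against binding it through a closure, and shows an attribute guard that denies `partial` internals and environment attributes. `TemplateEnv`, `metric_impl`, both guards and `exposed_env_attrs` are hypothetical names, and the guards are simplified stand-ins for a sandbox's attribute check.

```python
from functools import partial

class TemplateEnv:
    """Stand-in (hypothetical) for the template environment the macro uses."""
    def __init__(self):
        self.metrics = {"revenue": "SUM(amount)"}  # constructed sample data

def metric_impl(env, key):
    return env.metrics[key]

def bind_with_partial(env):
    # Positional binding: env is stored on the macro's public .args tuple.
    return partial(metric_impl, env)

def bind_with_closure(env):
    # Closure binding: env sits in a closure cell, reachable only through
    # underscore-prefixed attributes such as __closure__.
    def metric(key):
        return metric_impl(env, key)
    return metric

def default_guard(obj, attr):
    # Simplified baseline rule (assumption): deny underscore-prefixed names only.
    return not attr.startswith("_")

def hardened_guard(obj, attr):
    # Additionally deny the internals of partial objects and every
    # attribute of the environment class itself.
    if isinstance(obj, partial) and attr in {"func", "args", "keywords"}:
        return False
    if isinstance(obj, TemplateEnv):
        return False
    return default_guard(obj, attr)

def exposed_env_attrs(macro, guard):
    """Names of guard-permitted attributes through which env is reachable."""
    found = []
    for attr in dir(macro):
        if not guard(macro, attr):
            continue
        value = getattr(macro, attr)
        items = value if isinstance(value, tuple) else (value,)
        if any(isinstance(item, TemplateEnv) for item in items):
            found.append(attr)
    return found
```

Both bindings stay callable with the same result; only what an attribute lookup on the macro object can reach differs.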

