bito-code-review[bot] commented on PR #41294:
URL: https://github.com/apache/superset/pull/41294#issuecomment-4774285466
<!-- Bito Reply -->
The flagged security issue is correct. When performing a partial update that
omits the `tables` field, the current implementation skips the datasource
access check entirely, potentially allowing unauthorized modifications to RLS
rules tied to restricted datasources.
To resolve this, you should ensure that even if `tables` is omitted from the
request, the command validates the existing tables associated with the rule
(`self._model.tables`) against the user's permissions.
Here is a concise fix for `superset/commands/security/update.py`:
```python
if "tables" in self._properties:
tables = (
db.session.query(SqlaTable)
.filter(SqlaTable.id.in_(self._tables)) # type:
ignore[attr-defined]
.all()
)
if len(tables) != len(self._tables):
raise DatasourceNotFoundValidationError()
raise_for_datasource_access(tables)
self._properties["tables"] = tables
else:
# Always validate access to existing tables if not updating them
raise_for_datasource_access(self._model.tables)
```
There are no other comments in the provided PR review data to address.
**superset/commands/security/update.py**
```
if "tables" in self._properties:
tables = (
db.session.query(SqlaTable)
.filter(SqlaTable.id.in_(self._tables)) # type:
ignore[attr-defined]
.all()
)
if len(tables) != len(self._tables):
raise DatasourceNotFoundValidationError()
raise_for_datasource_access(tables)
self._properties["tables"] = tables
else:
# Always validate access to existing tables if not updating them
raise_for_datasource_access(self._model.tables)
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]