rusackas opened a new pull request, #41306: URL: https://github.com/apache/superset/pull/41306
### SUMMARY

When a user-supplied `column_name` fails the `related`/`distinct` allowlist check in `BaseSupersetModelRestApi`, the API incremented a statsd counter and returned a 404 but emitted no structured log event. As a result, rejected field-access attempts against these secondary checks were absent from the security audit trail — no caller identity, endpoint, or attempted value.

This adds a sanitized security log event (user id, endpoint, attempted column) at both denial points, alongside the existing statsd counter. The attempted column name is sanitized to a single bounded token (printable, no newlines, length-capped) so it cannot inject log lines. The allowlist control itself is unchanged.

This addresses two related audit-trail gaps in `views/base_api.py`: the secondary-authorization denial (the `related`/`distinct` 404) and the input-validation/allowlist-bypass attempt that produces it.

### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A — audit logging.

### TESTING INSTRUCTIONS

`test_get_related_fail` (run for each resource via `ApiOwnersTestCaseMixin`) is extended to assert a `logger.warning` security event is emitted with the rejected column name when a disallowed related field is requested. Run e.g.:

`pytest tests/integration_tests/charts/api_tests.py -k related_fail`

### ADDITIONAL INFORMATION

- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration (follow approval process in [SIP-59](https://github.com/apache/superset/issues/13351))
  - [ ] Migration is atomic, supports rollback & is backwards-compatible
  - [ ] Confirm DB migration upgrade and downgrade tested
  - [ ] Runtime estimates and downtime expectations provided
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
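The sanitization the PR description above calls for (printable, no newlines, length-capped), as an added example that is not code from the pull request or from Superset. The function names, the 64-character cap, the allowlisted character set and the sample endpoint are assumptions.

```python
import logging
import string

MAX_LEN = 64  # assumed cap; the PR description does not state its limit
_SAFE = frozenset(string.ascii_letters + string.digits + "_.-")


def sanitize_log_token(value, max_len=MAX_LEN):
    """Reduce untrusted input to one bounded token that cannot split a log line."""
    text = value if isinstance(value, str) else repr(value)
    truncated = len(text) > max_len
    # Allowlist rather than denylist: whitespace, CR/LF, '=' and control
    # characters all collapse to '?', so the value stays a single token.
    cleaned = "".join(ch if ch in _SAFE else "?" for ch in text[:max_len])
    if truncated:
        cleaned = cleaned[: max_len - 3] + "..."  # mark the cut, keep the bound
    return cleaned or "<empty>"


def log_denied_column(logger, user_id, endpoint, column_name):
    """Emit the denial event with the attempted column passed as an argument."""
    token = sanitize_log_token(column_name)
    logger.warning(
        "related/distinct field denied user_id=%s endpoint=%s column=%s",
        user_id, endpoint, token,
    )
    return token


class _ListHandler(logging.Handler):
    """Collects formatted records so the demo can inspect what was written."""
    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def demo():
    logger = logging.getLogger("audit_demo")
    logger.setLevel(logging.WARNING)
    logger.propagate = False
    handler = _ListHandler()
    logger.addHandler(handler)
    # Constructed input: a column name carrying a newline and a fake event.
    hostile = "owners\n2024-01-01 WARNING user_id=1 endpoint=/admin column=ok"
    log_denied_column(logger, 42, "/api/v1/example/related", hostile)
    logger.removeHandler(handler)
    return handler.lines
```

Because `=` and spaces are replaced as well as newlines, a key=value log parser sees exactly one `user_id` and one `column` field per event.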
