chore(datasets): Sanitizing /save response (#17579)

apache · Nov 30, 2021 · ac76def · ac76def
1 parent 3c41ff6
commit ac76def
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 7 deletions.
diff --git a/superset/views/core.py b/superset/views/core.py
@@ -154,6 +154,7 @@
     get_form_data,
     get_viz,
     is_owner,
+    sanitize_datasource_data,
 )
 from superset.viz import BaseViz
 
@@ -850,9 +851,6 @@ def explore(
         }
         try:
             datasource_data = datasource.data if datasource else dummy_datasource_data
-            datasource_database = datasource_data.get("database")
-            if datasource_database:
-                datasource_database["parameters"] = {}
         except (SupersetException, SQLAlchemyError):
             datasource_data = dummy_datasource_data
 
@@ -862,7 +860,7 @@ def explore(
         bootstrap_data = {
             "can_add": slice_add_perm,
             "can_download": slice_download_perm,
-            "datasource": datasource_data,
+            "datasource": sanitize_datasource_data(datasource_data),
             "form_data": form_data,
             "datasource_id": datasource_id,
             "datasource_type": datasource_type,
@@ -2616,7 +2614,7 @@ def fetch_datasource_metadata(self) -> FlaskResponse:  # pylint: disable=no-self
             return json_error_response(DATASOURCE_MISSING_ERR)
 
         datasource.raise_for_access()
-        return json_success(json.dumps(datasource.data))
+        return json_success(json.dumps(sanitize_datasource_data(datasource.data)))
 
     @has_access_api
     @event_logger.log_this

diff --git a/superset/views/datasource/views.py b/superset/views/datasource/views.py
@@ -51,6 +51,7 @@
     ExternalMetadataSchema,
     get_external_metadata_schema,
 )
+from superset.views.utils import sanitize_datasource_data
 
 
 class Datasource(BaseSupersetView):
@@ -123,7 +124,7 @@ def save(self) -> FlaskResponse:
         data = orm_datasource.data
         db.session.commit()
 
-        return self.json_response(data)
+        return self.json_response(sanitize_datasource_data(data))
 
     @expose("/get/<datasource_type>/<datasource_id>/")
     @has_access_api
@@ -133,7 +134,7 @@ def get(self, datasource_type: str, datasource_id: int) -> FlaskResponse:
         datasource = ConnectorRegistry.get_datasource(
             datasource_type, datasource_id, db.session
         )
-        return self.json_response(datasource.data)
+        return self.json_response(sanitize_datasource_data(datasource.data))
 
     @expose("/external_metadata/<datasource_type>/<datasource_id>/")
     @has_access_api

diff --git a/superset/views/utils.py b/superset/views/utils.py
@@ -61,6 +61,15 @@
     REJECTED_FORM_DATA_KEYS = ["js_tooltip", "js_onclick_href", "js_data_mutator"]
 
 
+def sanitize_datasource_data(datasource_data: Dict[str, Any]) -> Dict[str, Any]:
+    if datasource_data:
+        datasource_database = datasource_data.get("database")
+        if datasource_database:
+            datasource_database["parameters"] = {}
+
+    return datasource_data
+
+
 def bootstrap_user_data(user: User, include_perms: bool = False) -> Dict[str, Any]:
     if user.is_anonymous:
         payload = {}