Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: block unsafe functions #19537

Merged
merged 1 commit into from
Apr 5, 2022
Merged

chore: block unsafe functions #19537

merged 1 commit into from
Apr 5, 2022

Conversation

betodealmeida
Copy link
Member

@betodealmeida betodealmeida commented Apr 5, 2022
edited
Loading

SUMMARY

Add pre-commit hook to disallow unsafe functions like make_url.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

@codecov
Copy link

codecov bot commented Apr 5, 2022
edited
Loading

Codecov Report

Merging #19537 (f92d20e) into master (f64d654) will decrease coverage by 0.19%.
The diff coverage is 62.50%.

❗ Current head f92d20e differs from pull request most recent head b9049a5. Consider uploading reports for the commit b9049a5 to get more accurate results

@@            Coverage Diff             @@
##           master   #19537      +/-   ##
==========================================
- Coverage   66.59%   66.40%   -0.20%     
==========================================
  Files        1682     1682              
  Lines       64302    64311       +9     
  Branches     6554     6559       +5     
==========================================
- Hits        42824    42706     -118     
- Misses      19777    19904     +127     
  Partials     1701     1701
Flag Coverage Δ
hive ?
mysql 81.90% <100.00%> (ø)
postgres 81.95% <100.00%> (ø)
presto ?
python 82.00% <100.00%> (-0.40%) ⬇️
sqlite ?
unit ?

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
...c/views/CRUD/data/database/DatabaseModal/index.tsx 32.79% <ø> (ø)
superset-frontend/src/views/CRUD/hooks.ts 46.36% <0.00%> (-0.80%) ⬇️
...rset-frontend/src/explore/components/SaveModal.tsx 66.19% <100.00%> (+2.01%) ⬆️
superset/databases/utils.py 80.95% <100.00%> (ø)
superset/db_engines/hive.py 0.00% <0.00%> (-85.19%) ⬇️
superset/db_engine_specs/hive.py 70.11% <0.00%> (-15.71%) ⬇️
superset/connectors/sqla/utils.py 89.13% <0.00%> (-5.44%) ⬇️
superset/db_engine_specs/sqlite.py 91.89% <0.00%> (-5.41%) ⬇️
superset/db_engine_specs/presto.py 83.64% <0.00%> (-5.39%) ⬇️
superset/utils/celery.py 86.20% <0.00%> (-3.45%) ⬇️
... and 11 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f64d654...b9049a5. Read the comment docs.

@pull-request-size pull-request-size bot added size/S and removed size/XS labels Apr 5, 2022
@betodealmeida betodealmeida requested a review from a team as a code owner April 5, 2022 20:05
craig-rueda
craig-rueda approved these changes Apr 5, 2022
View reviewed changes
superset/databases/utils.py
@@ -113,6 +113,6 @@ def make_url_safe(raw_url: str) -> URL:
:return:
"""
try:
return make_url(raw_url.strip())
return make_url(raw_url.strip()) # noqa
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems like a pretty easy way to get around this filter :)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shhh, it's secret!

@betodealmeida betodealmeida merged commit 1b4d8dd into apache:master Apr 5, 2022
philipher29 pushed a commit to ValtechMobility/superset that referenced this pull request Jun 9, 2022
@betodealmeida @philipher29
chore: blacklist unsafe functions (apache#19537)
12ebf65
@mistercrunch mistercrunch added 🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels 🚢 2.0.0 labels Mar 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@craig-rueda craig-rueda craig-rueda approved these changes

Assignees
No one assigned
Labels
🏷️ bot A label used by `supersetbot` to keep track of which PR where auto-tagged with release labels size/S 🚢 2.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@betodealmeida @craig-rueda @mistercrunch