From ac76defc05f3f3d1d40f449f023cd96661147e82 Mon Sep 17 00:00:00 2001
From: Craig Rueda
Date: Mon, 29 Nov 2021 20:07:06 -0800
Subject: [PATCH] chore(datasets): Sanitizing /save response (#17579)

---
 superset/views/core.py | 8 +++-----
 superset/views/datasource/views.py | 5 +++--
 superset/views/utils.py | 9 +++++++++
 3 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/superset/views/core.py b/superset/views/core.py
index 9afcbb8e3def2..e674146e7e595 100755
--- a/superset/views/core.py
+++ b/superset/views/core.py
@@ -154,6 +154,7 @@
     get_form_data,
     get_viz,
     is_owner,
+    sanitize_datasource_data,
 )
 from superset.viz import BaseViz
 
@@ -850,9 +851,6 @@ def explore(
         }
         try:
             datasource_data = datasource.data if datasource else dummy_datasource_data
-            datasource_database = datasource_data.get("database")
-            if datasource_database:
-                datasource_database["parameters"] = {}
         except (SupersetException, SQLAlchemyError):
             datasource_data = dummy_datasource_data
 
@@ -862,7 +860,7 @@ def explore(
         bootstrap_data = {
             "can_add": slice_add_perm,
             "can_download": slice_download_perm,
-            "datasource": datasource_data,
+            "datasource": sanitize_datasource_data(datasource_data),
             "form_data": form_data,
             "datasource_id": datasource_id,
             "datasource_type": datasource_type,
@@ -2616,7 +2614,7 @@ def fetch_datasource_metadata(self) -> FlaskResponse: # pylint: disable=no-self
             return json_error_response(DATASOURCE_MISSING_ERR)
 
         datasource.raise_for_access()
-        return json_success(json.dumps(datasource.data))
+        return json_success(json.dumps(sanitize_datasource_data(datasource.data)))
 
     @has_access_api
     @event_logger.log_this
diff --git a/superset/views/datasource/views.py b/superset/views/datasource/views.py
index 2b5ed892ff173..e2cb204082dd6 100644
--- a/superset/views/datasource/views.py
+++ b/superset/views/datasource/views.py
@@ -51,6 +51,7 @@
     ExternalMetadataSchema,
     get_external_metadata_schema,
 )
+from superset.views.utils import sanitize_datasource_data
 
 
 class Datasource(BaseSupersetView):
@@ -123,7 +124,7 @@ def save(self) -> FlaskResponse:
         data = orm_datasource.data
         db.session.commit()
 
-        return self.json_response(data)
+        return self.json_response(sanitize_datasource_data(data))
 
     @expose("/get///")
     @has_access_api
@@ -133,7 +134,7 @@ def get(self, datasource_type: str, datasource_id: int) -> FlaskResponse:
         datasource = ConnectorRegistry.get_datasource(
             datasource_type, datasource_id, db.session
         )
-        return self.json_response(datasource.data)
+        return self.json_response(sanitize_datasource_data(datasource.data))
 
     @expose("/external_metadata///")
     @has_access_api
diff --git a/superset/views/utils.py b/superset/views/utils.py
index 035f332aad3b6..15b312d39dfd7 100644
--- a/superset/views/utils.py
+++ b/superset/views/utils.py
@@ -61,6 +61,15 @@
 REJECTED_FORM_DATA_KEYS = ["js_tooltip", "js_onclick_href", "js_data_mutator"]
 
 
+def sanitize_datasource_data(datasource_data: Dict[str, Any]) -> Dict[str, Any]:
+    if datasource_data:
+        datasource_database = datasource_data.get("database")
+        if datasource_database:
+            datasource_database["parameters"] = {}
+
+    return datasource_data
+
+
 def bootstrap_user_data(user: User, include_perms: bool = False) -> Dict[str, Any]:
     if user.is_anonymous:
         payload = {}
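Review bot: `sanitize_datasource_data` in the utils.py hunk mutates the mapping it receives (`datasource_database["parameters"] = {}`) and returns that same object, so every caller — `explore`'s `bootstrap_data` and `fetch_datasource_metadata` in core.py, `Datasource.save` and `Datasource.get` here — has its own `datasource_data` altered as a side effect; if `datasource.data` is ever a cached attribute rather than a dict rebuilt on each access, the emptied `parameters` would persist on the datasource object itself (not verifiable from the diff, hence worth a comment at least). A copy-on-sanitize form removes that ambiguity, and an `isinstance(datasource_database, dict)` guard keeps a non-mapping `database` value from raising `TypeError` at the assignment instead of simply passing through. The helper also has no docstring saying why `parameters` is emptied, which matters for a function that now sits on the response path as the single sanitizer for this payload. The rewritten helper follows; it preserves the existing behaviour of returning falsy input unchanged.
```python
def sanitize_datasource_data(datasource_data: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of ``datasource_data`` with ``database.parameters`` emptied.

    Used on every code path that serializes datasource metadata to the client,
    so the ``parameters`` mapping of the ``database`` entry is never written
    into a response. The input mapping is not modified; falsy input (``None``
    or an empty dict) is returned as-is.
    """
    if not datasource_data:
        return datasource_data
    sanitized = dict(datasource_data)
    datasource_database = sanitized.get("database")
    if isinstance(datasource_database, dict):
        # Replace rather than mutate so the caller's nested dict stays intact.
        sanitized["database"] = {**datasource_database, "parameters": {}}
    return sanitized
```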