diff --git a/superset/common/query_context.py b/superset/common/query_context.py index ad67d119d0afb..0e7fa9d7a1224 100644 --- a/superset/common/query_context.py +++ b/superset/common/query_context.py @@ -237,7 +237,6 @@ def get_df_payload( # pylint: disable=too-many-statements col for col in query_obj.columns + query_obj.groupby - + [flt["col"] for flt in query_obj.filter] + utils.get_column_names_from_metrics(query_obj.metrics) if col not in self.datasource.column_names ] diff --git a/tests/charts/api_tests.py b/tests/charts/api_tests.py index a3873e84935ce..7127180fee2e1 100644 --- a/tests/charts/api_tests.py +++ b/tests/charts/api_tests.py @@ -855,6 +855,22 @@ def test_chart_data_prophet(self): self.assertIn("sum__num__yhat_lower", row) self.assertEqual(result["rowcount"], 47) + def test_chart_data_query_missing_filter(self): + """ + Chart data API: Ensure filter referencing missing column is ignored + """ + self.login(username="admin") + table = self.get_table_by_name("birth_names") + request_payload = get_query_context(table.name, table.id, table.type) + request_payload["queries"][0]["filters"] = [ + {"col": "non_existent_filter", "op": "==", "val": "foo"}, + ] + request_payload["result_type"] = utils.ChartDataResultType.QUERY + rv = self.post_assert_metric(CHART_DATA_URI, request_payload, "data") + self.assertEqual(rv.status_code, 200) + response_payload = json.loads(rv.data.decode("utf-8")) + assert "non_existent_filter" not in response_payload["result"][0]["query"] + def test_chart_data_no_data(self): """ Chart data API: Test chart data with empty result diff --git a/tests/query_context_tests.py b/tests/query_context_tests.py index 5cdfdd0b4d1ad..68ef28830f91f 100644 --- a/tests/query_context_tests.py +++ b/tests/query_context_tests.py @@ -211,23 +211,6 @@ def test_sql_injection_via_columns(self): query_payload = query_context.get_payload() assert query_payload[0].get("error") is not None - def test_sql_injection_via_filters(self): - """ - Ensure that calling invalid columns names in filters are caught - """ - self.login(username="admin") - table_name = "birth_names" - table = self.get_table_by_name(table_name) - payload = get_query_context(table.name, table.id, table.type) - payload["queries"][0]["groupby"] = ["name"] - payload["queries"][0]["metrics"] = [] - payload["queries"][0]["filters"] = [ - {"col": "*", "op": FilterOperator.EQUALS.value, "val": ";"} - ] - query_context = ChartDataQueryContextSchema().load(payload) - query_payload = query_context.get_payload() - assert query_payload[0].get("error") is not None - def test_sql_injection_via_metrics(self): """ Ensure that calling invalid columns names in filters are caught