chore: block unsafe functions

.pre-commit-config.yaml

@@ -51,3 +51,9 @@ repos:
       - id: prettier
         args: ['--ignore-path=./superset-frontend/.prettierignore']
         files: 'superset-frontend'
+  # blacklist unsafe functions like make_url (see #19526)
+  - repo: https://github.com/skorokithakis/blacklist-pre-commit-hook
+    rev: e2f070289d8eddcaec0b580d3bde29437e7c8221
+    hooks:
+      - id: blacklist
+        args: ["--blacklisted-names=make_url", "--ignore=tests/"]

superset/databases/utils.py

@@ -113,6 +113,6 @@ def make_url_safe(raw_url: str) -> URL:
     :return:
     """
     try:
-        return make_url(raw_url.strip())
+        return make_url(raw_url.strip())  # noqa
     except Exception:
         raise DatabaseInvalidError()  # pylint: disable=raise-missing-from

superset/migrations/versions/620241d1153f_update_time_grain_sqla.py

@@ -30,10 +30,10 @@
 
 from alembic import op
 from sqlalchemy import Column, ForeignKey, Integer, Text
-from sqlalchemy.engine.url import make_url
 from sqlalchemy.ext.declarative import declarative_base
 
 from superset import db, db_engine_specs
+from superset.databases.utils import make_url_safe
 from superset.utils.memoized import memoized
 
 Base = declarative_base()
@@ -46,7 +46,7 @@ class Database(Base):
     sqlalchemy_uri = Column(Text)
 
     def grains(self):
-        url = make_url(self.sqlalchemy_uri)
+        url = make_url_safe(self.sqlalchemy_uri)
         backend = url.get_backend_name()
         db_engine_spec = db_engine_specs.engines.get(
             backend, db_engine_specs.BaseEngineSpec

superset/migrations/versions/b8d3a24d9131_new_dataset_models.py

@@ -31,14 +31,14 @@
 import sqlalchemy as sa
 from alembic import op
 from sqlalchemy import and_, inspect, or_
-from sqlalchemy.engine.url import make_url
 from sqlalchemy.ext.declarative import declarative_base
 from sqlalchemy.orm import backref, relationship, Session
 from sqlalchemy.schema import UniqueConstraint
 from sqlalchemy_utils import UUIDType
 
 from superset import app, db
 from superset.connectors.sqla.models import ADDITIVE_METRIC_TYPES
+from superset.databases.utils import make_url_safe
 from superset.extensions import encrypted_field_factory
 from superset.migrations.shared.utils import extract_table_references
 from superset.models.core import Database as OriginalDatabase
@@ -323,7 +323,7 @@ def after_insert(target: SqlaTable) -> None:  # pylint: disable=too-many-locals
     )
     if not database:
         return
-    url = make_url(database.sqlalchemy_uri)
+    url = make_url_safe(database.sqlalchemy_uri)
     dialect_class = url.get_dialect()
     conditional_quote = dialect_class().identifier_preparer.quote