#5791: Address errors found by lgtm.com

[sturmer]

CATEGORY

Choose one

• Bug Fix
• Enhancement (new features, refinement)
• Refactor
• Add tests
• Build / Development Environment
• Documentation

SUMMARY

The website LGTM.com has detected a few errors from static analysis. This patch contains a possible fix for the first of them ("URL redirection from remote source") that follows the website's own recommendation: Check the input against some known source before using it. I've checked that the dashboard ID provided actually exists in DB and if it doesn't I return a 404.
I plan to solve the other 4 issues labeled as "Error" but wanted to get some early feedback before moving on.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

Not applicable.

TEST PLAN

I've written a unit test that can be run e.g. like:
tox -e py37 -- tests/access_tests.py:RequestAccessTests.test_dashboard_endpoint_malicious_redirect

ADDITIONAL INFORMATION

• Has associated issue: Improve code quality based on LGTM.com feedback #5791
• Changes UI
• Requires DB Migration.
• Confirm DB Migration upgrade and downgrade tested.
• Introduces new feature or API
• Removes existing feature or API

REVIEWERS

Please @mistercrunch as original reporter but feel free to re-assign as you see fit.

[codecov-io]

Codecov Report

Merging #7403 into master will increase coverage by 0.02%.
The diff coverage is 71.42%.

@@            Coverage Diff             @@
##           master    #7403      +/-   ##
==========================================
+ Coverage   65.71%   65.74%   +0.02%     
==========================================
  Files         459      459              
  Lines       21983    21980       -3     
  Branches     2415     2413       -2     
==========================================
+ Hits        14446    14450       +4     
+ Misses       7416     7410       -6     
+ Partials      121      120       -1

Impacted Files	Coverage Δ
superset/connectors/druid/views.py	68.18% <ø> (+0.43%)	⬆️
superset/assets/src/explore/controls.jsx	42.85% <ø> (ø)	⬆️
superset/assets/src/explore/exploreUtils.js	76.47% <ø> (+0.74%)	⬆️
superset/tasks/cache.py	76.72% <ø> (ø)	⬆️
superset/data/tabbed_dashboard.py	22.22% <ø> (-12.16%)	⬇️
superset/data/energy.py	100% <ø> (ø)	⬆️
...sets/src/SqlLab/components/ScheduleQueryButton.jsx	8.77% <0%> (ø)	⬆️
...c/explore/components/controls/withVerification.jsx	96.77% <100%> (ø)	⬆️
superset/utils/core.py	88.1% <100%> (ø)	⬆️
superset/connectors/druid/models.py	82.43% <100%> (+0.04%)	⬆️
... and 4 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ebb7fbc...2b0d317. Read the comment docs.

[john-bodley]

Please use super instead.

[john-bodley]

Please use super instead.

[john-bodley]

Could you provide some more context as to what you’re trying to achieve here?

[sturmer]

The analyzer at lgtm.com finds this assignment harmful (https://lgtm.com/rules/910074/).

The problem is (AFAIU) that we are mutating a descriptor object, and this can cause surprises to different instances of the same class. The recommendation is to create a copy that contains the desired state and return that instead.

In a patch I haven't pushed yet, I do a copy.is_method = True before returning as I do here. I wanted to copy the present instance, mutate it, and return it.

This, however, makes the unit tests test_memoized_on_methods_with_watches and test_memoized_on_methods fail.

[sturmer]

On further thought, I think that the code uses this pattern to actually achieve the desired result. What I propose, in this case, is to either silence the alert with # lgtm[py/mutable-descriptor], or to just ignore it. Maybe a comment in the code would be enough?

[sturmer]

@john-bodley kindly when you find a minute can you advise on this?

[john-bodley]

You could try using -1 (though I’m unsure if that works), otherwise maybe querying for the maximum dashboard ID and adding one, or using 9999.

[mistercrunch]

Edits to this file seems unrelated to your PR title

[sturmer]

I agree. The thing is that I started on the issue but gave a title related to the first I had started tackling. Do you suggest changing the title or split the PR into a few ones? (I'd favor the first.)

[sturmer]

@mistercrunch @john-bodley please when you have time can you have a look at this? In the meanwhile, I'll start addressing the lower-priority alerts (I remember seeing many unused imports, they should be safe to remove).

[sturmer]

To be clear, I think this patch could be merged as-is, but I'll add some lower-priority work to it that won't hurt. At least that's the plan 😄

[sturmer]

I need to re-scope this one in light of the more recent alerts. I think that the important is that I manage to fix the 4 errors currently pointed out.

[sturmer]

Now it should fix the 4 Errors and tackle a few Warnings as a bonus. It would be useful to point LGTM.com to this branch and check that that is actually the case, but I haven't been able to.

Is there still interest in going through with this? @john-bodley @mistercrunch

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. For admin, please label this issue .pinned to prevent stale bot from closing the issue.