fix(chart-data-api): ignore missing filters (apache#11112)
villebro authored and auxten committed Nov 20, 2020
1 parent 2c2013a commit afb5cc1
Showing 3 changed files with 16 additions and 18 deletions.
1 change: 0 additions & 1 deletion superset/common/query_context.py
@@ -237,7 +237,6 @@ def get_df_payload( # pylint: disable=too-many-statements
col
for col in query_obj.columns
+ query_obj.groupby
+ [flt["col"] for flt in query_obj.filter]
+ utils.get_column_names_from_metrics(query_obj.metrics)
if col not in self.datasource.column_names
]
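Review bot: Removing `[flt["col"] for flt in query_obj.filter]` from this comprehension drops the only pre-query validation of filter columns against `self.datasource.column_names` that is visible here, so a filter on a non-existent column no longer yields an error payload; the companion test `test_sql_injection_via_filters` in tests/query_context_tests.py, which asserted that a `"*"` filter column produces an error, is deleted in the same commit. The new API test only checks that the unknown column is absent from the generated query, so whatever now discards such filters lives outside this diff (presumably the datasource's query builder) and is not evident from this code. I would add a comment on the comprehension, e.g. `# filter columns are deliberately not validated here; filters on unknown columns are dropped downstream` with the actual location named, so the next reader neither reintroduces the check nor assumes it still exists. Note also that silently dropping a filter widens the result set instead of failing, which a caller cannot distinguish from a correctly applied filter. get_df_payload starts before and continues past this hunk.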
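--- a/tests/charts/api_tests.py
+++ b/tests/charts/api_tests.py
@@ -855,6 +855,22 @@ def test_chart_data_prophet(self):
 self.assertIn("sum__num__yhat_lower", row)
 self.assertEqual(result["rowcount"], 47)
 
+def test_chart_data_query_missing_filter(self):
+"""
+Chart data API: Ensure filter referencing missing column is ignored
+"""
+self.login(username="admin")
+table = self.get_table_by_name("birth_names")
+request_payload = get_query_context(table.name, table.id, table.type)
+request_payload["queries"][0]["filters"] = [
+{"col": "non_existent_filter", "op": "==", "val": "foo"},
+]
+request_payload["result_type"] = utils.ChartDataResultType.QUERY
+rv = self.post_assert_metric(CHART_DATA_URI, request_payload, "data")
+self.assertEqual(rv.status_code, 200)
+response_payload = json.loads(rv.data.decode("utf-8"))
+assert "non_existent_filter" not in response_payload["result"][0]["query"]
+
 def test_chart_data_no_data(self):
 """
 Chart data API: Test chart data with empty result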
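Review bot: The final assertion only proves the unknown column is absent from the generated query, not that filtering still works, so a regression that dropped every filter would pass this test. I would add a second filter on a column the fixture does have, e.g. `{"col": "name", "op": "==", "val": "foo"}`, and assert `"name" in response_payload["result"][0]["query"]` (assuming `query` is the rendered SQL text, which the test does not show). Asserting `"error" not in response_payload["result"][0]` would also pin that the request succeeded rather than returning a 200 carrying an error message. The mix of `self.assertEqual` and a bare `assert` in one method is inconsistent with the surrounding unittest-style tests.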
17 changes: 0 additions & 17 deletions tests/query_context_tests.py
Original file line number Diff line number Diff line change
Expand Up @@ -211,23 +211,6 @@ def test_sql_injection_via_columns(self):
query_payload = query_context.get_payload()
assert query_payload[0].get("error") is not None

def test_sql_injection_via_filters(self):
"""
Ensure that calling invalid columns names in filters are caught
"""
self.login(username="admin")
table_name = "birth_names"
table = self.get_table_by_name(table_name)
payload = get_query_context(table.name, table.id, table.type)
payload["queries"][0]["groupby"] = ["name"]
payload["queries"][0]["metrics"] = []
payload["queries"][0]["filters"] = [
{"col": "*", "op": FilterOperator.EQUALS.value, "val": ";"}
]
query_context = ChartDataQueryContextSchema().load(payload)
query_payload = query_context.get_payload()
assert query_payload[0].get("error") is not None

def test_sql_injection_via_metrics(self):
"""
Ensure that calling invalid columns names in filters are caught
Expand Down
