feat(alerts/reports): external URL warning (#35021)

2026-04-19 16:14:52 +00:00 · 2026-03-06 11:57:03 -05:00
parent 296bd7e56b
commit 03ad1789f0
13 changed files with 864 additions and 0 deletions
--- a/tests/integration_tests/security_tests.py
+++ b/tests/integration_tests/security_tests.py
@@ -1662,6 +1662,7 @@ class TestRolePermission(SupersetTestCase):
            ["SupersetAuthView", "logout"],
            ["SupersetRegisterUserView", "register"],
            ["SupersetRegisterUserView", "activation"],
+            ["RedirectView", "redirect_warning"],
        ]
        unsecured_views = []
        for view_class in appbuilder.baseviews:
--- a/tests/integration_tests/views/test_redirect_view.py
+++ b/tests/integration_tests/views/test_redirect_view.py
@@ -0,0 +1,66 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+from tests.conftest import with_config
+from tests.integration_tests.base_tests import SupersetTestCase
+from tests.integration_tests.conftest import with_feature_flags
+
+REDIRECT_CONFIG = {
+    "WEBDRIVER_BASEURL": "http://localhost:8088",
+    "WEBDRIVER_BASEURL_USER_FRIENDLY": "http://localhost:8088",
+}
+
+
+class TestRedirectView(SupersetTestCase):
+    """Integration tests for the /redirect/ endpoint."""
+
+    @with_feature_flags(ALERT_REPORTS=True)
+    @with_config(REDIRECT_CONFIG)
+    def test_missing_url_returns_400(self):
+        resp = self.client.get("/redirect/")
+        assert resp.status_code == 400
+
+    @with_feature_flags(ALERT_REPORTS=True)
+    @with_config(REDIRECT_CONFIG)
+    def test_dangerous_scheme_returns_400(self):
+        resp = self.client.get("/redirect/?url=javascript:alert(1)")
+        assert resp.status_code == 400
+
+    @with_feature_flags(ALERT_REPORTS=True)
+    @with_config(REDIRECT_CONFIG)
+    def test_internal_url_redirects(self):
+        resp = self.client.get(
+            "/redirect/?url=http://localhost:8088/dashboard/1",
+            follow_redirects=False,
+        )
+        assert resp.status_code == 302
+        assert resp.headers["Location"] == "http://localhost:8088/dashboard/1"
+
+    @with_feature_flags(ALERT_REPORTS=True)
+    @with_config(REDIRECT_CONFIG)
+    def test_external_url_renders_page(self):
+        resp = self.client.get(
+            "/redirect/?url=https://external.com/page",
+        )
+        assert resp.status_code == 200
+
+    @with_feature_flags(ALERT_REPORTS=False)
+    def test_feature_flag_disabled_returns_404(self):
+        resp = self.client.get(
+            "/redirect/?url=https://external.com",
+        )
+        assert resp.status_code == 404