fix: dataset safe URL for explore_url (#24686)

2026-04-19 16:14:52 +00:00 · 2023-08-23 13:31:44 +01:00
parent c92a975e4b
commit a9efd4b2e3
12 changed files with 85 additions and 147 deletions
--- a/superset/datasets/commands/exceptions.py
+++ b/superset/datasets/commands/exceptions.py
@@ -61,23 +61,6 @@ class DatasetExistsValidationError(ValidationError):
        )


-class DatasetEndpointUnsafeValidationError(ValidationError):
-    """
-    Marshmallow validation error for unsafe dataset default endpoint
-    """
-
-    def __init__(self) -> None:
-        super().__init__(
-            [
-                _(
-                    "The submitted URL is not considered safe,"
-                    " only use URLs with the same domain as Superset."
-                )
-            ],
-            field_name="default_endpoint",
-        )
-
-
 class DatasetColumnNotFoundValidationError(ValidationError):
    """
    Marshmallow validation error when dataset column for update does not exist
--- a/superset/datasets/commands/update.py
+++ b/superset/datasets/commands/update.py
@@ -18,7 +18,6 @@ import logging
 from collections import Counter
 from typing import Any, Optional

-from flask import current_app
 from flask_appbuilder.models.sqla import Model
 from marshmallow import ValidationError

@@ -32,7 +31,6 @@ from superset.datasets.commands.exceptions import (
    DatasetColumnNotFoundValidationError,
    DatasetColumnsDuplicateValidationError,
    DatasetColumnsExistsValidationError,
-    DatasetEndpointUnsafeValidationError,
    DatasetExistsValidationError,
    DatasetForbiddenError,
    DatasetInvalidError,
@@ -43,7 +41,6 @@ from superset.datasets.commands.exceptions import (
    DatasetUpdateFailedError,
 )
 from superset.exceptions import SupersetSecurityException
-from superset.utils.urls import is_safe_url

 logger = logging.getLogger(__name__)

@@ -104,15 +101,6 @@ class UpdateDatasetCommand(UpdateMixin, BaseCommand):
            self._properties["owners"] = owners
        except ValidationError as ex:
            exceptions.append(ex)
-        # Validate default URL safety
-        default_endpoint = self._properties.get("default_endpoint")
-        if (
-            default_endpoint
-            and not is_safe_url(default_endpoint)
-            and current_app.config["PREVENT_UNSAFE_DEFAULT_URLS_ON_DATASET"]
-        ):
-            exceptions.append(DatasetEndpointUnsafeValidationError())
-
        # Validate columns
        if columns := self._properties.get("columns"):
            self._validate_columns(columns, exceptions)