fix: datasource save, improve data validation (#22038)

tests/unit_tests/utils/urls_tests.py

@@ -15,6 +15,8 @@
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
+import pytest
+
 from superset.utils.urls import modify_url_query
 
 EXPLORE_CHART_LINK = "http://localhost:9000/explore/?form_data=%7B%22slice_id%22%3A+76%7D&standalone=true&force=false"
@@ -33,3 +35,27 @@ def test_convert_chart_link() -> None:
 def test_convert_dashboard_link() -> None:
     test_url = modify_url_query(EXPLORE_DASHBOARD_LINK, standalone="0")
     assert test_url == "http://localhost:9000/superset/dashboard/3/?standalone=0"
+
+
+@pytest.mark.parametrize(
+    "url,is_safe",
+    [
+        ("http://localhost/", True),
+        ("http://localhost/superset/1", True),
+        ("https://localhost/", False),
+        ("https://localhost/superset/1", False),
+        ("localhost/superset/1", False),
+        ("ftp://localhost/superset/1", False),
+        ("http://external.com", False),
+        ("https://external.com", False),
+        ("external.com", False),
+        ("///localhost", False),
+        ("xpto://localhost:[3/1/", False),
+    ],
+)
+def test_is_safe_url(url: str, is_safe: bool) -> None:
+    from superset import app
+    from superset.utils.urls import is_safe_url
+
+    with app.test_request_context("/"):
+        assert is_safe_url(url) == is_safe