Commit Graph

1142 Commits

Author SHA1 Message Date
dependabot[bot]
543ad04ca0 chore(deps): bump pyarrow from 20.0.0 to 24.0.0 (#39756)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Evan <evan@preset.io>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-09 12:51:33 -07:00
Evan Rusackas
004101a752 fix(rls): apply standard datasource access checks in RLS rule commands (#40650)
Co-authored-by: Claude Code <noreply@anthropic.com>
2026-06-09 11:24:12 -07:00
Evan Rusackas
568f34d6d8 fix(mcp): enforce audience, algorithm, issuer binding, and token scopes (strict mode) (#40653)
Co-authored-by: Claude Code <noreply@anthropic.com>
2026-06-09 11:08:20 -07:00
Evan Rusackas
065578e48a fix(commands,api): enforce command validation, sanitize export filename/token, set cache TTLs (#40655)
Co-authored-by: Claude Code <noreply@anthropic.com>
2026-06-09 10:29:46 -07:00
EMMANUELA OPURUM
6311e2c315 fix: use pd.to_numeric in df_metrics_to_num to handle string-encoded numerics from ClickHouse (#40190)
Co-authored-by: Emmanuela Opurum <youremail@example.com>
Co-authored-by: Đỗ Trọng Hải <41283691+hainenber@users.noreply.github.com>
2026-06-09 10:28:34 -07:00
Evan Rusackas
0133ebc9f2 feat(mcp): log successful JWT authentication events (#40864)
Co-authored-by: Claude Code <noreply@anthropic.com>
2026-06-09 09:34:52 -07:00
Evan Rusackas
b64dd4af4a fix(mcp): handle JWKS fetch network errors during token verification (#40869)
Co-authored-by: Claude Code <noreply@anthropic.com>
2026-06-09 09:34:33 -07:00
Evan Rusackas
7b1e1e5668 fix(charts): route CSV result format through the escaping CSV writer (#40859)
Co-authored-by: Claude Code <noreply@anthropic.com>
2026-06-09 09:33:46 -07:00
Evan Rusackas
9105adc67b fix(mcp): return a generic message when a request is unauthenticated (#40861)
Co-authored-by: Claude Code <noreply@anthropic.com>
2026-06-09 09:19:15 -07:00
Sebastian Mohr
443fd7bcee fix(assets): Support uploading tags using the assets import endpoint (#38343)
Co-authored-by: Sam Firke <sfirke@users.noreply.github.com>
2026-06-09 10:13:28 -04:00
Daniel Vaz Gaspar
2f71771b56 fix(sqllab): prevent corrupted query state from blocking SQL Lab access (#40580)
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Joe Li <joe@preset.io>
2026-06-09 10:51:45 +01:00
Evan Rusackas
3afbb48188 fix(uploads,dao): add zip-safety check to columnar reader and cap DAO page size (#40637)
Co-authored-by: Claude Code <noreply@anthropic.com>
2026-06-08 17:07:57 -07:00
Evan Rusackas
837f41986d fix: reject default guest/async JWT secrets at startup (#40649)
Co-authored-by: Claude Code <noreply@anthropic.com>
2026-06-08 16:53:37 -07:00
Evan Rusackas
8eda626466 fix: raise random_key entropy and add expiry to async query tokens (#40638)
Co-authored-by: Claude Code <noreply@anthropic.com>
2026-06-08 16:24:06 -07:00
Evan Rusackas
fe9818226d fix(viz): gate stacktrace behind SHOW_STACKTRACE and allowlist resample method (#40636)
Co-authored-by: Claude Code <noreply@anthropic.com>
2026-06-08 16:09:59 -07:00
Evan Rusackas
911bb9dcda fix: harden ZIP safety checks (total-size cap, zero-division guard) and extension path matching (#40664)
Co-authored-by: Claude Code <noreply@anthropic.com>
2026-06-08 14:14:53 -07:00
Amin Ghadersohi
ef7379c47e chore(mcp): remove low-value list/info tools that fail agent-native policy (#40690) 2026-06-06 14:57:41 -04:00
Amin Ghadersohi
84aaaaa6b0 fix(mcp): filter sensitive database columns from list_databases loaded-metadata (#40771) 2026-06-06 14:57:21 -04:00
Evan Rusackas
b85a2cdab1 fix: ODPS (MaxCompute) data source table preview failed (#38174)
Co-authored-by: zhutong6688 <zhutong66@163.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
2026-06-05 17:57:44 -07:00
Evan Rusackas
381b99ae84 fix(csv): respect CSV_EXPORT config for decimal separator and delimiter (#38170)
Co-authored-by: Claude <noreply@anthropic.com>
2026-06-05 17:57:21 -07:00
Evan Rusackas
6b0d747939 fix: cache warmup using WebDriver for reliable authentication (#38449)
Co-authored-by: Superset Dev <dev@superset.apache.org>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-05 16:36:30 -07:00
Evan Rusackas
19d01521bf fix(dashboard): replace chartsInScope references at import time (#38171)
Co-authored-by: Rémy Dubois <remy.dubois@komodohealth.com>
Co-authored-by: Claude Code <noreply@anthropic.com>
2026-06-05 11:42:24 -07:00
Evan Rusackas
1623ceda73 fix(result_set): preserve JSON/JSONB data as objects instead of strings (#38172)
Co-authored-by: Claude <noreply@anthropic.com>
2026-06-05 11:41:40 -07:00
madhushreeag
fa42b13eb8 fix(dataset): preserve numeric column types when pydruid infers STRING from first-row value (#40677)
Co-authored-by: madhushree agarwal <madhushree_agarwal@apple.com>
2026-06-05 09:25:57 -07:00
Amin Ghadersohi
aa4092ba68 fix(mcp): add select_columns lean defaults to get_dashboard_info, get_chart_info, get_dataset_info (#40473)
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: Richard Fogaça <richardfogaca@gmail.com>
2026-06-05 11:10:13 -03:00
Elizabeth Thompson
42367afb25 fix(reports): add per-tile animation wait to prevent partial ECharts renders in tiled screenshots (#40694)
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-04 16:43:34 -07:00
Vitor Avila
7406098708 fix(dashboard-filter): Consider dashboard filters to charts not declared in the dashboard position (#40774) 2026-06-04 16:43:38 -03:00
Evan Rusackas
0d1b702ce8 feat(extensions): static supply-chain controls — denylist + version policy (#40668)
Co-authored-by: Claude Code <noreply@anthropic.com>
2026-06-04 12:29:03 -07:00
Amin Ghadersohi
7d69f76127 fix(mcp): API key authentication for MCP — transport, validation, and RBAC (#39604) 2026-06-04 15:04:43 -04:00
Evan Rusackas
9a31362fa5 fix(reports): stamp email subject date at send time, not import time (#40693)
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-04 12:03:28 -07:00
Evan Rusackas
23d18743bd fix(deck.gl): strip all JS-executed form_data keys when JavaScript controls are disabled (#40602)
Co-authored-by: Claude Code <noreply@anthropic.com>
2026-06-04 10:14:33 -07:00
Evan Rusackas
9d1bc6b2cc fix(i18n): don't flag intentional string deletions as translation regressions (#40716)
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-03 14:47:31 -07:00
Shaitan
6a125bf774 fix(jinja): expose dialect-escaped companion value on get_filters() (#40531) 2026-06-03 21:53:12 +01:00
Shaitan
43fde2fb07 fix(charts): enforce DISALLOWED_SQL_FUNCTIONS and DISALLOWED_SQL_TABLES at chart-data execution (#40567)
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-03 21:52:48 +01:00
dependabot[bot]
2be2246a00 chore(deps-dev): bump gevent from 24.2.1 to 26.4.0 (#40378)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Claude Code <noreply@anthropic.com>
Co-authored-by: Evan <evan@preset.io>
2026-06-03 12:58:17 -07:00
Evan Rusackas
80ea36c852 fix(db_engine_specs): escape schema name in regex; document safe filter pattern (#40642)
Co-authored-by: Claude Code <noreply@anthropic.com>
2026-06-03 11:56:51 -07:00
Amin Ghadersohi
f4dfb7f026 fix(mcp): fall back to form_data spatial query for Deck.gl charts (#40339) 2026-06-03 13:30:52 -04:00
Burhanuddin Mundrawala
e5ff6de790 chore: correct typos in config.py and models_test.py comments (#40706) 2026-06-03 21:58:29 +07:00
Shaitan
e3ba85b1a5 fix(redirect): normalize browser-stripped whitespace before protocol-relative check (#40566)
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-03 12:56:10 +01:00
Shaitan
56fd991efd fix(dataset): unify validation for stored and adhoc SQL expressions (#40392)
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-03 12:55:50 +01:00
Shaitan
f7f50a7977 fix(sqllab): quote CTAS target identifiers and validate tmp_table_name format (#40245)
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-03 12:55:25 +01:00
Shaitan
725f5ed2a9 fix(api): enforce per-object ownership validation in chart, dataset, and report commands (#39303)
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-03 12:55:15 +01:00
Shaitan
faa76f6741 fix(embedding): add optional dataset allowlist to guest tokens (#39302)
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-03 12:55:09 +01:00
Shaitan
8e4a460cc7 fix(charts): apply DISALLOWED_SQL_FUNCTIONS gate to adhoc expressions (#40568)
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-03 12:52:22 +01:00
Evan Rusackas
b9dc9d722e fix(export): sanitize user-supplied CSV export filename (charts + SQL Lab) (#40632)
Co-authored-by: Claude Code <noreply@anthropic.com>
2026-06-03 00:14:48 -07:00
Evan Rusackas
12bef03f4a fix(jinja): apply consistent escaping to url_param values from request args (#40633)
Co-authored-by: Claude Code <noreply@anthropic.com>
2026-06-02 21:23:48 -07:00
Evan Rusackas
0b9764aed5 fix(mcp): honor AUTH_ROLE_ADMIN and warn on permission-less protected tools (#40659)
Co-authored-by: Claude Code <noreply@anthropic.com>
2026-06-02 21:20:11 -07:00
Evan Rusackas
ac522ded1c fix(ssh-tunnel): validate server_address format (SSRF defense-in-depth) (#40665)
Co-authored-by: Claude Code <noreply@anthropic.com>
2026-06-02 21:19:24 -07:00
Evan Rusackas
9af6746dbe fix(models): HTML-escape data-controlled values in dashboard_link and Slice.icons (#40639)
Co-authored-by: Claude Code <noreply@anthropic.com>
2026-06-02 16:15:11 -07:00
Evan Rusackas
6abee0289b fix(reports): guard SUCCESS-state report execution against duplicate sends and stuck WORKING state (#40657)
Co-authored-by: Claude Code <noreply@anthropic.com>
2026-06-02 15:09:14 -07:00