fix(safe-markdown): do not mutate the shared sanitization schema

getOverrideHtmlSchema passed the module-level defaultSchema import from rehype-sanitize as the first argument to lodash mergeWith, which mutates it. Because the array customizer concatenates, the allowed tags/attributes/protocols arrays grew on each call, progressively widening the sanitization allowlist for every SafeMarkdown instance app-wide. Merge into a fresh cloneDeep of the schema so the shared singleton is never modified. Adds tests asserting the original schema is not mutated and that repeated calls do not accumulate overrides. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-24 17:09:20 +00:00 · 2026-06-22 17:22:12 -07:00
2 changed files with 42 additions and 3 deletions
--- a/superset-frontend/packages/superset-ui-core/src/components/SafeMarkdown/SafeMarkdown.tsx
+++ b/superset-frontend/packages/superset-ui-core/src/components/SafeMarkdown/SafeMarkdown.tsx
@@ -22,7 +22,7 @@ import rehypeSanitize, { defaultSchema } from 'rehype-sanitize';
 // remark-gfm v4+ requires react-markdown v9+, which requires React 18.
 // Currently pinned to v3.0.1 for compatibility with react-markdown v8 and React 17.
 import remarkGfm from 'remark-gfm';
-import { mergeWith } from 'lodash';
+import { cloneDeep, mergeWith } from 'lodash';
 import { FeatureFlag, isFeatureEnabled } from '../../utils';

 interface SafeMarkdownProps {
@@ -82,8 +82,15 @@ export function getOverrideHtmlSchema(
  originalSchema: typeof defaultSchema,
  htmlSchemaOverrides: SafeMarkdownProps['htmlSchemaOverrides'],
 ) {
-  return mergeWith(originalSchema, htmlSchemaOverrides, (objValue, srcValue) =>
-    Array.isArray(objValue) ? objValue.concat(srcValue) : undefined,
+  // Merge into a fresh clone: mergeWith mutates its first argument, and the
+  // array customizer concatenates, so merging into the shared defaultSchema
+  // import would progressively widen the sanitization allowlist for every
+  // SafeMarkdown instance app-wide.
+  return mergeWith(
+    cloneDeep(originalSchema),
+    htmlSchemaOverrides,
+    (objValue, srcValue) =>
+      Array.isArray(objValue) ? objValue.concat(srcValue) : undefined,
  );
 }

--- a/superset-frontend/packages/superset-ui-core/test/components/SafeMarkdown.test.tsx
+++ b/superset-frontend/packages/superset-ui-core/test/components/SafeMarkdown.test.tsx
@@ -17,6 +17,8 @@
 * under the License.
 */
 import { render } from '@testing-library/react';
+import { cloneDeep } from 'lodash';
+import { defaultSchema } from 'rehype-sanitize';
 import {
  getOverrideHtmlSchema,
  SafeMarkdown,
@@ -51,6 +53,36 @@ describe('getOverrideHtmlSchema', () => {
    expect(result.attributes).toEqual({ '*': ['size', 'src'], h1: ['style'] });
    expect(result.tagNames).toEqual(['h1', 'h2', 'h3', 'iframe']);
  });
+
+  test('should not mutate the original schema', () => {
+    const original = {
+      attributes: { '*': ['size'] },
+      tagNames: ['h1'],
+    };
+    getOverrideHtmlSchema(original, {
+      attributes: { '*': ['src'] },
+      tagNames: ['iframe'],
+    });
+    // The original passed in is left untouched.
+    expect(original.attributes).toEqual({ '*': ['size'] });
+    expect(original.tagNames).toEqual(['h1']);
+  });
+
+  test('should not mutate the shared defaultSchema import or accumulate across calls', () => {
+    const snapshot = cloneDeep(defaultSchema);
+    const overrides = { tagNames: ['iframe'] };
+
+    const first = getOverrideHtmlSchema(defaultSchema, overrides);
+    const second = getOverrideHtmlSchema(defaultSchema, overrides);
+
+    // The shared singleton is never modified...
+    expect(defaultSchema).toEqual(snapshot);
+    // ...and repeated calls do not accumulate the override (no growing arrays).
+    expect(first.tagNames).toEqual(second.tagNames);
+    expect(
+      (second.tagNames ?? []).filter(name => name === 'iframe'),
+    ).toHaveLength(1);
+  });
 });

 describe('transformLinkUri', () => {