mirror of
https://github.com/apache/superset.git
synced 2026-07-15 03:05:43 +00:00
Resolves PR #39925 conflict against 68 master commits since the last rebase. Single conflict in `superset/models/dashboard.py::dashboard_link`: - HEAD (Slice 1, this branch): `url_for("Superset.dashboard", ...)` so Flask prepends SCRIPT_NAME and the row link works under subdirectory deployments. - master (#40404 area): `escape(self.url)` to defuse user-controlled slug HTML injection in the rendered FAB list-view anchor. Resolution combines both: keep `url_for` for the subdir-correct routing, wrap the result in `escape()` for HTML-attribute defence-in-depth. `url_for` already percent-encodes the slug path param (mitigating the XSS vector master targeted); the explicit `escape()` documents intent and survives any future change that adds query params/fragments. master also added `tests/unit_tests/models/dashboard_test.py` with two tests that instantiated `Dashboard` outside an application context. Adapted to use the `app_context` autouse fixture + a `current_app.test_request_context("/")` block so they exercise the `url_for`-based implementation. Semantic assertions preserved: the script-tag injection test still asserts no `<script>` or attribute breakout; the plain-slug test still asserts `/superset/dashboard/sales/` appears in the rendered href. All other touched files auto-merged cleanly (UPDATING.md, config.py, connectors/sqla/models.py, models/slice.py, views/utils.py, integration_tests/dashboards/api_tests.py, unit_tests/commands/report/execute_test.py). Notably slice.py's auto-merge correctly retained Slice 1's `slice_link` url_for refactor alongside master's new `icons` data-controlled HTML escape. SKIP=pylint applied for worktree-venv subshell baseline (pre-commit's pylint hook can't load the superset module without an activated venv; documented baseline across Slices 4-8). pylint verified independently against the changed files. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
60 lines
2.2 KiB
Python
60 lines
2.2 KiB
Python
# Licensed to the Apache Software Foundation (ASF) under one
|
|
# or more contributor license agreements. See the NOTICE file
|
|
# distributed with this work for additional information
|
|
# regarding copyright ownership. The ASF licenses this file
|
|
# to you under the Apache License, Version 2.0 (the
|
|
# "License"); you may not use this file except in compliance
|
|
# with the License. You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing,
|
|
# software distributed under the License is distributed on an
|
|
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
# KIND, either express or implied. See the License for the
|
|
# specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
from flask import current_app
|
|
|
|
from superset.models.dashboard import Dashboard
|
|
|
|
|
|
def test_dashboard_link_escapes_slug(app_context: None) -> None:
|
|
"""dashboard_link must HTML-escape the user-controlled slug in the href.
|
|
|
|
The slug can carry markup via the import path (which does not run the REST
|
|
API's slug sanitization), so the rendered FAB list-view link must escape it.
|
|
`url_for` percent-encodes path params and `escape()` HTML-encodes the
|
|
result before Markup-marking; the rendered link must contain neither the
|
|
raw injected script tag nor an unescaped attribute breakout.
|
|
"""
|
|
dash = Dashboard()
|
|
dash.id = 1
|
|
dash.dashboard_title = "My Dashboard"
|
|
dash.slug = '"><script>alert(1)</script>'
|
|
|
|
with current_app.test_request_context("/"):
|
|
link = str(dash.dashboard_link())
|
|
|
|
# The injected script tag / attribute breakout must be escaped away.
|
|
assert "<script>" not in link
|
|
assert '"><script' not in link
|
|
# The legitimate anchor markup is still present.
|
|
assert link.startswith("<a href=")
|
|
assert "My Dashboard" in link
|
|
|
|
|
|
def test_dashboard_link_renders_plain_slug(app_context: None) -> None:
|
|
"""A normal slug renders a working link."""
|
|
dash = Dashboard()
|
|
dash.id = 7
|
|
dash.dashboard_title = "Sales"
|
|
dash.slug = "sales"
|
|
|
|
with current_app.test_request_context("/"):
|
|
link = str(dash.dashboard_link())
|
|
|
|
assert "/superset/dashboard/sales/" in link
|
|
assert "Sales" in link
|