mirror of
https://github.com/apache/superset.git
synced 2026-07-15 03:05:43 +00:00
The cost-estimation path (QueryEstimationCommand) only checked database-level access, skipping the disallowed-function, disallowed-table, DML, and row-level security controls that the execution path (sql_lab.execute_sql_statements) applies. As a result EXPLAIN/cost estimation could be used to probe disallowed functions/tables, bypass the DML guard, and — because RLS predicates were not injected — confirm the existence/cardinality of rows hidden by RLS. Add _apply_sql_security() mirroring the executor: reject disallowed functions/tables and DML (when allow_dml is False), and inject RLS predicates into each statement (when RLS_IN_SQLLAB is enabled) before estimating, so the estimate reflects the same constrained query the user could actually run. DRAFT: changes the SQL sent to the engine's estimate_query_cost across engine specs; needs validation that EXPLAIN still works for RLS-injected SQL on the supported analytics databases before merge. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>