Files
superset2/tests/unit_tests/models/dashboard_test.py
Joe Li 58e0232a31 fix(subdirectory): post-merge review fix queue (R9-1..R9-4 + lockfile)
R9-2 (extensions): UIManifestProcessor was reading
`self.app.config["APPLICATION_ROOT"]` after the master merge; callers in
`test_get_manifest_*` pass `Mock(config={})` and got a KeyError. Use
`.get(..., "")` for both STATIC_ASSETS_PREFIX and APPLICATION_ROOT so the
context processor degrades to empty-string under partial mocks. Affects
unit-tests, test-mysql, test-postgres, test-sqlite lanes.

R9-3 (dashboard_test): `test_dashboard_link_renders_plain_slug` asserts a
`/superset` prefix but `test_request_context("/")` builds a URL adapter
with empty script root, so `url_for` emitted `/dashboard/sales/`. Pass
`base_url="http://localhost/superset/"` so werkzeug derives SCRIPT_NAME
from the base URL and the adapter prepends it. environ_base alone is
insufficient — the URL adapter binds to the parsed base URL, not raw
environ.

R9-1 (navigationUtils.schemes): the redirect-scheme test asserted
byte-identity against `/superset/<scheme:body>` but `navigateTo` runs the
path through `new URL(...).pathname` then `encodeURI()` as part of the
CodeQL sanitiser triple-layer, encoding `<` -> `%3C` -> `%253C`. Replace
the byte-equality with a shape-match: assert the scheme survives only as
a prefixed path segment and the value does not start with any dangerous
scheme. The open-redirect contract is satisfied by either shape; the
encodeURI hardening is additional defence on top.

R9-4 (FilterBar.subdirectory): prettier-frontend wanted four formatting
collapses (multi-line readFileSync, double-quoted backtick-string to
single, long description unwrap, multi-line not.toMatch). Pure style.

Lockfile: the master merge added `@braintree/sanitize-url` to
superset-frontend's workspace package.json but didn't lock it. `npm ci`
on CI would fail strict-mode resolution; without it, jest in the
sharded-jest-tests #7 lane cannot resolve the import at module-load
time. Sync the lockfile entry.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-03 18:25:17 -07:00

69 lines
2.8 KiB
Python

# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
from flask import current_app
from superset.models.dashboard import Dashboard
def test_dashboard_link_escapes_slug(app_context: None) -> None:
"""dashboard_link must HTML-escape the user-controlled slug in the href.
The slug can carry markup via the import path (which does not run the REST
API's slug sanitization), so the rendered FAB list-view link must escape it.
`url_for` percent-encodes path params and `escape()` HTML-encodes the
result before Markup-marking; the rendered link must contain neither the
raw injected script tag nor an unescaped attribute breakout.
"""
dash = Dashboard()
dash.id = 1
dash.dashboard_title = "My Dashboard"
dash.slug = '"><script>alert(1)</script>'
with current_app.test_request_context("/"):
link = str(dash.dashboard_link())
# The injected script tag / attribute breakout must be escaped away.
assert "<script>" not in link
assert '"><script' not in link
# The legitimate anchor markup is still present.
assert link.startswith("<a href=")
assert "My Dashboard" in link
def test_dashboard_link_renders_plain_slug(app_context: None) -> None:
"""A normal slug renders a working link under a subdirectory deployment.
`dashboard_link` uses `url_for`, which prepends the request's script root
so the rendered href is correct under both root and `/superset`
deployments. The test pins the `/superset` shape by passing `base_url`
with the prefix path — werkzeug derives `SCRIPT_NAME` from the base URL's
path and the URL adapter then prepends it on `url_for`. Passing
`environ_base={"SCRIPT_NAME": "/superset"}` alone is not enough: the URL
adapter is built from the parsed base URL, not raw environ values.
"""
dash = Dashboard()
dash.id = 7
dash.dashboard_title = "Sales"
dash.slug = "sales"
with current_app.test_request_context("/", base_url="http://localhost/superset/"):
link = str(dash.dashboard_link())
assert "/superset/dashboard/sales/" in link
assert "Sales" in link