mirror of
https://github.com/apache/superset.git
synced 2026-07-12 09:45:43 +00:00
R9-2 (extensions): UIManifestProcessor was reading
`self.app.config["APPLICATION_ROOT"]` after the master merge; callers in
`test_get_manifest_*` pass `Mock(config={})` and got a KeyError. Use
`.get(..., "")` for both STATIC_ASSETS_PREFIX and APPLICATION_ROOT so the
context processor degrades to empty-string under partial mocks. Affects
unit-tests, test-mysql, test-postgres, test-sqlite lanes.
R9-3 (dashboard_test): `test_dashboard_link_renders_plain_slug` asserts a
`/superset` prefix but `test_request_context("/")` builds a URL adapter
with empty script root, so `url_for` emitted `/dashboard/sales/`. Pass
`base_url="http://localhost/superset/"` so werkzeug derives SCRIPT_NAME
from the base URL and the adapter prepends it. environ_base alone is
insufficient — the URL adapter binds to the parsed base URL, not raw
environ.
R9-1 (navigationUtils.schemes): the redirect-scheme test asserted
byte-identity against `/superset/<scheme:body>` but `navigateTo` runs the
path through `new URL(...).pathname` then `encodeURI()` as part of the
CodeQL sanitiser triple-layer, encoding `<` -> `%3C` -> `%253C`. Replace
the byte-equality with a shape-match: assert the scheme survives only as
a prefixed path segment and the value does not start with any dangerous
scheme. The open-redirect contract is satisfied by either shape; the
encodeURI hardening is additional defence on top.
R9-4 (FilterBar.subdirectory): prettier-frontend wanted four formatting
collapses (multi-line readFileSync, double-quoted backtick-string to
single, long description unwrap, multi-line not.toMatch). Pure style.
Lockfile: the master merge added `@braintree/sanitize-url` to
superset-frontend's workspace package.json but didn't lock it. `npm ci`
on CI would fail strict-mode resolution; without it, jest in the
sharded-jest-tests #7 lane cannot resolve the import at module-load
time. Sync the lockfile entry.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
69 lines
2.8 KiB
Python
69 lines
2.8 KiB
Python
# Licensed to the Apache Software Foundation (ASF) under one
|
|
# or more contributor license agreements. See the NOTICE file
|
|
# distributed with this work for additional information
|
|
# regarding copyright ownership. The ASF licenses this file
|
|
# to you under the Apache License, Version 2.0 (the
|
|
# "License"); you may not use this file except in compliance
|
|
# with the License. You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing,
|
|
# software distributed under the License is distributed on an
|
|
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
# KIND, either express or implied. See the License for the
|
|
# specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
from flask import current_app
|
|
|
|
from superset.models.dashboard import Dashboard
|
|
|
|
|
|
def test_dashboard_link_escapes_slug(app_context: None) -> None:
|
|
"""dashboard_link must HTML-escape the user-controlled slug in the href.
|
|
|
|
The slug can carry markup via the import path (which does not run the REST
|
|
API's slug sanitization), so the rendered FAB list-view link must escape it.
|
|
`url_for` percent-encodes path params and `escape()` HTML-encodes the
|
|
result before Markup-marking; the rendered link must contain neither the
|
|
raw injected script tag nor an unescaped attribute breakout.
|
|
"""
|
|
dash = Dashboard()
|
|
dash.id = 1
|
|
dash.dashboard_title = "My Dashboard"
|
|
dash.slug = '"><script>alert(1)</script>'
|
|
|
|
with current_app.test_request_context("/"):
|
|
link = str(dash.dashboard_link())
|
|
|
|
# The injected script tag / attribute breakout must be escaped away.
|
|
assert "<script>" not in link
|
|
assert '"><script' not in link
|
|
# The legitimate anchor markup is still present.
|
|
assert link.startswith("<a href=")
|
|
assert "My Dashboard" in link
|
|
|
|
|
|
def test_dashboard_link_renders_plain_slug(app_context: None) -> None:
|
|
"""A normal slug renders a working link under a subdirectory deployment.
|
|
|
|
`dashboard_link` uses `url_for`, which prepends the request's script root
|
|
so the rendered href is correct under both root and `/superset`
|
|
deployments. The test pins the `/superset` shape by passing `base_url`
|
|
with the prefix path — werkzeug derives `SCRIPT_NAME` from the base URL's
|
|
path and the URL adapter then prepends it on `url_for`. Passing
|
|
`environ_base={"SCRIPT_NAME": "/superset"}` alone is not enough: the URL
|
|
adapter is built from the parsed base URL, not raw environ values.
|
|
"""
|
|
dash = Dashboard()
|
|
dash.id = 7
|
|
dash.dashboard_title = "Sales"
|
|
dash.slug = "sales"
|
|
|
|
with current_app.test_request_context("/", base_url="http://localhost/superset/"):
|
|
link = str(dash.dashboard_link())
|
|
|
|
assert "/superset/dashboard/sales/" in link
|
|
assert "Sales" in link
|