This is an automated email from the ASF dual-hosted git repository.

michaelsmolina pushed a commit to branch 5.0-pulse
in repository https://gitbox.apache.org/repos/asf/superset.git

commit edbeadd2491c02325a9ea668a7e8ff421d1276b8
Author: sha174n <[email protected]>
AuthorDate: Fri Jul 25 00:36:32 2025 +0100

    fix: enhance disallowed SQL functions list for improved security (#33084)
    
    (cherry picked from commit 7f44992c4b686f3439a51819c34b463f04911cd6)
---
 superset/commands/dataset/update.py |  2 +-
 superset/config.py                  | 87 +++++++++++++++++++++++++++++++++++--
 2 files changed, 84 insertions(+), 5 deletions(-)

diff --git a/superset/commands/dataset/update.py 
b/superset/commands/dataset/update.py
index 4900b0caac..ad9f1f3c4d 100644
--- a/superset/commands/dataset/update.py
+++ b/superset/commands/dataset/update.py
@@ -79,7 +79,7 @@ class UpdateDatasetCommand(UpdateMixin, BaseCommand):
         assert self._model
         return DatasetDAO.update(self._model, attributes=self._properties)
 
-    def validate(self) -> None:
+    def validate(self) -> None:  # noqa: C901
         exceptions: list[ValidationError] = []
         owner_ids: Optional[list[int]] = self._properties.get("owners")
 
diff --git a/superset/config.py b/superset/config.py
index bc3841d23f..cd33946a09 100644
--- a/superset/config.py
+++ b/superset/config.py
@@ -1351,18 +1351,97 @@ DB_SQLA_URI_VALIDATOR: Callable[[URL], None] | None = 
None
 # unsafe SQL functions in SQL Lab and Charts. The keys of the dictionary are 
the engine
 # names, and the values are sets of disallowed functions.
 DISALLOWED_SQL_FUNCTIONS: dict[str, set[str]] = {
+    # PostgreSQL functions that could reveal sensitive information
     "postgresql": {
-        "database_to_xml",
+        # System information functions
+        "current_database",
+        "current_schema",
+        "current_user",
+        "session_user",
+        "current_setting",
+        "version",
+        # Network/server information functions
         "inet_client_addr",
+        "inet_client_port",
         "inet_server_addr",
+        "inet_server_port",
+        # File system functions
+        "pg_read_file",
+        "pg_ls_dir",
+        "pg_read_binary_file",
+        # XML functions that can execute SQL
+        "database_to_xml",
+        "database_to_xmlschema",
         "query_to_xml",
-        "query_to_xml_and_xmlschema",
+        "query_to_xmlschema",
         "table_to_xml",
         "table_to_xml_and_xmlschema",
+        "query_to_xml_and_xmlschema",
+        "table_to_xmlschema",
+        # Other potentially dangerous functions
+        "pg_sleep",
+        "pg_terminate_backend",
+    },
+    # MySQL functions and variables that could reveal sensitive information
+    "mysql": {
+        # Functions
+        "database",
+        "schema",
+        "current_user",
+        "session_user",
+        "system_user",
+        "user",
+        "version",
+        "connection_id",
+        "load_file",
+        "sleep",
+        "benchmark",
+        "kill",
+    },
+    # SQLite functions that could reveal sensitive information
+    "sqlite": {
+        "sqlite_version",
+        "sqlite_source_id",
+        "sqlite_offset",
+        "sqlite_compileoption_used",
+        "sqlite_compileoption_get",
+        "load_extension",
+    },
+    # Microsoft SQL Server functions
+    "mssql": {
+        "db_name",
+        "suser_sname",
+        "user_name",
+        "host_name",
+        "host_id",
+        "suser_id",
+        "system_user",
+        "current_user",
+        "original_login",
+        "xp_cmdshell",
+        "xp_regread",
+        "xp_fileexist",
+        "xp_dirtree",
+        "serverproperty",
+        "is_srvrolemember",
+        "has_dbaccess",
+        "fn_virtualfilestats",
+        "fn_servershareddrives",
+    },
+    # Clickhouse functions
+    "clickhouse": {
+        "currentUser",
+        "currentDatabase",
+        "hostName",
+        "currentRoles",
         "version",
+        "buildID",
+        "url",
+        "filesystemPath",
+        "getOSInformation",
+        "getMacro",
+        "getSetting",
     },
-    "clickhouse": {"url", "version", "currentDatabase", "hostName"},
-    "mysql": {"version"},
 }
 
 
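Review bot: Several of the new entries are not function calls, so whether this denylist ever matches them depends on the checker, which is not visible in this hunk: `kill` is a MySQL statement, the `xp_*` names under `"mssql"` are extended stored procedures normally run through `EXEC`, and `current_user`/`session_user`/`system_user` can be written without parentheses. The ClickHouse names are camelCase while every other engine's are lowercase, so the comparison has to be case-insensitive for both groups to work. I would state this above the dict, e.g. `# Best-effort denylist, matched by function name only; statements, EXEC'd procedures and case handling depend on the SQL parser. Restrict the database account's privileges as the primary control.` The `# MySQL functions and variables` heading also promises variables, but only a `# Functions` group follows; either drop "and variables" or add the group. The comment block that introduces the dict starts above the hunk.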
