This is an automated email from the ASF dual-hosted git repository. elizabeth pushed a commit to branch elizabeth/fix-resize-bug in repository https://gitbox.apache.org/repos/asf/superset.git
commit 97bd294ac4347a2211bdbb56e001940233a0fffc
Author: sha174n <[email protected]>
AuthorDate: Fri Jul 25 00:36:32 2025 +0100
fix: enhance disallowed SQL functions list for improved security (#33084)
---
UPDATING.md | 1 +
superset/config.py | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++---
2 files changed, 84 insertions(+), 4 deletions(-)
diff --git a/UPDATING.md b/UPDATING.md
index 476facc026..de26c5ba2a 100644
--- a/UPDATING.md
+++ b/UPDATING.md
@@ -23,6 +23,7 @@ This file documents any backwards-incompatible changes in Superset and assists people when migrating to a new version. ## Next +- [33084](https://github.com/apache/superset/pull/33084) The DISALLOWED_SQL_FUNCTIONS configuration now includes additional potentially sensitive database functions across PostgreSQL, MySQL, SQLite, MS SQL Server, and ClickHouse. Existing queries using these functions may now be blocked. Review your SQL Lab queries and dashboards if you encounter "disallowed function" errors after upgrading - [34235](https://github.com/apache/superset/pull/34235) CSV exports now use `utf-8-sig` encoding by default to include a UTF-8 BOM, improving compatibility with Excel. - [34258](https://github.com/apache/superset/pull/34258) changing the default in Dockerfile to INCLUDE_CHROMIUM="false" (from "true") in the past. This ensures the `lean` layer is lean by default, and people can opt-in to the `chromium` layer by setting the build arg `INCLUDE_CHROMIUM=true`. This is a breaking change for anyone using the `lean` layer, as it will no longer include Chromium by default. - [34204](https://github.com/apache/superset/pull/33603) OpenStreetView has been promoted as the new default for Deck.gl visualization since it can be enabled by default without requiring an API key. If you have Mapbox set up and want to disable OpenStreeView in your environment, please follow the steps documented here [https://superset.apache.org/docs/configuration/map-tiles]. 
diff --git a/superset/config.py b/superset/config.py
index b0a1e3b7f3..9d6f8244ec 100644
--- a/superset/config.py
+++ b/superset/config.py
@@ -1458,18 +1458,97 @@ DB_SQLA_URI_VALIDATOR: Callable[[URL], None] | None = None
 # unsafe SQL functions in SQL Lab and Charts. The keys of the dictionary are the engine
 # names, and the values are sets of disallowed functions.
 DISALLOWED_SQL_FUNCTIONS: dict[str, set[str]] = {
+ # PostgreSQL functions that could reveal sensitive information
 "postgresql": {
- "database_to_xml",
+ # System information functions
+ "current_database",
+ "current_schema",
+ "current_user",
+ "session_user",
+ "current_setting",
+ "version",
+ # Network/server information functions
 "inet_client_addr",
+ "inet_client_port",
 "inet_server_addr",
+ "inet_server_port",
+ # File system functions
+ "pg_read_file",
+ "pg_ls_dir",
+ "pg_read_binary_file",
+ # XML functions that can execute SQL
+ "database_to_xml",
+ "database_to_xmlschema",
 "query_to_xml",
- "query_to_xml_and_xmlschema",
+ "query_to_xmlschema",
 "table_to_xml",
 "table_to_xml_and_xmlschema",
+ "query_to_xml_and_xmlschema",
+ "table_to_xmlschema",
+ # Other potentially dangerous functions
+ "pg_sleep",
+ "pg_terminate_backend",
+ },
+ # MySQL functions and variables that could reveal sensitive information
+ "mysql": {
+ # Functions
+ "database",
+ "schema",
+ "current_user",
+ "session_user",
+ "system_user",
+ "user",
+ "version",
+ "connection_id",
+ "load_file",
+ "sleep",
+ "benchmark",
+ "kill",
+ },
+ # SQLite functions that could reveal sensitive information
+ "sqlite": {
+ "sqlite_version",
+ "sqlite_source_id",
+ "sqlite_offset",
+ "sqlite_compileoption_used",
+ "sqlite_compileoption_get",
+ "load_extension",
+ },
+ # Microsoft SQL Server functions
+ "mssql": {
+ "db_name",
+ "suser_sname",
+ "user_name",
+ "host_name",
+ "host_id",
+ "suser_id",
+ "system_user",
+ "current_user",
+ "original_login",
+ "xp_cmdshell",
+ "xp_regread",
+ "xp_fileexist",
+ "xp_dirtree",
+ "serverproperty",
+ "is_srvrolemember",
+ "has_dbaccess",
+ "fn_virtualfilestats",
+ "fn_servershareddrives",
+ },
+ # Clickhouse functions
+ "clickhouse": {
+ "currentUser", + "currentDatabase", + "hostName", + "currentRoles", "version", + "buildID", + "url", + "filesystemPath", + "getOSInformation", + "getMacro", + "getSetting", }, - "clickhouse": {"url", "version", "currentDatabase", "hostName"}, - "mysql": {"version"}, }
