bito-code-review[bot] commented on code in PR #37183:
URL: https://github.com/apache/superset/pull/37183#discussion_r2770830920
##########
superset/mcp_service/dashboard/tool/get_dashboard_info.py:
##########
@@ -71,14 +110,57 @@ async def get_dashboard_info(
result = tool.run_tool(request.identifier)
if isinstance(result, DashboardInfo):
+ # If permalink_key is provided, retrieve filter state
+ if request.permalink_key:
+ await ctx.info(
+ "Retrieving filter state from permalink: permalink_key=%s"
+ % (request.permalink_key,)
+ )
+ permalink_value = _get_permalink_state(request.permalink_key)
+
+ if permalink_value:
+ # Verify the permalink belongs to the requested dashboard
+ permalink_dashboard_id = permalink_value.get("dashboardId")
+ if (
+ isinstance(permalink_dashboard_id, int)
+ and permalink_dashboard_id != result.id
+ ):
+ await ctx.warning(
+ "permalink_key dashboardId (%s) does not match "
+ "requested dashboard id (%s); ignoring permalink "
+ "filter state." % (permalink_dashboard_id,
result.id)
+ )
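Review bot: The `isinstance(permalink_dashboard_id, int)` gate makes the ownership check fail open: if the permalink value has no `dashboardId`, or stores it as any non-int type, the comparison `permalink_dashboard_id != result.id` is skipped entirely and the filter state is applied as though it belonged to the requested dashboard. Fail closed instead, e.g. `if permalink_dashboard_id is None or str(permalink_dashboard_id) != str(result.id):` followed by the same `ctx.warning` and the ignore path, so that a missing or differently typed id is treated as a mismatch rather than silently accepted.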
Review Comment:
<div>
<div id="suggestion">
<div id="issue"><b>Incomplete Permalink Verification</b></div>
<div id="fix">
The added verification only checks if permalink_dashboard_id is an integer
and matches result.id, but since dashboardId is typed as str (UUID), this check
never triggers. This leaves a security gap where a permalink from one dashboard
could be applied to another if the value is tampered with or misconfigured.
Consider always verifying the permalink's dashboard matches the requested one.
</div>
</div>
<small><i>Code Review Run #84d967</i></small>
</div>
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]