chore: blacklist unsafe functions (apache#19537)

ValtechMobility · Jun 9, 2022 · 12ebf65 · 12ebf65
1 parent 634e5b5
commit 12ebf65
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 7 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -49,5 +49,11 @@ repos:
     rev: v2.4.1 # Use the sha or tag you want to point at
     hooks:
       - id: prettier
-        args: ["--ignore-path=./superset-frontend/.prettierignore"]
-        files: "superset-frontend"
+        args: ['--ignore-path=./superset-frontend/.prettierignore']
+        files: 'superset-frontend'
+  # blacklist unsafe functions like make_url (see #19526)
+  - repo: https://github.com/skorokithakis/blacklist-pre-commit-hook
+    rev: e2f070289d8eddcaec0b580d3bde29437e7c8221
+    hooks:
+      - id: blacklist
+        args: ["--blacklisted-names=make_url", "--ignore=tests/"]
diff --git a/superset/databases/utils.py b/superset/databases/utils.py
@@ -113,6 +113,6 @@ def make_url_safe(raw_url: str) -> URL:
     :return:
     """
     try:
-        return make_url(raw_url.strip())
+        return make_url(raw_url.strip())  # noqa
     except Exception:
         raise DatabaseInvalidError()  # pylint: disable=raise-missing-from
diff --git a/superset/migrations/versions/620241d1153f_update_time_grain_sqla.py b/superset/migrations/versions/620241d1153f_update_time_grain_sqla.py
@@ -30,10 +30,10 @@
 
 from alembic import op
 from sqlalchemy import Column, ForeignKey, Integer, Text
-from sqlalchemy.engine.url import make_url
 from sqlalchemy.ext.declarative import declarative_base
 
 from superset import db, db_engine_specs
+from superset.databases.utils import make_url_safe
 from superset.utils.memoized import memoized
 
 Base = declarative_base()
@@ -46,7 +46,7 @@ class Database(Base):
     sqlalchemy_uri = Column(Text)
 
     def grains(self):
-        url = make_url(self.sqlalchemy_uri)
+        url = make_url_safe(self.sqlalchemy_uri)
         backend = url.get_backend_name()
         db_engine_spec = db_engine_specs.engines.get(
             backend, db_engine_specs.BaseEngineSpec

diff --git a/superset/migrations/versions/b8d3a24d9131_new_dataset_models.py b/superset/migrations/versions/b8d3a24d9131_new_dataset_models.py
@@ -31,14 +31,14 @@
 import sqlalchemy as sa
 from alembic import op
 from sqlalchemy import and_, inspect, or_
-from sqlalchemy.engine.url import make_url
 from sqlalchemy.ext.declarative import declarative_base
 from sqlalchemy.orm import backref, relationship, Session
 from sqlalchemy.schema import UniqueConstraint
 from sqlalchemy_utils import UUIDType
 
 from superset import app, db
 from superset.connectors.sqla.models import ADDITIVE_METRIC_TYPES
+from superset.databases.utils import make_url_safe
 from superset.extensions import encrypted_field_factory
 from superset.migrations.shared.utils import extract_table_references
 from superset.models.core import Database as OriginalDatabase
@@ -323,7 +323,7 @@ def after_insert(target: SqlaTable) -> None:  # pylint: disable=too-many-locals
     )
     if not database:
         return
-    url = make_url(database.sqlalchemy_uri)
+    url = make_url_safe(database.sqlalchemy_uri)
     dialect_class = url.get_dialect()
     conditional_quote = dialect_class().identifier_preparer.quote