fix(database): extend shillelagh URI pattern to cover all driver variants

[sha174n]

SUMMARY

The shillelagh URI blocklist in analytics_db_safety.py used two separate patterns (shillelagh$ and shillelagh\+apsw$) that only matched the bare driver and one specific variant. Other driver suffixes such as +csv, +json, and +gsheets were not matched, allowing those URIs to bypass the blocklist check.

This PR replaces both patterns with a single regex shillelagh(?:\+[^\s]*)?$ that blocks shillelagh regardless of the driver suffix, consistent with how the existing sqlite pattern already handles all its variants via sqlite(?:\+[^\s]*)?$.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A — backend-only change.

TESTING INSTRUCTIONS

1. Run the updated integration test:

   pytest tests/integration_tests/security/analytics_db_safety_tests.py -v

   All 15 test cases should pass, including the new shillelagh+csv, shillelagh+json, and shillelagh+gsheets variants.

2. Attempt to create a database connection with sqlalchemy_uri: shillelagh+csv:///etc/passwd via the API — should return a 422 error, not 201.

ADDITIONAL INFORMATION

• Has associated issue:
• Required feature flags:
• Changes UI
• Includes DB Migration
• Introduces new feature or API
• Removes existing feature or API

[bito-code-review]

Code Review Agent Run #b8d2bb

Actionable Suggestions - 0

Review Details

• Files reviewed - 2 · Commit Range: 9cf70ba..9cf70ba

  • superset/security/analytics_db_safety.py
  • tests/integration_tests/security/analytics_db_safety_tests.py
• Files skipped - 0
• Tools

  • Whispers (Secret Scanner) - ✔︎ Successful
  • Detect-secrets (Secret Scanner) - ✔︎ Successful
  • MyPy (Static Code Analysis) - ✔︎ Successful
  • Astral Ruff (Static Code Analysis) - ✔︎ Successful

---

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

• /review - Manually triggers a full AI review.

• /pause - Pauses automatic reviews on this pull request.

• /resume - Resumes automatic reviews.

• /resolve - Marks all Bito-posted review comments as resolved.

• /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

• Customize agent settings
• Review rules
• General documentation
• FAQ

AI Code Review powered by

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 63.83%. Comparing base (f67dd4a) to head (9cf70ba).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master   #39995   +/-   ##
=======================================
  Coverage   63.83%   63.83%           
=======================================
  Files        2589     2589           
  Lines      137821   137821           
  Branches    31928    31928           
=======================================
  Hits        87978    87978           
  Misses      48327    48327           
  Partials     1516     1516           

Flag	Coverage Δ
hive	39.36% <ø> (ø)
mysql	59.01% <ø> (ø)
postgres	59.09% <ø> (ø)
presto	41.06% <ø> (ø)
python	60.53% <ø> (ø)
sqlite	58.73% <ø> (ø)
unit	100.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.