fix(plugin-chart-ag-grid-table): validate filter values/operators in state converter

[rusackas]

SUMMARY

stateConversion.ts is the chart-state → ownState converter for the AG Grid table (registered via registerChartStateConverter, used on dashboards/Explore/embedded). It builds SQL filter clauses that are interpolated without quoting, so the inputs need validation. This hardens three spots:

• Number filter values are coerced with Number() and the filter is skipped when the value is not finite (they were previously interpolated as-is, unlike the text branch which already escapes).
• Compound join operators are restricted to AND/OR (normalized to upper case); any other value skips the clause (previously filter.operator was interpolated raw into the join).
• The column-id-keyed clause map is created with Object.create(null) so user-influenced column ids can't reach prototype keys.

This converter previously had no test coverage; this adds the first tests for convertFilterModel covering numeric validation, the operator allowlist, and the null-prototype map.

TESTING INSTRUCTIONS

cd superset-frontend && npx jest plugins/plugin-chart-ag-grid-table/test/stateConversion.test.ts

5/5 pass.

ADDITIONAL INFORMATION

• Has associated issue: n/a
• Changes UI: No
• Includes DB Migration: No
• Introduces new feature or API: No
• Removes existing feature or API: No

🤖 Generated with Claude Code

[bito-code-review]

Code Review Agent Run #2c72bd

Actionable Suggestions - 0

Filtered by Review Rules

Bito filtered these suggestions based on rules created automatically for your feedback. Manage rules.

• superset-frontend/plugins/plugin-chart-ag-grid-table/test/stateConversion.test.ts - 5

  • BITO: Type safety in tests · Line 25-25
  • BITO: Type safety in tests · Line 33-33
  • BITO: Type safety in tests · Line 46-46
  • BITO: Type safety in tests · Line 59-59
  • BITO: Type safety in tests · Line 66-66

Review Details

• Files reviewed - 2 · Commit Range: 2831b57..2831b57

  • superset-frontend/plugins/plugin-chart-ag-grid-table/src/stateConversion.ts
  • superset-frontend/plugins/plugin-chart-ag-grid-table/test/stateConversion.test.ts
• Files skipped - 0
• Tools

  • Eslint (Linter) - ✔︎ Successful
  • Whispers (Secret Scanner) - ✔︎ Successful
  • Detect-secrets (Secret Scanner) - ✔︎ Successful

---

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

• /review - Manually triggers a full AI review.

• /pause - Pauses automatic reviews on this pull request.

• /resume - Resumes automatic reviews.

• /resolve - Marks all Bito-posted review comments as resolved.

• /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

• Customize agent settings
• Review rules
• General documentation
• FAQ

AI Code Review powered by

[netlify]

✅ Deploy Preview for superset-docs-preview ready!

Name	Link
🔨 Latest commit	eda7371
🔍 Latest deploy log	https://app.netlify.com/projects/superset-docs-preview/deploys/6a1f6d309bfd2300085de906
😎 Deploy Preview	https://deploy-preview-40623--superset-docs-preview.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
🤖 Make changes	Run an agent on this branch

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[Copilot]

Pull request overview

Hardens the AG Grid table's chart-state → ownState converter (stateConversion.ts) against SQL injection via unquoted filter values and operators, and adds the first unit tests for convertFilterModel.

Changes:

• Coerce number-filter values via Number() and skip the clause when the result is not finite.
• Restrict compound-filter join operators to AND/OR (upper-cased), skipping the clause otherwise.
• Use Object.create(null) for the column-id → SQL clause map to prevent prototype-key collisions.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
superset-frontend/plugins/plugin-chart-ag-grid-table/src/stateConversion.ts	Validates numeric filter values, allowlists join operators, and uses a null-prototype map for SQL clauses.
superset-frontend/plugins/plugin-chart-ag-grid-table/test/stateConversion.test.ts	New Jest tests covering numeric validation, operator allowlist, and prototype-safe key handling.

[codecov]

Codecov Report

❌ Patch coverage is 78.57143% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 63.47%. Comparing base (3bbb35e) to head (d844ed4).

Files with missing lines	Patch %	Lines
.../plugin-chart-ag-grid-table/src/stateConversion.ts	78.57%	3 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #40623      +/-   ##
==========================================
+ Coverage   63.45%   63.47%   +0.02%     
==========================================
  Files        2662     2662              
  Lines      143254   143260       +6     
  Branches    32941    32943       +2     
==========================================
+ Hits        90899    90941      +42     
+ Misses      50763    50727      -36     
  Partials     1592     1592              

Flag	Coverage Δ
javascript	67.56% <78.57%> (+0.04%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[bito-code-review]

Bito Automatic Review Skipped – PR Already Merged

Bito scheduled an automatic review for this pull request, but the review was skipped because this PR was merged before the review could be run.
No action is needed if you didn't intend to review it. To get a review, you can type /review in a comment and save it