fix: set charset via content_type to avoid malformed Content-Type headers

[rusackas]

SUMMARY

Two Content-Type construction issues (CWE-116 / ASVS 4.1.1):

1. Streaming CSV export (superset/charts/data/api.py) passed mimetype=f"text/csv; charset={encoding}" to Flask's Response. Werkzeug appends its own default charset to the mimetype value, producing a doubled, malformed header — Content-Type: text/csv; charset=utf-8; charset=utf-8. Switched to content_type=, which is used verbatim. (Reproduced on the pinned Werkzeug 3.x.)
2. json_success and BaseSupersetView.json_response (superset/views/base.py) returned application/json with no charset, inconsistent with _send_chart_response. Set content_type="application/json; charset=utf-8".

Updated the one test that asserted the exact application/json content type.

(Note: the related FINDING-024 — X-Content-Type-Options: nosniff on chart screenshots — is not included: Flask-Talisman already sets that header globally, so it's a false positive.)

TESTING INSTRUCTIONS

pytest tests/integration_tests/charts/api_tests.py -k get_data_no_query_context

ADDITIONAL INFORMATION

• Has associated issue:
• Required feature flags:
• Changes UI
• Includes DB Migration
• Introduces new feature or API
• Removes existing feature or API

🤖 Generated with Claude Code

[bito-code-review]

Code Review Agent Run #8ca439

Actionable Suggestions - 0

Additional Suggestions - 1

• tests/integration_tests/charts/api_tests.py - 1

  • Test assertion corrected · Line 1768-1768
    This change aligns the test assertion with the actual backend response. The `json_response` method in `superset/views/base.py:220` explicitly sets `content_type='application/json; charset=utf-8'`, so the test was previously asserting an incorrect value that would have failed.

Review Details

• Files reviewed - 3 · Commit Range: 49e590d..49e590d

  • superset/charts/data/api.py
  • superset/views/base.py
  • tests/integration_tests/charts/api_tests.py
• Files skipped - 0
• Tools

  • Whispers (Secret Scanner) - ✔︎ Successful
  • Detect-secrets (Secret Scanner) - ✔︎ Successful
  • MyPy (Static Code Analysis) - ✔︎ Successful
  • Astral Ruff (Static Code Analysis) - ✔︎ Successful

---

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

• /review - Manually triggers a full AI review.

• /pause - Pauses automatic reviews on this pull request.

• /resume - Resumes automatic reviews.

• /resolve - Marks all Bito-posted review comments as resolved.

• /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

• Customize agent settings
• Review rules
• General documentation
• FAQ

AI Code Review powered by

[netlify]

✅ Deploy Preview for superset-docs-preview ready!

Name	Link
🔨 Latest commit	be4d2ae
🔍 Latest deploy log	https://app.netlify.com/projects/superset-docs-preview/deploys/6a1ff4ca6d10b00008a5bac1
😎 Deploy Preview	https://deploy-preview-40658--superset-docs-preview.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
🤖 Make changes	Run an agent on this branch

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[bito-code-review]

This question isn’t related to the pull request. I can only help with questions about the PR’s code or comments.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.08%. Comparing base (b9dc9d7) to head (be4d2ae).

Additional details and impacted files

@@           Coverage Diff           @@
##           master   #40658   +/-   ##
=======================================
  Coverage   64.08%   64.08%           
=======================================
  Files        2663     2663           
  Lines      143289   143289           
  Branches    32952    32952           
=======================================
  Hits        91832    91832           
  Misses      49871    49871           
  Partials     1586     1586           

Flag	Coverage Δ
hive	39.79% <100.00%> (ø)
mysql	58.47% <100.00%> (ø)
postgres	58.55% <100.00%> (ø)
presto	41.39% <100.00%> (ø)
python	60.03% <100.00%> (ø)
sqlite	58.16% <100.00%> (ø)
unit	100.00% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull request overview

This PR standardizes and corrects Content-Type header construction in Superset responses to avoid malformed/doubled charset parameters and to consistently include charset=utf-8 for JSON responses.

Changes:

• Switch streaming CSV export to use Response(content_type=...) instead of mimetype=... to avoid Werkzeug producing doubled charset parameters.
• Update json_success and BaseSupersetView.json_response to return application/json; charset=utf-8.
• Update an integration test assertion to match the new JSON Content-Type.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File	Description
superset/charts/data/api.py	Uses content_type for streaming CSV export to prevent malformed Content-Type headers.
superset/views/base.py	Sets JSON responses to application/json; charset=utf-8 via content_type.
tests/integration_tests/charts/api_tests.py	Updates expected JSON Content-Type in an integration test.

[bito-code-review]

Code Review Agent Run #d9035e

Actionable Suggestions - 1

• superset/charts/data/api.py - 1

  • CWE-73: Filename Sanitization Correct · Line 620-620

Additional Suggestions - 1

• superset/charts/data/api.py - 1

  • DATA_MANIPULATION: Unused parameter · Line 620-621
    `expected_rows` is extracted at line 624-629 and logged at line 734, but never passed to or used by `StreamingCSVExportCommand`. Verify if this is intentional (informational logging only) or if it should be plumbed through to the command for future features like progress estimation.
    Code suggestion

    --- a/superset/charts/data/api.py
    +++ b/superset/charts/data/api.py
     @@ -623,8 +623,11 @@ class ChartDataRestApi(BaseChartDataRestApi):
              expected_rows = None
              if expected_rows_str := request.form.get("expected_rows"):
                  try:
                      expected_rows = int(expected_rows_str)
    -                logger.info("FRONTEND PROVIDED EXPECTED ROWS: %d", expected_rows)
    +                if expected_rows > 0:
    +                    logger.info("FRONTEND PROVIDED EXPECTED ROWS: %d", expected_rows)
    +                else:
    +                    expected_rows = None  # Ignore non-positive values
                  except (ValueError, TypeError):
                      logger.warning("Invalid expected_rows value: %s", expected_rows_str)
     

Review Details

• Files reviewed - 1 · Commit Range: 49e590d..2b32dc7

  • superset/charts/data/api.py
• Files skipped - 0
• Tools

  • Whispers (Secret Scanner) - ✔︎ Successful
  • Detect-secrets (Secret Scanner) - ✔︎ Successful
  • MyPy (Static Code Analysis) - ✔︎ Successful
  • Astral Ruff (Static Code Analysis) - ✔︎ Successful

---

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

• /review - Manually triggers a full AI review.

• /pause - Pauses automatic reviews on this pull request.

• /resume - Resumes automatic reviews.

• /resolve - Marks all Bito-posted review comments as resolved.

• /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

• Customize agent settings
• Review rules
• General documentation
• FAQ

AI Code Review powered by

[bito-code-review]

Code Review Agent Run #6168d8

Actionable Suggestions - 0

Review Details

• Files reviewed - 3 · Commit Range: be4d2ae..be4d2ae

  • superset/charts/data/api.py
  • superset/views/base.py
  • tests/integration_tests/charts/api_tests.py
• Files skipped - 0
• Tools

  • Whispers (Secret Scanner) - ✔︎ Successful
  • Detect-secrets (Secret Scanner) - ✔︎ Successful
  • MyPy (Static Code Analysis) - ✔︎ Successful
  • Astral Ruff (Static Code Analysis) - ✔︎ Successful

---

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

• /review - Manually triggers a full AI review.

• /pause - Pauses automatic reviews on this pull request.

• /resume - Resumes automatic reviews.

• /resolve - Marks all Bito-posted review comments as resolved.

• /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

• Customize agent settings
• Review rules
• General documentation
• FAQ

AI Code Review powered by