
fix(dashboard): URL-encode native_filters in permalink redirect #40660

Open · rusackas wants to merge 1 commit into master from fix/permalink-native-filters-encoding

Conversation

@rusackas (Member) commented Jun 2, 2026

SUMMARY

dashboard_permalink (superset/views/core.py) concatenated the native_filters URL-param value into the redirect URL without URL-encoding, while every other param went through parse.urlencode. The code even had a comment "native_filters doesnt need to be encoded here." A permalink whose stored native_filters value contained &/#/= could therefore inject additional query parameters into the redirect target, altering the dashboard filter state shown to a victim who opens the permalink (ASVS 1.2.2).

Fix: encode all param values uniformly via parse.urlencode. Flask URL-decodes them back when reading request.args, so legitimate native_filters values render identically — the encoding is transparent for valid input and only neutralizes injection.

TESTING INSTRUCTIONS

pytest tests/integration_tests/dashboards/permalink/api_tests.py

A permalink whose native_filters value contains special characters now appears percent-encoded in the redirect Location (no extra params injected).

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration
  • Introduces new feature or API
  • Removes existing feature or API

🤖 Generated with Claude Code

dashboard_permalink concatenated the native_filters param value into the
redirect URL without URL-encoding (every other param went through
parse.urlencode). A permalink whose stored native_filters value contained
'&'/'#'/'=' could inject additional query parameters into the redirect target,
modifying the dashboard filter state shown to a victim.

Encode all param values uniformly; Flask decodes them back on read, so
legitimate native_filters values are unaffected.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
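As an added illustration of the issue the summary and commit message above describe (example code written for this page, not Superset's own code): the pre-fix and post-fix loop bodies side by side, with a small decoder standing in for what a Flask `request.args` reader sees. The base URL, the `permalink_key` value, the dashboard id and the rison-style `native_filters` value are all constructed for this example; `injected_keys` and `roundtrips` are hypothetical helpers that make the difference between the two builders checkable.

```python
from urllib import parse

# Constructed sample input (not taken from the PR): the URL the view starts
# from and the urlParams pairs stored with a permalink. The permalink key,
# dashboard id and rison-style native_filters value are made up here.
BASE_URL = "/superset/dashboard/7/?permalink_key=EXAMPLE_KEY"
CRAFTED_PARAMS = [
    ("native_filters", "(NATIVE_FILTER-abc:(value:!(x)))&standalone=1"),
]
BENIGN_PARAMS = [
    ("native_filters", "(NATIVE_FILTER-abc:(value:!(x)))"),
]


def build_redirect_before(url, url_params):
    """Pre-fix behaviour shown in the diff: native_filters is concatenated raw."""
    for param_key, param_val in url_params:
        if param_key == "native_filters":
            url = f"{url}&native_filters={param_val}"
        else:
            url = f"{url}&{parse.urlencode([(param_key, param_val)])}"
    return url


def build_redirect_after(url, url_params):
    """Post-fix behaviour: every value goes through parse.urlencode."""
    for param_key, param_val in url_params:
        url = f"{url}&{parse.urlencode([(param_key, param_val)])}"
    return url


def read_query(url):
    """Decode the query string the way a Flask request.args reader sees it
    (a dict of key -> list of values). Anything after '#' is a fragment and
    never reaches the server at all."""
    return parse.parse_qs(parse.urlsplit(url).query, keep_blank_values=True)


def injected_keys(url, url_params):
    """Query keys present in the redirect that the stored params never set
    (permalink_key comes from the base URL and is therefore expected)."""
    expected = {"permalink_key"} | {key for key, _ in url_params}
    return sorted(set(read_query(url)) - expected)


def roundtrips(url, url_params):
    """True if every stored value comes back from the redirect URL unchanged."""
    seen = read_query(url)
    return all(value in seen.get(key, []) for key, value in url_params)


def check(builder, url_params):
    """Summarise one builder against one set of stored params."""
    url = builder(BASE_URL, url_params)
    return {
        "url": url,
        "injected": injected_keys(url, url_params),
        "roundtrips": roundtrips(url, url_params),
    }


if __name__ == "__main__":
    builders = (("before", build_redirect_before), ("after", build_redirect_after))
    inputs = (("crafted", CRAFTED_PARAMS), ("benign", BENIGN_PARAMS))
    for name, builder in builders:
        for label, params in inputs:
            print(name, label, check(builder, params))
```

With the crafted value, the pre-fix builder produces a redirect whose query string carries an extra `standalone` key and whose `native_filters` value no longer matches what was stored; the post-fix builder percent-encodes `&` and `=` (as `%26` and `%3D`, because `parse.urlencode` uses `quote_plus`), so the decoder returns exactly one `native_filters` value equal to the stored one. For the benign value both builders decode to the same dictionary, which is the "transparent for valid input" property the summary relies on.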
@dosubot dosubot Bot added the dashboard Namespace | Anything related to the Dashboard label Jun 2, 2026
@bito-code-review Bot (Contributor) commented Jun 2, 2026

Code Review Agent Run #5addcd

Actionable Suggestions - 0
Review Details
  • Files reviewed - 1 · Commit Range: e1d94c0..e1d94c0
    • superset/views/core.py
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful


@github-actions github-actions Bot added the api Related to the REST API label Jun 2, 2026
@netlify Bot commented Jun 2, 2026

Deploy Preview for superset-docs-preview ready!

Latest commit: e1d94c0
Latest deploy log: https://app.netlify.com/projects/superset-docs-preview/deploys/6a1e2c0473a6a90008ca9572
Deploy Preview: https://deploy-preview-40660--superset-docs-preview.netlify.app

@codecov Bot commented Jun 2, 2026

Codecov Report

❌ Patch coverage is 0% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 63.81%. Comparing base (a183582) to head (e1d94c0).
⚠️ Report is 178 commits behind head on master.

Files with missing lines | Patch % | Lines
superset/views/core.py | 0.00% | 2 Missing ⚠️
@@            Coverage Diff             @@
##           master   #40660      +/-   ##
==========================================
- Coverage   64.18%   63.81%   -0.38%     
==========================================
  Files        2591     2651      +60     
  Lines      138471   142151    +3680     
  Branches    32120    32565     +445     
==========================================
+ Hits        88883    90712    +1829     
- Misses      48056    49876    +1820     
- Partials     1532     1563      +31     
Flag | Coverage Δ
hive | 39.76% <0.00%> (+0.35%) ⬆️
mysql | 58.40% <0.00%> (-0.66%) ⬇️
postgres | 58.48% <0.00%> (-0.66%) ⬇️
presto | 41.36% <0.00%> (+0.27%) ⬆️
python | 59.96% <0.00%> (-0.61%) ⬇️
sqlite | 58.13% <0.00%> (-0.64%) ⬇️
unit | 100.00% <ø> (ø)


@Copilot AI (Contributor) left a comment

Pull request overview

This PR hardens the dashboard_permalink redirect in Superset’s backend (superset/views/core.py) by ensuring permalink-provided dashboard URL parameters are safely URL-encoded, preventing query-parameter injection via specially crafted native_filters values.

Changes:

  • Removed the native_filters special-case concatenation in dashboard_permalink.
  • URL-encode all state.urlParams entries uniformly using urllib.parse.urlencode.
  • Added clarifying inline comments explaining the injection risk and decoding behavior.

Comment thread superset/views/core.py
Comment on lines 865 to +871
if url_params := state.get("urlParams"):
for param_key, param_val in url_params:
if param_key == "native_filters":
# native_filters doesnt need to be encoded here
url = f"{url}&native_filters={param_val}"
else:
params = parse.urlencode([(param_key, param_val)])
url = f"{url}&{params}"
# URL-encode every param value (including native_filters) so a
# value containing '&'/'#'/'=' cannot inject extra parameters
# into the redirect target. Flask decodes the value back on read.
params = parse.urlencode([(param_key, param_val)])
url = f"{url}&{params}"
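Review bot: the two new lines in this hunk (`params = parse.urlencode([(param_key, param_val)])` and `url = f"{url}&{params}"`) are not exercised by any test, and the Codecov comment above reports 0% patch coverage for superset/views/core.py. Since the whole point of the change is the `&`/`#`/`=` case, the PR should carry a parametrized test that stores a native_filters value containing those characters and asserts both that the redirect Location holds exactly one native_filters parameter (expect `%26`, `%23` and `%3D` in the raw Location, as parse.urlencode uses quote_plus) and that request.args decodes it back to the stored value; this PR's description points at tests/integration_tests/dashboards/permalink/api_tests.py, which is the natural home for it. A smaller point: with the special case gone the loop body is the same for every key, so the new comment could state explicitly that native_filters is deliberately no longer exempt, which is the fact the old "doesnt need to be encoded here" comment got wrong.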
@rusackas (Member, Author) replied:

Good call on the test coverage gap. The existing integration test suite for permalink redirects is in tests/integration_tests/core_tests.py. Adding a parametrized test covering reserved characters in native_filters values is a worthwhile follow-up, but out of scope for this focused fix. Will track separately.

@bito-code-review Bot (Contributor) commented:

The provided pr_comments.csv file appears to be empty or contains only a header row with no actual comment data. As a result, I cannot provide specific information about actionable suggestions, discussions, or related comments. Please ensure the file contains the expected review comments for analysis.


Labels: api (Related to the REST API), dashboard (Namespace | Anything related to the Dashboard), size/S

Projects: Status: Needs Review


3 participants