fix: check type of url before performing string actions (apache#19569)

* ensure url is a string * return url if param is a url (cherry picked from commit aa419b8)
preset-io · Apr 7, 2022 · 6b3cd10 · 6b3cd10
1 parent 953327f
commit 6b3cd10
Show file tree

Hide file tree

Showing 2 changed files with 61 additions and 1 deletion.
diff --git a/superset/databases/utils.py b/superset/databases/utils.py
@@ -14,7 +14,7 @@
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
-from typing import Any, Dict, List, Optional
+from typing import Any, Dict, List, Optional, Union
 
 from superset import app
 from superset.models.core import Database
@@ -101,3 +101,23 @@ def get_table_metadata(
         "indexes": keys,
         "comment": table_comment,
     }
+
+
+def make_url_safe(raw_url: Union[str, URL]) -> URL:
+    """
+    Wrapper for SQLAlchemy's make_url(), which tends to raise too detailed of
+    errors, which inevitably find their way into server logs. ArgumentErrors
+    tend to contain usernames and passwords, which makes them non-log-friendly
+    :param raw_url:
+    :return:
+    """
+
+    if isinstance(raw_url, str):
+        url = raw_url.strip()
+        try:
+            return make_url(url)  # noqa
+        except Exception:
+            raise DatabaseInvalidError()  # pylint: disable=raise-missing-from
+
+    else:
+        return raw_url
diff --git a/tests/unit_tests/databases/utils_test.py b/tests/unit_tests/databases/utils_test.py
@@ -0,0 +1,40 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+from sqlalchemy.engine.url import make_url
+from sqlalchemy.orm.session import Session
+
+from superset.databases.utils import make_url_safe
+
+
+def test_make_url_safe_string(app_context: None, session: Session) -> None:
+    """
+    Test converting a string to a safe uri
+    """
+    uri_string = "postgresql+psycopg2://superset:***@127.0.0.1:5432/superset"
+    uri_safe = make_url_safe(uri_string)
+    assert str(uri_safe) == uri_string
+    assert uri_safe == make_url(uri_string)
+
+
+def test_make_url_safe_url(app_context: None, session: Session) -> None:
+    """
+    Test converting a url to a safe uri
+    """
+    uri = make_url("postgresql+psycopg2://superset:***@127.0.0.1:5432/superset")
+    uri_safe = make_url_safe(uri)
+    assert uri_safe == uri