Conversation

@pulpdrew pulpdrew commented Oct 15, 2025

Closes HDX-2607

This PR fixes an error when filtering a dashboard with a JSON (or Dynamic-type) key. Dynamic type values cannot be the LHS of the IN operator, so json.key IN ('value') errors.

To fix, dashboard filter keys are now stringified: toString(json.key) IN ('value'). This fix is applied to all filter keys, regardless of their type, since filter values are always strings as well. The existing query parameter format is retained.

changeset-bot bot commented Oct 15, 2025

🦋 Changeset detected

Latest commit: 64c99be

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 2 packages
Name           Type
@hyperdx/app   Patch
@hyperdx/api   Patch

vercel bot commented Oct 15, 2025

Project: hyperdx-v2-oss-app
Deployment: Ready
Updated (UTC): Oct 15, 2025 8:15pm

@pulpdrew pulpdrew force-pushed the drew/dashboard-filters-json-support branch from ec9365c to 7c44504 Compare October 15, 2025 20:05
claude bot commented Oct 15, 2025

Pull Request Review: Support JSON Keys in Dashboard Filters

This PR fixes an issue where dashboard filters fail when using JSON/Dynamic-type keys by wrapping filter keys with toString() in ClickHouse queries.

Strengths

  1. Clear problem identification and minimal impact solution
  2. Good test coverage with new unit test
  3. Proper separation of concerns with stringifyKeys option
  4. Good inline documentation

CRITICAL: SQL Injection Vulnerability (HIGH SEVERITY)

The filtersToQuery function in searchFilters.tsx (lines 29-31, 37-39) is vulnerable to SQL injection. Values and keys are directly interpolated into SQL without escaping:

  • Values like value') OR 1=1 -- could break out of string literals
  • Keys with malicious SQL aren't sanitized even with toString() wrapping

MUST FIX BEFORE MERGE: Add proper SQL escaping for both keys and values. Escape single quotes and backslashes at minimum.

Other Issues

  1. parseQuery Behavior: Won't correctly parse queries with toString() wrapping - the key will include the toString() prefix
  2. Missing Tests: Need edge case tests for special characters, quotes, backslashes, unicode
  3. Unrelated Change: Removed type=submit from button in DBDashboardPage.tsx line 1086 - was this intentional?

Recommendations

IMMEDIATE:

  • Fix SQL injection vulnerability
  • Add tests for special characters and injection attempts
  • Clarify the button type change

FUTURE:

  • Create SQL sanitization utility in common-utils
  • Update parseQuery to handle toString()-wrapped keys
  • Add integration tests with ClickHouse

Verdict

DO NOT MERGE - Security issue must be fixed first. Core functionality is well-designed but needs proper input sanitization.
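Added example, not HyperDX's code: the stringified clause shape from the PR description, built with the quote and backslash escaping the review above asks for and parsed back by a parser that understands the toString() wrapper. The filter shape, the identifier rule for keys, and the function names are assumptions.

```typescript
// Added example, not HyperDX code. Assumed clause shape (from the PR text):
//   toString(<key>) IN ('v1', 'v2')   with clauses joined by " AND ".
// Keys must match a conservative identifier pattern (an assumption); values
// are escaped as ClickHouse single-quoted literals (backslash, single quote).
export interface DashboardFilter { key: string; values: string[] }
const KEY_RE = /^[A-Za-z_][A-Za-z0-9_.]*$/;
export function escapeLiteral(s: string): string {
  return s.replace(/\\/g, "\\\\").replace(/'/g, "\\'");
}
export function filtersToQuery(filters: DashboardFilter[]): string {
  return filters.filter(f => f.values.length > 0).map(f => {
    if (!KEY_RE.test(f.key)) throw new Error(`invalid filter key: ${f.key}`);
    const vals = f.values.map(v => `'${escapeLiteral(v)}'`).join(", ");
    return `toString(${f.key}) IN (${vals})`;
  }).join(" AND ");
}
// Read one quoted literal at q[i], undoing escapeLiteral; returns [value, next].
function readLiteral(q: string, i: number): [string, number] {
  if (q[i] !== "'") throw new Error(`expected literal at offset ${i}`);
  let out = "";
  for (let j = i + 1; j < q.length; j++) {
    if (q[j] === "\\" && j + 1 < q.length) { out += q[++j]; continue; }
    if (q[j] === "'") return [out, j + 1];
    out += q[j];
  }
  throw new Error("unterminated string literal");
}
// Inverse of filtersToQuery. Scans literals instead of splitting on ", " or
// " AND ", so those sequences inside a value round-trip correctly.
export function parseQuery(q: string): DashboardFilter[] {
  const filters: DashboardFilter[] = []; let i = 0;
  while (i < q.length) {
    const m = /^toString\(([A-Za-z_][A-Za-z0-9_.]*)\) IN \(/.exec(q.slice(i));
    if (!m) throw new Error(`unrecognised clause at offset ${i}`);
    i += m[0].length;
    const values: string[] = [];
    for (;;) {
      const [v, next] = readLiteral(q, i);
      values.push(v); i = next;
      if (q.startsWith(", ", i)) { i += 2; continue; }
      if (q[i] === ")") { i++; break; }
      throw new Error(`expected ',' or ')' at offset ${i}`);
    }
    filters.push({ key: m[1], values });
    if (q.startsWith(" AND ", i)) i += 5;
    else if (i !== q.length) throw new Error(`trailing input at offset ${i}`);
  }
  return filters;
}
```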


github-actions bot commented Oct 15, 2025

E2E Test Results

All tests passed • 25 passed • 3 skipped • 229s

Status Count
✅ Passed 25
❌ Failed 0
⚠️ Flaky 0
⏭️ Skipped 3

<Tooltip withArrow label="Edit Filters" fz="xs" color="gray">
<Button
variant="outline"
type="submit"

pulpdrew (Contributor, Author) commented on the snippet above:

Fixes another issue I noticed - hitting enter anywhere in the dashboard form would open the filters modal.

@pulpdrew pulpdrew requested review from a team and dhable and removed request for a team October 15, 2025 20:28
@pulpdrew pulpdrew merged commit 2d27fe2 into main Oct 16, 2025
12 checks passed