fix(dashboard): validate native-filter data requests against filter targets #40979

Merged: sha174n merged 3 commits into apache:master from sha174n:fix/native-filter-request-validation on Jun 13, 2026
Conversation

sha174n (Contributor) commented Jun 11, 2026

SUMMARY

A dashboard native-filter data request has no associated chart, so the query_context check that keeps embedded requests aligned with the dashboard was not validating the request's columns/metrics for that path. It now resolves the requesting dashboard's native filter (by native_filter_id) and constrains the request to that filter's targets on the targeted dataset:

  • columns and group-by must reference one of the filter's target columns;
  • metrics and order-by terms must be a target column, the filter's configured sort metric (controlValues.sortMetric), or a simple aggregate over a target column;
  • free-form SQL terms and other saved metrics are rejected, and a request that cannot be tied to a native filter fails closed.

Legitimate value, range (MIN/MAX over the target) and sort-by-metric lookups are unaffected. Row-restricting clauses (filter/extras) are intentionally not constrained here: cross-filters legitimately reference other columns and they return no column values; that surface is shared with the chart path.

TESTING INSTRUCTIONS

pytest tests/unit_tests/security/manager_test.py -k native_filter

New unit tests cover: target column allowed, arbitrary column blocked, simple aggregate over target allowed, configured sort metric allowed, arbitrary saved metric blocked, adhoc column/metric blocked, order-by column/adhoc, and a request with no filter context failing closed.

ADDITIONAL INFORMATION

  • Has associated issue:
  • Changes UI
  • Includes DB Migration
  • Introduces new feature or API
  • Removes existing feature or API

🤖 Generated with Claude Code
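As an added illustration of the allow-list described in the summary above (example code written here, not Superset's own implementation from this PR), the following check applies the same rules to a query object and fails closed when no native filter can be resolved. The query-object and native-filter shapes, the helper names, the SIMPLE_AGGREGATES list and the SAMPLE_FILTER config are all assumptions that only loosely mirror Superset's.

```python
# Added illustrative example, not Superset's own code: an allow-list check
# modelled on the rules in the PR description. The query-object and
# native-filter shapes below are assumptions that loosely mirror Superset's.
from typing import Any, Optional

SIMPLE_AGGREGATES = {"MIN", "MAX", "COUNT", "COUNT_DISTINCT", "SUM", "AVG"}


def _metric_allowed(term: Any, targets: set, sort_metric: Optional[str]) -> bool:
    """Metric/order-by term: target column, configured sort metric, or simple aggregate over a target."""
    if isinstance(term, str):
        # Bare name: a target column or the configured sort metric; any other saved metric is rejected.
        return term in targets or (sort_metric is not None and term == sort_metric)
    if isinstance(term, dict):
        # Adhoc metric: only SIMPLE aggregates over a target column; free-form SQL never passes.
        if term.get("expressionType") != "SIMPLE":
            return False
        column = term.get("column") or {}
        return term.get("aggregate") in SIMPLE_AGGREGATES and column.get("column_name") in targets
    return False


def native_filter_query_allowed(query: dict, native_filter: Optional[dict]) -> bool:
    """True only if every column, group-by, metric and order-by term is tied to the filter's targets."""
    if not native_filter:
        return False  # no filter context: fail closed
    targets = {t["column"]["name"] for t in native_filter.get("targets") or [] if t.get("column", {}).get("name")}
    if not targets:
        return False
    sort_metric = (native_filter.get("controlValues") or {}).get("sortMetric")
    # Columns and group-by: plain target column names only; adhoc column dicts are not strings and fail.
    for col in list(query.get("columns") or []) + list(query.get("groupby") or []):
        if not (isinstance(col, str) and col in targets):
            return False
    for metric in query.get("metrics") or []:
        if not _metric_allowed(metric, targets, sort_metric):
            return False
    for term, _ascending in query.get("orderby") or []:
        if not _metric_allowed(term, targets, sort_metric):
            return False
    return True


# Constructed sample filter config (hypothetical): a "country" select filter on dataset 7, sorted by "count".
SAMPLE_FILTER = {
    "id": "NATIVE_FILTER-example", "targets": [{"datasetId": 7, "column": {"name": "country"}}],
    "controlValues": {"sortMetric": "count"},
}
```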

…argets

A dashboard native-filter data request has no associated chart, so the
query_context check previously accepted any payload for it. It now
resolves the requesting dashboard's native filter (by native_filter_id)
and constrains the request to that filter's targets on the targeted
dataset:
- columns and group-by must reference a target column;
- metrics and order-by terms must be a target column, the filter's
  configured sort metric (controlValues.sortMetric), or a simple
  aggregate over a target column;
- free-form SQL terms and other saved metrics are rejected, and a
  request that cannot be tied to a native filter fails closed.

Legitimate value, range (MIN/MAX over target) and sort-by-metric lookups
are unaffected. Row-restricting clauses (filter/extras) are intentionally
not constrained here (cross-filters legitimately reference other columns
and return no column values; that blind-inference surface is shared with
the chart path and tracked separately).

Adds unit coverage for target column, arbitrary column, simple aggregate
over target, configured sort metric, arbitrary saved metric, adhoc
column/metric, order-by column/adhoc, and missing filter context.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
codecov Bot commented Jun 11, 2026

Codecov Report

❌ Patch coverage is 13.11475% with 53 lines in your changes missing coverage. Please review.
✅ Project coverage is 64.28%. Comparing base (74845ea) to head (0323f5a).

Files with missing lines Patch % Lines
superset/security/manager.py 13.11% 51 Missing and 2 partials ⚠️
@@            Coverage Diff             @@
##           master   #40979      +/-   ##
==========================================
- Coverage   64.30%   64.28%   -0.03%     
==========================================
  Files        2657     2657              
  Lines      144060   144120      +60     
  Branches    33216    33235      +19     
==========================================
+ Hits        92641    92642       +1     
- Misses      49797    49852      +55     
- Partials     1622     1626       +4     
Flag Coverage Δ
hive 39.41% <6.55%> (-0.03%) ⬇️
mysql 58.14% <13.11%> (-0.05%) ⬇️
postgres 58.21% <13.11%> (-0.05%) ⬇️
presto 41.00% <6.55%> (-0.04%) ⬇️
python 59.68% <13.11%> (-0.05%) ⬇️
sqlite 57.83% <13.11%> (-0.05%) ⬇️
unit 100.00% <ø> (ø)


sha174n and others added 2 commits June 11, 2026 20:05
Only constrain chartless data requests identified as native-filter lookups
(by the NATIVE_FILTER type marker or a native_filter_id). Other chartless
paths (drill-to-detail, drill-by, samples) carry neither marker and keep
their prior behavior, validated by the datasource-access checks in
raise_for_access. Extract per-query validation into a helper to keep
query_context_modified within complexity limits.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@sha174n sha174n marked this pull request as ready for review June 11, 2026 21:36
@dosubot dosubot Bot added authentication:access-control Related to access control dashboard:native-filters Related to the native filters of the Dashboard labels Jun 11, 2026
bito-code-review Bot (Contributor) commented Jun 11, 2026

Code Review Agent Run #1b3552

Actionable Suggestions - 0
Review Details
  • Files reviewed - 2 · Commit Range: fb64e10..0323f5a
    • superset/security/manager.py
    • tests/unit_tests/security/manager_test.py
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful


rusackas (Member) left a comment

LGTM!

@sha174n sha174n merged commit aa3d2b9 into apache:master Jun 13, 2026
99 checks passed

Labels

authentication:access-control Related to access control dashboard:native-filters Related to the native filters of the Dashboard size/L
