Hi all,

(Apologies if you have written somewhere how to write code snippets and I haven’t read it.)

I’m working on the issue in the subject (the website lgtm.com found some issues with the projects, 5 of which are considered “Errors”). I have 2 questions.

The first error I’m tackling has to do with a possible malicious redirect:

```
if has_access:
    return redirect('/superset/dashboard/{}'.format(dashboard_id))
```

Where the `dashboard_id` comes from the user input:

```
def request_access(self):
    datasources = set()
    dashboard_id = request.args.get('dashboard_id')
    if dashboard_id:
        dash = (
```

One way to deal with that is to verify that the `dashboard_id` is a number (maybe between 0 and some_max_value).

Question 1: Are there existing/standardized ways in the project to deal with this kind of issue?

Question 2: I’m trying to write a unit test to expose this functionality. I’ve written very naively:

```
def test_dashboard_endpoint_malicious_redirect(self):
    resp = self.get_resp(
        '/login/', data=dict(username='admin', password='general'))
    self.assertNotIn('User confirmation needed', resp)
    resp = self.get_resp('/request_access?dashboard_id=0')
    assert resp.status_code == 404
```

and I was expecting the function request_access to be called with a dashboard_id equal to 0, but that doesn’t seem to be the case.

What other unit test can I use as an example?

All the best,
Gianluca Ciccarelli
Data Engineer @ Bolt
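The validation the mail proposes (accept only a plain number in a bounded range, answer 404 otherwise), written as an added, stand-alone example that is not Superset's own code; `MAX_DASHBOARD_ID`, `known_ids` and the test class are assumptions, and the check is kept as pure functions so it can be unit-tested without a login or a Flask test client:

```python
import re
import unittest
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Assumed upper bound for ids ("some_max_value" in the mail).
MAX_DASHBOARD_ID = 10_000_000
_DECIMAL = re.compile(r"[0-9]{1,8}")  # plain ASCII digits only


def parse_dashboard_id(raw: Optional[str]) -> Optional[int]:
    """Return the id as an int, or None unless it is a plain decimal
    number in [0, MAX_DASHBOARD_ID]. str.isdigit() is avoided because it
    accepts non-ASCII digits that int() would then silently convert."""
    if raw is None:
        return None
    raw = raw.strip()
    if not _DECIMAL.fullmatch(raw):
        return None
    value = int(raw)
    return value if 0 <= value <= MAX_DASHBOARD_ID else None


def redirect_target(raw: Optional[str], known_ids: Iterable[int]) -> Optional[str]:
    """Build the redirect path only from a validated id that exists;
    None means the caller should answer 404 instead of redirecting."""
    dashboard_id = parse_dashboard_id(raw)
    if dashboard_id is None or dashboard_id not in set(known_ids):
        return None
    target = "/superset/dashboard/{}".format(dashboard_id)
    # Defence in depth: the target must remain a local path under /superset/.
    parts = urlsplit(target)
    if parts.scheme or parts.netloc or not target.startswith("/superset/"):
        return None
    return target


class RedirectTargetTest(unittest.TestCase):
    KNOWN = {1, 2, 42}  # constructed stand-in for dashboards in the DB

    def test_valid_id_redirects_locally(self):
        self.assertEqual(redirect_target("42", self.KNOWN), "/superset/dashboard/42")

    def test_unknown_or_malformed_id_is_rejected(self):
        for raw in (None, "", "0", "-1", "1e3", "42/../login", "http://x/", "٤٢"):
            self.assertIsNone(redirect_target(raw, self.KNOWN), raw)


if __name__ == "__main__":
    unittest.main()
```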
I’m working on the issue in the subject (the website lgtm.com found some issues with the projects, 5 of which are considered “Errors”). I have 2 questions. The first error I’m tackling has to do with a possible malicious redirect: ``` if has_access: return redirect('/superset/dashboard/{}'.format(dashboard_id)) ``` Where the `dashboard_id` comes from the user input: ``` def request_access(self): datasources = set() dashboard_id = request.args.get('dashboard_id') if dashboard_id: dash = ( ``` One way to deal with that is to verify that the `dashboard_id` is a number (maybe between 0 and some_max_value). Question 1: Are there existing/standardized ways in the project to deal with this kind of issue? Question 2: I’m trying to write a unit test to expose this functionality. I’ve written very naively: ``` def test_dashboard_endpoint_malicious_redirect(self): resp = self.get_resp( '/login/', data=dict(username='admin', password='general')) self.assertNotIn('User confirmation needed', resp) resp = self.get_resp('/request_access?dashboard_id=0') assert resp.status_code == 404 ``` and I was expecting the function request_access to be called with a dashboard_id equal to 0, but that doesn’t seem to be the case. What other unit test can I use as an example? All the best, Gianluca Ciccarelli Data Engineer @ Bolt