dosubot[bot] commented on issue #32677:
URL: https://github.com/apache/superset/issues/32677#issuecomment-2725068257

Hello @AKuzyashin! I'm here to help you with any bugs, questions, or contributions you may have. Let's tackle this together while we wait for a human maintainer.

User input for the `extras.where` and `extras.having` parameters in the `/api/v1/chart/data` endpoint is currently being sanitized using a function called `sanitize_clause`. This function ensures that any potentially unsafe input is cleaned before being used in the query by validating that the clause contains only a single SQL statement, checking for improperly closed or opened multiline comments, ensuring all parentheses are properly matched, and verifying that comment lines end correctly <sup>[[1]](https://github.com/apache/superset/blob/master/superset/viz.py)</sup><sup>[[2]](https://github.com/apache/superset/blob/master/superset/sql_parse.py)</sup>.

Additionally, Apache Superset uses a `SandboxedEnvironment` from Jinja2 to handle and execute Jinja2 templates, providing a sandboxed execution environment to restrict potentially harmful operations <sup>[[3]](https://github.com/apache/superset/blob/master/tests/unit_tests/jinja_context_test.py)</sup>.

If there are concerns about specific vulnerabilities or attack vectors, it might be beneficial to review the current sanitization and sandboxing mechanisms to ensure they are robust against such threats.

   
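The four structural checks the comment above attributes to `sanitize_clause`, as an added illustrative re-implementation written for this thread (it is not Superset's own `sanitize_clause` and makes no claim to match its exact behaviour): it walks the clause outside string literals, rejects a second statement, an unbalanced `/* */` comment or unmatched parentheses, and appends a newline after a trailing `--` comment so the comment cannot swallow whatever the caller concatenates after the clause. Treating any bare semicolon as a statement separator is an assumption that is stricter than a real SQL parser.

```python
class ClauseValidationError(ValueError):
    """A WHERE/HAVING fragment failed one of the structural checks."""

def sanitize_clause(clause: str) -> str:
    """Illustrative validator: one statement, balanced /* */ comments and
    parentheses (all judged outside quoted literals), trailing -- comment closed."""
    depth, i, n = 0, 0, len(clause)
    while i < n:
        ch, two = clause[i], clause[i:i + 2]
        if ch in ("'", '"'):                       # skip a quoted literal ('' escapes)
            j = clause.find(ch, i + 1)
            while j != -1 and clause[j + 1:j + 2] == ch:
                j = clause.find(ch, j + 2)
            if j == -1:
                raise ClauseValidationError("unterminated string literal")
            i = j + 1
        elif two == "/*":                          # block comment must be closed
            end = clause.find("*/", i + 2)
            if end == -1:
                raise ClauseValidationError("unclosed multiline comment")
            i = end + 2
        elif two == "*/":
            raise ClauseValidationError("multiline comment closed but never opened")
        elif two == "--":                          # line comment runs to end of line
            nl = clause.find("\n", i)
            i = n if nl == -1 else nl + 1
        elif ch == ";":                            # assumed: any separator = 2nd statement
            raise ClauseValidationError("clause contains multiple statements")
        else:
            depth += {"(": 1, ")": -1}.get(ch, 0)
            if depth < 0:
                raise ClauseValidationError("unmatched closing parenthesis")
            i += 1
    if depth != 0:
        raise ClauseValidationError("unmatched opening parenthesis")
    # A trailing -- comment would comment out whatever the caller appends after
    # the clause (e.g. a closing parenthesis), so make sure it is terminated.
    if "--" in clause and not clause.endswith("\n"):
        clause += "\n"
    return clause

def is_valid_clause(clause: str) -> bool:
    """True if sanitize_clause accepts the fragment, False if it rejects it."""
    try:
        sanitize_clause(clause)
        return True
    except ClauseValidationError:
        return False
```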