AKuzyashin opened a new issue, #32677:
URL: https://github.com/apache/superset/issues/32677
> Hello Apache Superset team,
>
> I would like to highlight a potential remaining attack vector involving the extras.where parameter.
>
> It appears that passing unsanitized user input directly into extras.where or extras.having (using /api/v1/chart/data) could allow:
>
> SQL Injection: If the input is interpolated into raw SQL without parameterization.
> SSTI (Server-Side Template Injection): If the input is processed via Jinja2 templates without proper sandboxing/validation.
> Example Scenario:
> A malicious actor could craft a WHERE clause like:
>
> `1=1; DELETE FROM your_table; -- `
>
> Or leverage Jinja2 directives (if templates are enabled):
> `{{ 4*'foo' }}`
>
> Let me know if further details or a PoC would be helpful.
>
> @rusackas
_Originally posted by @AKuzyashin in
[#22960](https://github.com/apache/superset/issues/22960#issuecomment-2720254227)_
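As an added illustration of the defensive side of the report above (this is example code written for this page, not Superset's own handling of `extras.where`), the block below shows a pre-check a service could run on a user-supplied WHERE fragment before it is ever concatenated into a query or handed to a template engine. The function name `validate_where_fragment`, the helper `_outside_string_literals`, the probe column list and all sample fragments are assumptions constructed for the demonstration; the two rejected fragments are the ones quoted in the issue. SQLite is used only as a stand-in engine for a dry-run compile against an empty probe table, so syntax errors surface without touching real data.

```python
from __future__ import annotations

import re
import sqlite3

# Constructed sample inputs for the demonstration (not taken from Superset).
PROBE_COLUMNS = ["status", "created_at", "note"]
BENIGN_WHERE = "status = 'active' AND created_at > '2024-01-01'"
QUOTED_SEMICOLON = "note = 'a; b -- not a comment'"  # ';' and '--' inside a literal are data, not syntax
STACKED_WHERE = "1=1; DELETE FROM your_table; -- "    # fragment quoted in the issue
TEMPLATED_WHERE = "{{ 4*'foo' }}"                      # fragment quoted in the issue

JINJA_DELIMITERS = ("{{", "{%", "{#")


def _outside_string_literals(fragment: str) -> str:
    """Return the fragment with every single-quoted SQL literal blanked to ''.

    SQL escapes a quote inside a literal by doubling it (''), so the pattern
    consumes those pairs and does not end the literal early.
    """
    return re.sub(r"'(?:[^']|'')*'", "''", fragment)


def validate_where_fragment(fragment: str, columns: list[str]) -> list[str]:
    """Return the reasons a user-supplied WHERE fragment should be rejected.

    An empty list means the fragment passed every check:
      1. no Jinja delimiters anywhere (user input is never handed to a template engine);
      2. no statement separator or comment marker outside a string literal;
      3. the fragment compiles as a single boolean expression in a dry run
         against an empty probe table that mirrors the dataset's columns.
    """
    problems: list[str] = []
    for delim in JINJA_DELIMITERS:
        if delim in fragment:
            problems.append(f"template delimiter {delim!r} not allowed")
    code = _outside_string_literals(fragment)
    if ";" in code:
        problems.append("statement separator ';' outside a string literal")
    if "--" in code or "/*" in code:
        problems.append("SQL comment marker outside a string literal")
    if problems:
        return problems

    # Dry-run compile: EXPLAIN plans the statement without executing it, and the
    # probe table holds no rows, so nothing can be read or modified here.
    conn = sqlite3.connect(":memory:")
    try:
        cols = ", ".join(f'"{c}" TEXT' for c in columns)
        conn.execute(f"CREATE TABLE probe ({cols})")
        conn.execute(f"EXPLAIN SELECT 1 FROM probe WHERE {fragment}")
    except sqlite3.Error as exc:
        problems.append(f"fragment does not compile as a single WHERE expression: {exc}")
    finally:
        conn.close()
    return problems


if __name__ == "__main__":
    for label, frag in [("benign", BENIGN_WHERE), ("quoted", QUOTED_SEMICOLON),
                        ("stacked", STACKED_WHERE), ("templated", TEMPLATED_WHERE)]:
        verdict = validate_where_fragment(frag, PROBE_COLUMNS)
        print(f"{label:9s} -> {'accepted' if not verdict else verdict}")
```

The literal-aware scan matters because a naive search for `;` or `--` would reject legitimate filters whose string values happen to contain those characters, and the dry-run compile catches anything the character checks miss (a second statement, a dangling comparison, an unknown column). In a deployment the probe schema would be generated from the dataset's column metadata, and this check complements, rather than replaces, the permission and row-level-security controls that decide who may submit a raw WHERE fragment at all.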
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]