bito-code-review[bot] commented on PR #38243:
URL: https://github.com/apache/superset/pull/38243#issuecomment-3960773164
Yes, that's a valid security concern. The current logic allows access if a
parent_slice_id is provided and belongs to the dashboard, but doesn't verify
the child slice_id is legitimately associated with the parent. To address this,
add a check after fetching the parent slice to ensure slice_id is in the
parent's default configuration (e.g., a list of child slice IDs in params).
**superset/security/manager.py**
```python
and (
    slice_id := (
        form_data.get("parent_slice_id")
        or form_data.get("slice_id")
    )
)
and (
    slc := self.session.query(Slice)
    .filter(Slice.id == slice_id)
    .one_or_none()
)
and slc in dashboard_.slices
and (
    # For parent charts, check the datasource directly.
    # For child charts of a multilayer chart the parent has already
    # been validated above, so additionally require the requested child
    # to be one of the parent's declared children.
    slc.datasource == datasource
    or (
        form_data.get("parent_slice_id") is not None
        and (parent_slice_id := form_data.get("parent_slice_id"))
        and (
            parent_slc := self.session.query(Slice)
            .filter(Slice.id == parent_slice_id)
            .one_or_none()
        )
        and parent_slc in dashboard_.slices
        # `slice_id` above holds the parent's id whenever a parent is
        # given, so compare the requested child id, not `slice_id`.
        # `Slice.params` is stored as JSON text; `params_dict` parses it.
        and form_data.get("slice_id")
        in parent_slc.params_dict.get("default_child_slice_ids", [])
    )
)
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
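The authorization gap the comment describes, as an added, stand-alone example rather than code from Superset or from the PR: a request names a dashboard chart as `parent_slice_id` together with an arbitrary `slice_id`, and the original check grants datasource access on the strength of the parent alone. The model below (dataclasses instead of SQLAlchemy rows, an in-memory `slices_by_id` lookup instead of a session query, and a constructed dashboard with one parent chart and its two declared children) is an assumption made only to keep the example runnable offline; the two functions compare the unguarded check with one that also requires the child id to appear in the parent's `default_child_slice_ids`.

```python
import json
from dataclasses import dataclass, field
from typing import Any


@dataclass
class Slice:
    """Constructed stand-in for a chart row: params is JSON text, as in Superset."""
    id: int
    datasource: str
    params: str = "{}"

    @property
    def params_dict(self) -> dict[str, Any]:
        return json.loads(self.params or "{}")


@dataclass
class Dashboard:
    slices: list[Slice] = field(default_factory=list)


def _resolve_parent(form_data, dashboard, slices_by_id):
    """Return the parent slice if one is requested and it belongs to the dashboard."""
    parent_id = form_data.get("parent_slice_id")
    if parent_id is None:
        return None
    parent = slices_by_id.get(parent_id)
    if parent is None or parent not in dashboard.slices:
        return None
    return parent


def can_access_unguarded(form_data, dashboard, slices_by_id, datasource) -> bool:
    """Original logic: a valid parent in the dashboard is enough (the flaw)."""
    slice_id = form_data.get("parent_slice_id") or form_data.get("slice_id")
    slc = slices_by_id.get(slice_id)
    if slc is None or slc not in dashboard.slices:
        return False
    if slc.datasource == datasource:
        return True
    return _resolve_parent(form_data, dashboard, slices_by_id) is not None


def can_access_guarded(form_data, dashboard, slices_by_id, datasource) -> bool:
    """Hardened logic: the requested child must be declared by the parent."""
    slice_id = form_data.get("parent_slice_id") or form_data.get("slice_id")
    slc = slices_by_id.get(slice_id)
    if slc is None or slc not in dashboard.slices:
        return False
    if slc.datasource == datasource:
        return True
    parent = _resolve_parent(form_data, dashboard, slices_by_id)
    if parent is None:
        return False
    # Compare the child id the caller asked for, not the resolved parent id.
    child_id = form_data.get("slice_id")
    return child_id in parent.params_dict.get("default_child_slice_ids", [])


# Constructed sample data: parent chart 10 declares children 11 and 12;
# chart 99 is unrelated to the dashboard and reads a different datasource.
PARENT = Slice(10, "sales", json.dumps({"default_child_slice_ids": [11, 12]}))
CHILD = Slice(11, "sales_detail")
OUTSIDER = Slice(99, "hr_salaries")
DASHBOARD = Dashboard(slices=[PARENT, CHILD])
SLICES_BY_ID = {s.id: s for s in (PARENT, CHILD, OUTSIDER)}

LEGIT_REQUEST = {"parent_slice_id": 10, "slice_id": 11}
FORGED_REQUEST = {"parent_slice_id": 10, "slice_id": 99}


def demo() -> dict[str, bool]:
    """Evaluate both checks for a legitimate and a forged child request."""
    return {
        "legit_unguarded": can_access_unguarded(LEGIT_REQUEST, DASHBOARD, SLICES_BY_ID, "sales_detail"),
        "legit_guarded": can_access_guarded(LEGIT_REQUEST, DASHBOARD, SLICES_BY_ID, "sales_detail"),
        "forged_unguarded": can_access_unguarded(FORGED_REQUEST, DASHBOARD, SLICES_BY_ID, "hr_salaries"),
        "forged_guarded": can_access_guarded(FORGED_REQUEST, DASHBOARD, SLICES_BY_ID, "hr_salaries"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The forged request shows why the membership check has to be against the requested `slice_id` rather than the id resolved from `parent_slice_id or slice_id`: the resolved id is the parent's own, which is never in its child list, so a check written against it would deny legitimate children as well.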