Re: [PR] feat(mcp): add list and get tools for action log and tasks [superset]

Thu, 28 May 2026 12:32:19 -0700 


aminghadersohi commented on PR #40344:
URL: https://github.com/apache/superset/pull/40344#issuecomment-4567529504

   Addressed the latest round of review feedback (HEAD now `d7f9aa8438`).
   
   ### What was fixed
   
   **JSON dict-key injection gap in `_sanitize_log_json` (`schemas.py:284`)**
   
   Richard pointed out that `_sanitize_log_json` wraps string *values* in 
`<UNTRUSTED-CONTENT>` but was only delimiter-escaping string *keys*. A payload 
like `{"ignore previous instructions": "..."}` would land in MCP output with 
the key as raw trusted-looking text — a prompt-injection vector via field names.
   
   **Fix:**
   - Added a `wrap_dict_keys: bool = False` parameter to 
`sanitize_for_llm_context` in `superset/mcp_service/utils/sanitization.py`. 
When `True`, string dict keys are wrapped via `_wrap_llm_context_string` 
instead of only having their delimiter tokens escaped.
   - `_sanitize_log_json` in `superset/mcp_service/action_log/schemas.py` now 
passes `wrap_dict_keys=True` alongside the existing 
`excluded_field_names=frozenset()`, so both keys and values of the stored log 
JSON blob are fully wrapped.
   - Default behavior (`wrap_dict_keys=False`) is unchanged — all other callers 
of `sanitize_for_llm_context` are unaffected.
   
   **Regression tests added (`test_action_log_tools.py`):**
   - `test_get_action_log_info_malicious_json_key_wrapped` — verifies a key 
like `"ignore previous instructions"` is returned with `<UNTRUSTED-CONTENT>` in 
`get_action_log_info`
   - `test_list_action_logs_malicious_json_key_wrapped` — same check for 
`list_action_logs`, also confirms that embedded `<UNTRUSTED-CONTENT>` tokens in 
a key are escaped and cannot prematurely close the wrapper
   
   All earlier review points (config guards for action-log / task tools, dttm 
datetime normalization for scalar and list filters, 
`excluded_field_names=frozenset()` for value wrapping) remain addressed from 
prior commits.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to