Skip to content

fix: ensure datasource permission in explore #32679

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 18, 2025
Merged

fix: ensure datasource permission in explore #32679

merged 1 commit into from
Mar 18, 2025

Conversation

hxtmdev
Copy link
Contributor

@hxtmdev hxtmdev commented Mar 14, 2025

SUMMARY

Problem: The /explore command does not validate if datasource access is permitted.

Source:

superset/superset/commands/explore/get.py

Line 123 in 15cf066

security_manager.can_access_datasource(datasource)

The intention seems to be to raise_for_access but instead the boolean result is simply discarded.

Result: Metadata about inaccessible datasources is disclosed, including names, can be enumerated through
/explore/?datasource_type=table&datasource_id=COUNTER

TESTING INSTRUCTIONS

open /explore/?datasource_type=table&datasource_id=X with(out) permissions and observe datasource name

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

@dosubot dosubot bot added authentication:access-control Rlated to access control explore Namespace | Anything related to Explore labels Mar 14, 2025
korbit-ai[bot]
korbit-ai bot reviewed Mar 14, 2025
View reviewed changes
Copy link

@korbit-ai korbit-ai bot left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've completed my review and didn't find any issues.

Files scanned
File Path Reviewed
superset/commands/explore/get.py

Explore our documentation to understand the languages and file types we support and the files we ignore.

Need a new review? Comment /korbit-review on this PR and I'll review your latest changes.

Korbit Guide: Usage and Customization

Interacting with Korbit

  • You can manually ask Korbit to review your PR using the /korbit-review command in a comment at the root of your PR.
  • You can ask Korbit to generate a new PR description using the /korbit-generate-pr-description command in any comment on your PR.
  • Too many Korbit comments? I can resolve all my comment threads if you use the /korbit-resolve command in any comment on your PR.
  • On any given comment that Korbit raises on your pull request, you can have a discussion with Korbit by replying to the comment.
  • Help train Korbit to improve your reviews by giving a 👍 or 👎 on the comments Korbit posts.

Customizing Korbit

  • Check out our docs on how you can make Korbit work best for you and your team.
  • Customize Korbit for your organization through the Korbit Console.

Current Korbit Configuration

General Settings
Setting Value
Review Schedule Automatic excluding drafts
Max Issue Count 10
Automatic PR Descriptions
Issue Categories
Category Enabled
Documentation
Logging
Error Handling
Readability
Design
Performance
Security
Functionality

Feedback and Support

Note

Korbit Pro is free for open source projects 🎉

Looking to add Korbit to your team? Get started with a free 2 week trial here

github-actions[bot]
github-actions bot reviewed Mar 14, 2025
View reviewed changes
Copy link
Contributor

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Congrats on making your first PR and thank you for contributing to Superset! 🎉 ❤️

We hope to see you in our Slack community too! Not signed up? Use our Slack App to self-register.

@hxtmdev
Copy link
Contributor Author

hxtmdev commented Mar 14, 2025

/cc @betodealmeida

@betodealmeida
Copy link
Member

Thank you for the fix, @hxtmdev! ❤️

@codecov Codecov
Copy link

codecov bot commented Mar 14, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 83.43%. Comparing base (76d897e) to head (7b9a16b).
Report is 1658 commits behind head on master.

Additional details and impacted files 
@@             Coverage Diff             @@
##           master   #32679       +/-   ##
===========================================
+ Coverage   60.48%   83.43%   +22.95%     
===========================================
  Files        1931      549     -1382     
  Lines       76236    39424    -36812     
  Branches     8568        0     -8568     
===========================================
- Hits        46114    32895    -13219     
+ Misses      28017     6529    -21488     
+ Partials     2105        0     -2105
Flag Coverage Δ
hive 48.45% <0.00%> (-0.71%) ⬇️
javascript ?
mysql 75.66% <100.00%> (?)
postgres 75.73% <100.00%> (?)
presto 52.93% <0.00%> (-0.87%) ⬇️
python 83.43% <100.00%> (+19.93%) ⬆️
sqlite 75.25% <100.00%> (?)
unit 61.38% <0.00%> (+3.75%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@rusackas
Copy link
Member

Happy to merge if you can get it to pass CI :) Thanks for contributing!

@betodealmeida betodealmeida merged commit 9e30529 into apache:master Mar 18, 2025
44 checks passed
@michael-s-molina michael-s-molina added the v5.0 Label added by the release manager to track PRs to be included in the 5.0 branch label Mar 20, 2025
michael-s-molina pushed a commit that referenced this pull request Mar 20, 2025
@hxtmdev @michael-s-molina
fix: ensure datasource permission in explore (#32679)
6917362 
(cherry picked from commit 9e30529)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

@korbit-ai korbit-ai[bot] korbit-ai[bot] left review comments

@betodealmeida betodealmeida betodealmeida approved these changes

Assignees
No one assigned
Labels
authentication:access-control Rlated to access control explore Namespace | Anything related to Explore size/XS v5.0 Label added by the release manager to track PRs to be included in the 5.0 branch
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@hxtmdev @betodealmeida @rusackas @michael-s-molina