mirror of https://github.com/apache/superset.git
fix(chart-data-api): ignore missing filters (#11112)
parent
fa5dab85c4
commit
ada66e30dd
|
@ -237,7 +237,6 @@ class QueryContext:
|
||||||
col
|
col
|
||||||
for col in query_obj.columns
|
for col in query_obj.columns
|
||||||
+ query_obj.groupby
|
+ query_obj.groupby
|
||||||
+ [flt["col"] for flt in query_obj.filter]
|
|
||||||
+ utils.get_column_names_from_metrics(query_obj.metrics)
|
+ utils.get_column_names_from_metrics(query_obj.metrics)
|
||||||
if col not in self.datasource.column_names
|
if col not in self.datasource.column_names
|
||||||
]
|
]
|
||||||
|
|
|
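Review bot: With `[flt["col"] for flt in query_obj.filter]` dropped from this list, filter column names taken from the request are no longer compared against `self.datasource.column_names` here, and nothing in the hunk shows where an unknown one is discarded afterwards. The commit title implies such filters are ignored later, presumably when the datasource builds the query; please confirm that path skips the whole filter before its column name reaches SQL generation, rather than relying on quoting alone. A comment above the comprehension would keep the omission from looking accidental, for example `# filter columns are deliberately not validated here; filters on unknown columns are dropped when the query is built`. The enclosing method starts and ends outside the hunk.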
@ -855,6 +855,22 @@ class TestChartApi(SupersetTestCase, ApiOwnersTestCaseMixin):
|
||||||
self.assertIn("sum__num__yhat_lower", row)
|
self.assertIn("sum__num__yhat_lower", row)
|
||||||
self.assertEqual(result["rowcount"], 47)
|
self.assertEqual(result["rowcount"], 47)
|
||||||
|
|
||||||
|
def test_chart_data_query_missing_filter(self):
|
||||||
|
"""
|
||||||
|
Chart data API: Ensure filter referencing missing column is ignored
|
||||||
|
"""
|
||||||
|
self.login(username="admin")
|
||||||
|
table = self.get_table_by_name("birth_names")
|
||||||
|
request_payload = get_query_context(table.name, table.id, table.type)
|
||||||
|
request_payload["queries"][0]["filters"] = [
|
||||||
|
{"col": "non_existent_filter", "op": "==", "val": "foo"},
|
||||||
|
]
|
||||||
|
request_payload["result_type"] = utils.ChartDataResultType.QUERY
|
||||||
|
rv = self.post_assert_metric(CHART_DATA_URI, request_payload, "data")
|
||||||
|
self.assertEqual(rv.status_code, 200)
|
||||||
|
response_payload = json.loads(rv.data.decode("utf-8"))
|
||||||
|
assert "non_existent_filter" not in response_payload["result"][0]["query"]
|
||||||
|
|
||||||
def test_chart_data_no_data(self):
|
def test_chart_data_no_data(self):
|
||||||
"""
|
"""
|
||||||
Chart data API: Test chart data with empty result
|
Chart data API: Test chart data with empty result
|
||||||
|
|
|
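Review bot: `test_chart_data_query_missing_filter` only covers a benign column name, while the same commit deletes `test_sql_injection_via_filters`, which sent `{"col": "*", "op": FilterOperator.EQUALS.value, "val": ";"}`; after this change no visible test pins what happens to that payload. I would add a second case that posts that filter through `CHART_DATA_URI` and asserts it leaves no trace in `response_payload["result"][0]["query"]`, so the ignore path is shown to hold for hostile-shaped names as well as missing ones. As a smaller point of style, the last line uses a bare `assert` next to `self.assertEqual`; `self.assertNotIn("non_existent_filter", response_payload["result"][0]["query"])` matches the rest of the test and prints the query on failure.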
@ -211,23 +211,6 @@ class TestQueryContext(SupersetTestCase):
|
||||||
query_payload = query_context.get_payload()
|
query_payload = query_context.get_payload()
|
||||||
assert query_payload[0].get("error") is not None
|
assert query_payload[0].get("error") is not None
|
||||||
|
|
||||||
def test_sql_injection_via_filters(self):
|
|
||||||
"""
|
|
||||||
Ensure that calling invalid columns names in filters are caught
|
|
||||||
"""
|
|
||||||
self.login(username="admin")
|
|
||||||
table_name = "birth_names"
|
|
||||||
table = self.get_table_by_name(table_name)
|
|
||||||
payload = get_query_context(table.name, table.id, table.type)
|
|
||||||
payload["queries"][0]["groupby"] = ["name"]
|
|
||||||
payload["queries"][0]["metrics"] = []
|
|
||||||
payload["queries"][0]["filters"] = [
|
|
||||||
{"col": "*", "op": FilterOperator.EQUALS.value, "val": ";"}
|
|
||||||
]
|
|
||||||
query_context = ChartDataQueryContextSchema().load(payload)
|
|
||||||
query_payload = query_context.get_payload()
|
|
||||||
assert query_payload[0].get("error") is not None
|
|
||||||
|
|
||||||
def test_sql_injection_via_metrics(self):
|
def test_sql_injection_via_metrics(self):
|
||||||
"""
|
"""
|
||||||
Ensure that calling invalid columns names in filters are caught
|
Ensure that calling invalid columns names in filters are caught
|
||||||
|
|