chore: blacklist unsafe functions (#19537)

2022-04-05 14:55:30 -07:00 · 2022-04-05 14:55:30 -07:00 · 1b4d8ddf71
parent 3f7b768c5b
commit 1b4d8ddf71
4 changed files with 11 additions and 5 deletions
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -51,3 +51,9 @@ repos:
      - id: prettier
        args: ['--ignore-path=./superset-frontend/.prettierignore']
        files: 'superset-frontend'
+  # blacklist unsafe functions like make_url (see #19526)
+  - repo: https://github.com/skorokithakis/blacklist-pre-commit-hook
+    rev: e2f070289d8eddcaec0b580d3bde29437e7c8221
+    hooks:
+      - id: blacklist
+        args: ["--blacklisted-names=make_url", "--ignore=tests/"]
--- a/superset/databases/utils.py
+++ b/superset/databases/utils.py
@ -113,6 +113,6 @@ def make_url_safe(raw_url: str) -> URL:
    :return:
    """
    try:
-        return make_url(raw_url.strip())
+        return make_url(raw_url.strip())  # noqa
    except Exception:
        raise DatabaseInvalidError()  # pylint: disable=raise-missing-from
--- a/superset/migrations/versions/620241d1153f_update_time_grain_sqla.py
+++ b/superset/migrations/versions/620241d1153f_update_time_grain_sqla.py
@ -30,10 +30,10 @@ import json

 from alembic import op
 from sqlalchemy import Column, ForeignKey, Integer, Text
-from sqlalchemy.engine.url import make_url
 from sqlalchemy.ext.declarative import declarative_base

 from superset import db, db_engine_specs
+from superset.databases.utils import make_url_safe
 from superset.utils.memoized import memoized

 Base = declarative_base()
@ -46,7 +46,7 @@ class Database(Base):
    sqlalchemy_uri = Column(Text)

    def grains(self):
-        url = make_url(self.sqlalchemy_uri)
+        url = make_url_safe(self.sqlalchemy_uri)
        backend = url.get_backend_name()
        db_engine_spec = db_engine_specs.engines.get(
            backend, db_engine_specs.BaseEngineSpec
--- a/superset/migrations/versions/b8d3a24d9131_new_dataset_models.py
+++ b/superset/migrations/versions/b8d3a24d9131_new_dataset_models.py
@ -31,7 +31,6 @@ from uuid import uuid4
 import sqlalchemy as sa
 from alembic import op
 from sqlalchemy import and_, inspect, or_
-from sqlalchemy.engine.url import make_url
 from sqlalchemy.ext.declarative import declarative_base
 from sqlalchemy.orm import backref, relationship, Session
 from sqlalchemy.schema import UniqueConstraint
@ -39,6 +38,7 @@ from sqlalchemy_utils import UUIDType

 from superset import app, db
 from superset.connectors.sqla.models import ADDITIVE_METRIC_TYPES
+from superset.databases.utils import make_url_safe
 from superset.extensions import encrypted_field_factory
 from superset.migrations.shared.utils import extract_table_references
 from superset.models.core import Database as OriginalDatabase
@ -323,7 +323,7 @@ def after_insert(target: SqlaTable) -> None:  # pylint: disable=too-many-locals
    )
    if not database:
        return
-    url = make_url(database.sqlalchemy_uri)
+    url = make_url_safe(database.sqlalchemy_uri)
    dialect_class = url.get_dialect()
    conditional_quote = dialect_class().identifier_preparer.quote