diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 2429a0153f009..b43e10c2cb784 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -51,3 +51,9 @@ repos: - id: prettier args: ['--ignore-path=./superset-frontend/.prettierignore'] files: 'superset-frontend' + # blacklist unsafe functions like make_url (see #19526) + - repo: https://github.com/skorokithakis/blacklist-pre-commit-hook + rev: e2f070289d8eddcaec0b580d3bde29437e7c8221 + hooks: + - id: blacklist + args: ["--blacklisted-names=make_url", "--ignore=tests/"] diff --git a/superset/databases/utils.py b/superset/databases/utils.py index cf54f6da6aecf..5d22e5fe5c914 100644 --- a/superset/databases/utils.py +++ b/superset/databases/utils.py @@ -113,6 +113,6 @@ def make_url_safe(raw_url: str) -> URL: :return: """ try: - return make_url(raw_url.strip()) + return make_url(raw_url.strip()) # noqa except Exception: raise DatabaseInvalidError() # pylint: disable=raise-missing-from diff --git a/superset/migrations/versions/620241d1153f_update_time_grain_sqla.py b/superset/migrations/versions/620241d1153f_update_time_grain_sqla.py index 560b6106f4921..97bea8f9d142e 100644 --- a/superset/migrations/versions/620241d1153f_update_time_grain_sqla.py +++ b/superset/migrations/versions/620241d1153f_update_time_grain_sqla.py @@ -30,10 +30,10 @@ from alembic import op from sqlalchemy import Column, ForeignKey, Integer, Text -from sqlalchemy.engine.url import make_url from sqlalchemy.ext.declarative import declarative_base from superset import db, db_engine_specs +from superset.databases.utils import make_url_safe from superset.utils.memoized import memoized Base = declarative_base() @@ -46,7 +46,7 @@ class Database(Base): sqlalchemy_uri = Column(Text) def grains(self): - url = make_url(self.sqlalchemy_uri) + url = make_url_safe(self.sqlalchemy_uri) backend = url.get_backend_name() db_engine_spec = db_engine_specs.engines.get( backend, db_engine_specs.BaseEngineSpec diff --git a/superset/migrations/versions/b8d3a24d9131_new_dataset_models.py b/superset/migrations/versions/b8d3a24d9131_new_dataset_models.py index 75f5293034ead..533f8a9fdcbe2 100644 --- a/superset/migrations/versions/b8d3a24d9131_new_dataset_models.py +++ b/superset/migrations/versions/b8d3a24d9131_new_dataset_models.py @@ -31,7 +31,6 @@ import sqlalchemy as sa from alembic import op from sqlalchemy import and_, inspect, or_ -from sqlalchemy.engine.url import make_url from sqlalchemy.ext.declarative import declarative_base from sqlalchemy.orm import backref, relationship, Session from sqlalchemy.schema import UniqueConstraint @@ -39,6 +38,7 @@ from superset import app, db from superset.connectors.sqla.models import ADDITIVE_METRIC_TYPES +from superset.databases.utils import make_url_safe from superset.extensions import encrypted_field_factory from superset.migrations.shared.utils import extract_table_references from superset.models.core import Database as OriginalDatabase @@ -323,7 +323,7 @@ def after_insert(target: SqlaTable) -> None: # pylint: disable=too-many-locals ) if not database: return - url = make_url(database.sqlalchemy_uri) + url = make_url_safe(database.sqlalchemy_uri) dialect_class = url.get_dialect() conditional_quote = dialect_class().identifier_preparer.quote