korbit-ai[bot] commented on code in PR #31998:
URL: https://github.com/apache/superset/pull/31998#discussion_r1930664290
##########
superset-frontend/plugins/plugin-chart-handlebars/src/components/Handlebars/HandlebarsViewer.tsx:
##########
@@ -99,5 +99,18 @@ Handlebars.registerHelper(
},
);
+// usage: {{parseJson jsonString}}
+Handlebars.registerHelper('parseJson', (jsonString: string) => {
+ try {
+ return JSON.parse(jsonString);
+ } catch (error) {
+ if (error instanceof Error) {
+ error.message = `Invalid JSON string: ${error.message}`;
+ throw error;
+ }
+ throw new Error(`Invalid JSON string: ${String(error)}`);
+ }
+});
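Review bot: the helper hands `jsonString` straight to `JSON.parse` without checking that it is a string, so a missing or non-string template value is coerced by `JSON.parse` and surfaces as `Invalid JSON string: ...` instead of a message saying the argument was not a string; add `if (typeof jsonString !== 'string') { throw new TypeError('parseJson expects a string'); }` ahead of the `try`. Two smaller points on the same hunk: the `// usage: {{parseJson jsonString}}` comment shows the helper in a plain mustache, but the helper returns the parsed object rather than a string, so the usage line should show the subexpression form a template actually needs, e.g. `{{#with (parseJson jsonString)}}` or `{{lookup (parseJson jsonString) "key"}}`; and since `JSON.parse` keeps a `__proto__` key as an own property of the returned object (it does not touch `Object.prototype`), a short comment noting that the result must not be fed into a recursive merge would save the next reader from either over- or under-estimating the risk.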
Review Comment:
### Unsafe JSON parsing without input validation
<details>
<summary>Tell me more</summary>
###### What is the issue?
The parseJson helper accepts untrusted input and parses it as JSON without
validation, which could lead to prototype pollution or injection attacks if
malicious JSON is provided.
###### Why this matters
JSON.parse() can be exploited through carefully crafted payloads to modify
JavaScript object prototypes or inject malicious content. This is especially
risky in a template system where the output may be rendered to users.
###### Suggested change ∙ *Feature Preview*
```typescript
Handlebars.registerHelper('parseJson', (jsonString: string) => {
  if (typeof jsonString !== 'string') {
    throw new Error('Input must be a string');
  }
  // Consider adding a JSON schema validation here if structure is known
  try {
    const parsed = JSON.parse(jsonString);
    // Optional: freeze the top-level object to prevent modifications
    // (Object.freeze is shallow; nested values stay writable)
    return Object.freeze(parsed);
  } catch (error) {
    if (error instanceof Error) {
      error.message = `Invalid JSON string: ${error.message}`;
      throw error;
    }
    throw new Error(`Invalid JSON string: ${String(error)}`);
  }
});
```
</details>
<sub>💡 Does this comment miss the mark? [Tell us why](https://app.korbit.ai/feedback/aa91ff46-6083-4491-9416-b83dd1994b51/dae8661f-fdf3-4d81-ab80-f64d3b8d2440?suggestedFixEnabled=true) and Korbit will adapt to your team's feedback.
💬 Chat with Korbit by mentioning @korbit-ai.
</sub>
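The comment above raises prototype pollution against `JSON.parse`. The following is an added example, written for this page and not code from Superset or from the bot's suggestion, that separates the two halves of that concern in TypeScript: `JSON.parse` turns a `"__proto__"` key into an ordinary own property and leaves `Object.prototype` alone, whereas a naive recursive merge of the parsed value does write to `Object.prototype`. It also shows the hardened helper the review asks for (type guard plus a reviver that drops `__proto__`, `constructor` and `prototype` keys) and that `Object.freeze` is shallow. `parseJsonSafe`, `deepFreeze`, `naiveMerge`, `DANGEROUS_KEYS` and `POLLUTION_PAYLOAD` are hypothetical names, and the payload is constructed for illustration.

```typescript
// Added example, not Superset's code. Demonstrates where prototype pollution
// does and does not happen around JSON.parse, plus a hardened parseJson helper.
// All names and the payload below are constructed for illustration.

// Keys that a recursive merge could use to reach Object.prototype.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hypothetical hardened version of the helper in the patch.
function parseJsonSafe(jsonString: unknown): unknown {
  // The template engine hands the helper whatever the expression resolved to,
  // so refuse non-strings instead of letting JSON.parse coerce them.
  if (typeof jsonString !== 'string') {
    throw new TypeError(`parseJson expects a string, got ${typeof jsonString}`);
  }
  try {
    // Returning undefined from the reviver deletes that key from the result.
    return JSON.parse(jsonString, (key, value) =>
      DANGEROUS_KEYS.has(key) ? undefined : value,
    );
  } catch (error) {
    const detail = error instanceof Error ? error.message : String(error);
    throw new Error(`Invalid JSON string: ${detail}`);
  }
}

// Recursive freeze; Object.freeze on its own only freezes the top level.
function deepFreeze(value: unknown): unknown {
  if (value !== null && typeof value === 'object' && !Object.isFrozen(value)) {
    Object.freeze(value);
    for (const key of Object.keys(value)) {
      deepFreeze((value as Record<string, unknown>)[key]);
    }
  }
  return value;
}

// A naive recursive merge of the kind found in many utility libraries.
// This is where a "__proto__" key becomes a write to Object.prototype.
function naiveMerge(target: Record<string, any>, source: Record<string, any>): Record<string, any> {
  for (const key of Object.keys(source)) {
    const incoming = source[key];
    if (incoming !== null && typeof incoming === 'object' && !Array.isArray(incoming)) {
      // For key "__proto__", target[key] resolves to Object.prototype itself.
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      naiveMerge(target[key], incoming);
    } else {
      target[key] = incoming;
    }
  }
  return target;
}

// Constructed payload standing in for an attacker-controlled template value.
const POLLUTION_PAYLOAD = '{"__proto__": {"polluted": true}, "name": "chart"}';

// JSON.parse alone: the key lands as an own property, the result's prototype
// is the normal Object.prototype, and fresh objects are unaffected.
function parseAloneDoesNotPollute(): boolean {
  const parsed = JSON.parse(POLLUTION_PAYLOAD);
  const ownKey = Object.prototype.hasOwnProperty.call(parsed, '__proto__');
  const normalProto = Object.getPrototypeOf(parsed) === Object.prototype;
  const untouched = ({} as any).polluted === undefined;
  return ownKey && normalProto && untouched;
}

// Same payload through naiveMerge: every object now reports polluted === true.
// The pollution is undone before returning so the process is left clean.
function mergeOfUnfilteredParsePollutes(): { pollutedAfterMerge: boolean; cleaned: boolean } {
  naiveMerge({}, JSON.parse(POLLUTION_PAYLOAD));
  const pollutedAfterMerge = ({} as any).polluted === true;
  delete (Object.prototype as any).polluted;
  const cleaned = ({} as any).polluted === undefined;
  return { pollutedAfterMerge, cleaned };
}

// With the reviver in place, the dangerous key never reaches the merge.
function mergeOfSafeParseIsClean(): boolean {
  const safe = parseJsonSafe(POLLUTION_PAYLOAD) as Record<string, any>;
  naiveMerge({}, safe);
  const clean = ({} as any).polluted === undefined;
  const keyDropped = !Object.prototype.hasOwnProperty.call(safe, '__proto__');
  return clean && keyDropped && safe.name === 'chart';
}

// Object.freeze is shallow; nested objects stay writable unless deepFreeze is used.
function freezeDepth(): { shallowNestedFrozen: boolean; deepNestedFrozen: boolean } {
  const shallow = Object.freeze(JSON.parse('{"nested": {"a": 1}}') as { nested: object });
  const deep = deepFreeze(JSON.parse('{"nested": {"a": 1}}')) as { nested: object };
  return {
    shallowNestedFrozen: Object.isFrozen(shallow.nested),
    deepNestedFrozen: Object.isFrozen(deep.nested),
  };
}
```

Inside a Handlebars template the parsed value is only read (property lookup, `#each`, `#with`), which is the `parseAloneDoesNotPollute` case; the reviver matters once the helper's output is handed to code that merges it into another object. Dropping `constructor` and `prototype` keys is a deliberate trade-off for untrusted input, and the type guard belongs before the `try` so that a non-string argument is reported as such rather than as malformed JSON.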
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]