korbit-ai[bot] commented on code in PR #32610:
URL: https://github.com/apache/superset/pull/32610#discussion_r1990446396


##########
superset/db_engine_specs/clickhouse.py:
##########
@@ -414,3 +417,15 @@ def _mutate_label(label: str) -> str:
         :return: Conditionally mutated label
         """
         return f"{label}_{md5_sha_from_str(label)[:6]}"
+    
+    @classmethod
+    def adjust_engine_params(
+        cls,
+        uri: URL,
+        connect_args: dict[str, Any],
+        catalog: str | None = None,
+        schema: str | None = None,
+    ) -> tuple[URL, dict[str, Any]]:
+        if schema:
+            uri = uri.set(database=parse.quote(schema, safe=""))
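Review bot: `adjust_engine_params` accepts a `catalog` argument that none of the visible lines read, and unlike `_mutate_label` directly above it the method has no docstring; a one-line docstring saying what `catalog` means for ClickHouse (or that it is intentionally ignored) and that `schema` is mapped onto the URL's database component would spare the next reader a trip to the base class. Separately, `parse.quote(schema, safe="")` writes the percent-encoded name into a structured `URL` object rather than into a string that is re-parsed, so a schema such as `my db` lands in `uri.database` as `my%20db`; whether the dialect then reads that attribute as-is (sending the encoded form to the server) or renders and re-parses the URL (decoding it) decides whether the quoting is protective or corrupting, so a test with a space or `/` in the schema name would pin that down.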

Review Comment:
   ### Unvalidated schema name in database connection <sub>![category Security](https://img.shields.io/badge/Security-e11d48)</sub>
   
   <details>
     <summary>Tell me more</summary>
   
   ###### What is the issue?
   The schema parameter is directly used in a database connection URI with only 
URL encoding but no input validation.
   
   ###### Why this matters
   Without proper validation, malicious schema names could potentially be used 
for SQL injection or path traversal attacks depending on how ClickHouse handles 
database names.
   
   ###### Suggested change ∙ *Feature Preview*
   Add input validation before using the schema parameter:
   ```python
   import re
   from typing import Any
   from urllib import parse

   from sqlalchemy.engine import URL


   def is_valid_schema_name(schema: str) -> bool:
       # fullmatch, not match: with match, a trailing '$' still accepts "name\n"
       return bool(re.fullmatch(r'[a-zA-Z0-9_-]+', schema))

   # Method body for the engine spec class shown in the diff above.
   @classmethod
   def adjust_engine_params(cls, uri: URL, connect_args: dict[str, Any],
       catalog: str | None = None, schema: str | None = None,
   ) -> tuple[URL, dict[str, Any]]:
       if schema:
           if not is_valid_schema_name(schema):
               raise ValueError('Invalid schema name')
           uri = uri.set(database=parse.quote(schema, safe=''))
       return uri, connect_args
   ```
   
   
   </details>
   
   
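The distinction the comment above draws, percent-encoding versus validating the schema name, is easy to see without a database. The following is an added, stand-alone illustration, not Superset code and not part of the review thread: it runs the allowlist check from the suggested fix and the bare `parse.quote` call over constructed schema names, and also shows why the check has to use `re.fullmatch` (an anchored `re.match` with `$` still accepts a name ending in a newline). The sample names are made up for this example; the `triage` helper is mine, not an API of the project.

```python
import re
from urllib import parse

# Allowlist from the suggested fix: ASCII letters, digits, underscore, hyphen.
# Note this is stricter than the database itself (which accepts quoted
# identifiers with other characters), so legitimate names can be rejected.
SCHEMA_NAME_RE = re.compile(r"[A-Za-z0-9_-]+")


def is_valid_schema_name(schema: str) -> bool:
    """Allowlist check; fullmatch covers the whole string, newline included."""
    return bool(SCHEMA_NAME_RE.fullmatch(schema))


def is_valid_schema_name_dollar_anchor(schema: str) -> bool:
    """The pitfall: '$' also matches just before a trailing newline."""
    return bool(re.match(r"^[A-Za-z0-9_-]+$", schema))


def database_component(schema: str) -> str:
    """What the diff does today: encode for a URL path, reject nothing."""
    return parse.quote(schema, safe="")


def checked_database_component(schema: str) -> str:
    """What the suggested fix does: validate first, then encode."""
    if not is_valid_schema_name(schema):
        raise ValueError(f"invalid schema name: {schema!r}")
    return parse.quote(schema, safe="")


def triage(schemas: list[str]) -> dict[str, tuple[bool, str]]:
    """Map each name to (passes allowlist?, what plain encoding produces)."""
    return {s: (is_valid_schema_name(s), database_component(s)) for s in schemas}


# Constructed inputs for the demonstration (not real Superset or ClickHouse data).
SAMPLES = [
    "default",
    "analytics_2024",
    "my-db",
    "../system",              # path-like; encoding keeps it, validation drops it
    "x;DROP DATABASE y",      # SQL-looking; encoding keeps it, validation drops it
    "default\n",              # slips past an '^...$' re.match, not past fullmatch
]

if __name__ == "__main__":
    for name, (ok, encoded) in triage(SAMPLES).items():
        print(f"{name!r:24} allowlisted={ok!s:5} encoded={encoded!r}")
```

Running it shows that `parse.quote` turns `../system` into `..%2Fsystem` and `x;DROP DATABASE y` into `x%3BDROP%20DATABASE%20y`: the strings are now safe inside a URL path, but nothing about them has been rejected, which is the comment's point. Whether such an encoded value is decoded again before it reaches the server depends on how the dialect consumes the URL object, so the allowlist is the part that does not rely on that behaviour.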



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

