AKuzyashin commented on issue #22960:
URL: https://github.com/apache/superset/issues/22960#issuecomment-2720254227
Hello Apache Superset team,
I would like to highlight a potential remaining attack vector involving the
extras.where parameter.
It appears that passing unsanitized user input directly into extras.where or
extras.having (using /api/v1/chart/data) could allow:
- SQL Injection: if the input is interpolated into raw SQL without
  parameterization.
- SSTI (Server-Side Template Injection): if the input is processed via Jinja2
  templates without proper sandboxing/validation.
Example Scenario:
A malicious actor could craft a WHERE clause like:
`1=1; DELETE FROM your_table; -- `
Or leverage Jinja2 directives (if templates are enabled):
`{{ 4*'foo' }}`
Let me know if further details or a PoC would be helpful.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
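As an added illustration (not part of the comment above and not Superset's own code), the following Python script contrasts the two handling patterns the comment describes. It assumes a constructed SQLite table `your_table` with two columns, reuses the two fragments quoted in the comment as test inputs, and shows (a) the vulnerable pattern, where the WHERE fragment is interpolated into the SQL text and run through a multi-statement executor, and (b) a hardened pattern that only accepts a single `<column> <operator> <literal>` comparison against an allowlisted column, binds the literal as a parameter, and rejects template delimiters outright. The allowlist, regex grammar and helper names are assumptions made for this example, not Superset's validation.

```python
import re
import sqlite3

# Constructed example schema and rows; not Superset's schema or code.
SAMPLE_ROWS = [(1, 5), (2, 15), (3, 25)]
ALLOWED_COLUMNS = {"id", "price"}          # assumption: the chart's known columns
ALLOWED_OPERATORS = {"=", "<>", "<", ">", "<=", ">="}

# The two attacker-controlled fragments quoted in the comment above.
SQLI_PAYLOAD = "1=1; DELETE FROM your_table; -- "
SSTI_PAYLOAD = "{{ 4*'foo' }}"


def fresh_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE your_table (id INTEGER, price INTEGER)")
    conn.executemany("INSERT INTO your_table VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def count_rows_unsafe(where: str) -> int:
    """Vulnerable pattern: the WHERE fragment is interpolated into the SQL
    text and handed to an executor that accepts multiple statements, so an
    injected second statement runs as well."""
    conn = fresh_db()
    conn.executescript(f"SELECT COUNT(*) FROM your_table WHERE {where}")
    # Rows surviving after the "query": 0 means the injected DELETE executed.
    return conn.execute("SELECT COUNT(*) FROM your_table").fetchone()[0]


# Hardened pattern: accept only "<column> <operator> <literal>" and bind the
# literal as a parameter; everything else is rejected before reaching SQL.
_FILTER_RE = re.compile(
    r"^\s*(\w+)\s*(=|<>|<=|>=|<|>)\s*(?:'([^']*)'|(-?\d+))\s*$"
)


def parse_filter(where: str):
    """Return (column, operator, value) or raise ValueError."""
    if "{{" in where or "{%" in where:
        # Coarse guard against template directives reaching a renderer.
        raise ValueError("template delimiters are not allowed in a filter")
    m = _FILTER_RE.match(where)
    if not m:
        raise ValueError("filter must be <column> <operator> <literal>")
    column, op, str_val, num_val = m.groups()
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"unknown column {column!r}")
    if op not in ALLOWED_OPERATORS:
        raise ValueError(f"operator {op!r} not allowed")
    value = str_val if str_val is not None else int(num_val)
    return column, op, value


def count_rows_safe(where: str) -> int:
    """Only validated identifiers reach the SQL text; the literal is bound."""
    column, op, value = parse_filter(where)
    conn = fresh_db()
    sql = f"SELECT COUNT(*) FROM your_table WHERE {column} {op} ?"
    return conn.execute(sql, (value,)).fetchone()[0]


def is_rejected(where: str) -> bool:
    """True when the hardened parser refuses the fragment."""
    try:
        parse_filter(where)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe, benign filter :", count_rows_unsafe("price > 10"))
    print("unsafe, SQLi payload  :", count_rows_unsafe(SQLI_PAYLOAD))
    print("safe, benign filter   :", count_rows_safe("price > 10"))
    for bad in (SQLI_PAYLOAD, SSTI_PAYLOAD, "price > 10 OR 1=1"):
        print("safe rejects", repr(bad), ":", is_rejected(bad))
```

The same parser applies to an `extras.having` fragment; the point is that free-form SQL text from the client is never spliced into the statement, and anything that looks like a template directive is refused before any rendering step could see it.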