korbit-ai[bot] commented on code in PR #33060:
URL: https://github.com/apache/superset/pull/33060#discussion_r2035513217
##########
superset-frontend/src/pages/RolesList/index.tsx:
##########
@@ -163,7 +163,7 @@ function RolesList({ addDangerToast, addSuccessToast, user
}: RolesListProps) {
const fetchPage = async (pageIndex: number) => {
const response = await SupersetClient.get({
- endpoint:
`api/v1/security/users/?q={"page_size":${pageSize},"page":${pageIndex}}`,
+ endpoint:
`api/v1/security/users/?q=(page_size:${pageSize},page:${pageIndex})`,
});
return response.json;
};
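Review bot: the `+` line still builds the rison `q` value by interpolating `pageSize` and `pageIndex` straight into the template literal; `fetchPage` types `pageIndex` as `number`, but nothing in the hunk checks that either value is a finite non-negative integer, so a `NaN` or fractional value would produce a malformed query such as `(page_size:NaN,page:0)` instead of a clear client-side error. Consider validating both values (`Number.isInteger`, `pageSize >= 1`, `pageIndex >= 0`) before the request, or building a `{ page_size, page }` object and serializing it with a rison encoder so the format is produced by construction rather than by hand.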
Review Comment:
### Unsafe URL Parameter Interpolation
<details>
<summary>Tell me more</summary>
###### What is the issue?
Direct string interpolation of user-controlled variables (pageSize and
pageIndex) into the API endpoint URL without validation or sanitization.
###### Why this matters
This could allow malicious users to inject arbitrary characters into the
URL, potentially leading to path traversal or API manipulation attacks.
###### Suggested change ∙ *Feature Preview*
```typescript
const fetchPage = async (pageIndex: number) => {
  // Validate inputs are safe positive integers
  if (
    !Number.isInteger(pageSize) ||
    !Number.isInteger(pageIndex) ||
    pageSize < 1 ||
    pageIndex < 0
  ) {
    throw new Error('Invalid pagination parameters');
  }
  const response = await SupersetClient.get({
    endpoint: `api/v1/security/users/?q=(page_size:${pageSize},page:${pageIndex})`,
  });
  return response.json;
};
```
</details>
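The validation the review suggests, as an added example that is not part of the PR or of Superset's code: a standalone builder for the endpoint above that checks both pagination values and serializes the rison `q` object instead of interpolating it by hand. The function names, the minimal rison encoder (numbers, strings, arrays, objects) and the explicit `pageSize` argument are assumptions for this example.

```typescript
// Added example, not Superset code: the endpoint builder and the minimal
// rison encoder below are assumptions for illustration.
type Rison = number | boolean | null | string | Rison[] | { [key: string]: Rison };

// Conservative "bare identifier" check; anything else is quoted. Quoting a
// string that could have been bare is still valid rison, so this is safe.
const BARE_ID = /^[A-Za-z_][A-Za-z0-9_.\-]*$/;

// Serialize a value in rison (the format of the `q` parameter): numbers
// as-is, bare or '...'-quoted strings with ' and ! escaped by a leading !,
// arrays as !(a,b), objects as (k:v,...) with keys sorted like rison.js.
function risonEncode(value: Rison): string {
  if (value === null) return '!n';
  if (typeof value === 'boolean') return value ? '!t' : '!f';
  if (typeof value === 'number') {
    if (!Number.isFinite(value)) throw new RangeError('rison: non-finite number');
    return String(value);
  }
  if (typeof value === 'string') {
    return BARE_ID.test(value) ? value : `'${value.replace(/[!']/g, m => `!${m}`)}'`;
  }
  if (Array.isArray(value)) return `!(${value.map(risonEncode).join(',')})`;
  const obj = value;
  return `(${Object.keys(obj)
    .sort()
    .map(k => `${risonEncode(k)}:${risonEncode(obj[k])}`)
    .join(',')})`;
}

// Reject anything that is not a plain integer within range so a bad value
// fails loudly on the client instead of producing a malformed query string.
function requirePageInt(name: string, v: unknown, min: number): number {
  if (typeof v !== 'number' || !Number.isInteger(v) || v < min) {
    throw new RangeError(`${name} must be an integer >= ${min}, got ${String(v)}`);
  }
  return v;
}

// Builds the same endpoint as the hunk, but only from validated inputs.
// pageSize is an explicit parameter here; in the component it comes from scope.
function usersListEndpoint(pageSize: unknown, pageIndex: unknown): string {
  const q: Rison = {
    page_size: requirePageInt('page_size', pageSize, 1),
    page: requirePageInt('page', pageIndex, 0),
  };
  return `api/v1/security/users/?q=${risonEncode(q)}`;
}
```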