korbit-ai[bot] commented on code in PR #34806:
URL: https://github.com/apache/superset/pull/34806#discussion_r2292588053


##########
superset/common/query_context_processor.py:
##########
@@ -1001,6 +1001,7 @@ def get_data(
                 result = csv.df_to_escaped_csv(
                     df, index=include_index, **current_app.config["CSV_EXPORT"]
                 )
+                result = 
result.encode(current_app.config["CSV_EXPORT"].get("encoding", "utf-8"))
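Review bot: the added `+` line assumes `CSV_EXPORT["encoding"]` names a usable text codec and that every cell value can be represented in it; an unknown name raises `LookupError` and a narrow codec such as `ascii` raises `UnicodeEncodeError` on the first non-ASCII value, and neither is caught here, so a misconfigured instance fails deep inside `get_data` rather than at config load. Resolve the name once (e.g. via `codecs.lookup`) and either pass `errors=` or fall back to `utf-8` with a logged warning. Since the same dict is also splatted into `csv.df_to_escaped_csv(df, index=include_index, **current_app.config["CSV_EXPORT"])`, confirm that an `encoding` key is accepted there as a keyword and does not change that call's behaviour.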

Review Comment:
   ### Unvalidated encoding configuration for CSV export <sub>![category Security](https://img.shields.io/badge/Security-e11d48)</sub>
   
   <details>
     <summary>Tell me more</summary>
   
   ###### What is the issue?
   The code uses a configuration value for encoding CSV data without 
validation, which could potentially lead to security issues if the 
configuration is tampered with.
   
   
   ###### Why this matters
   If an attacker can manipulate the CSV_EXPORT configuration to specify a 
malicious encoding, it could result in data corruption or potential code 
execution vulnerabilities when the CSV is later processed by other systems.
   
   ###### Suggested change ∙ *Feature Preview*
   ```python
   # Add encoding validation
   valid_encodings = {'utf-8', 'ascii', 'iso-8859-1'} # Define allowed encodings
   encoding = current_app.config["CSV_EXPORT"].get("encoding", "utf-8")
   if encoding not in valid_encodings:
       encoding = "utf-8"  # Default to utf-8 if invalid
   result = result.encode(encoding)
   ```
   
   
   </details>
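The allowlist in the suggestion above stops an unknown codec name, but an allowed codec such as `ascii` still raises `UnicodeEncodeError` on the first non-ASCII cell. The following is an added example, not code from Superset or from the bot, that resolves a configured encoding to a canonical text codec at config-load time and turns an unrepresentable character into a clear error; `CSV_EXPORT_CONFIG`, `resolve_csv_encoding` and `encode_csv` are names chosen here, not Superset APIs.

```python
import codecs
import logging

log = logging.getLogger(__name__)

# Constructed stand-in for current_app.config["CSV_EXPORT"]; in Superset this
# dict comes from the config module, and "encoding" is the key the PR adds.
CSV_EXPORT_CONFIG = {"encoding": "latin-1"}

DEFAULT_ENCODING = "utf-8"


def resolve_csv_encoding(config: dict, default: str = DEFAULT_ENCODING) -> str:
    """Return a canonical, known *text* codec name for CSV export.

    codecs.lookup() normalises aliases (UTF8 -> utf-8) and raises LookupError
    for unknown names. Non-text codecs such as rot13 or base64 do resolve, but
    str.encode() rejects them with LookupError, so we probe with an empty
    string. Either failure falls back to the default instead of surfacing
    later, mid-export, as an unhandled exception.
    """
    requested = config.get("encoding", default)
    try:
        name = codecs.lookup(requested).name
        "".encode(name)  # rejects codecs that are not text encodings
        return name
    except LookupError:
        log.warning("CSV_EXPORT encoding %r is not a usable text codec; "
                    "falling back to %s", requested, default)
        return default


def encode_csv(csv_text: str, encoding: str) -> bytes:
    """Encode the CSV payload, naming the offending character when the
    configured codec cannot represent it instead of leaking a bare
    UnicodeEncodeError out of the export path."""
    try:
        return csv_text.encode(encoding)
    except UnicodeEncodeError as exc:
        bad = csv_text[exc.start:exc.end]
        raise ValueError(
            f"CSV contains {bad!r} which cannot be represented in the "
            f"configured encoding {encoding!r}"
        ) from exc


if __name__ == "__main__":
    enc = resolve_csv_encoding(CSV_EXPORT_CONFIG)
    print(enc, encode_csv("name\nJosé\n", enc))
```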



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

