From 08ed138c6cdfe9adcb296539ac53bd129679a700 Mon Sep 17 00:00:00 2001
From: Daniel Gaspar
Date: Tue, 2 Jul 2024 15:32:27 +0100
Subject: [PATCH 1/2] fix: add more disallowed pg functions
---
 superset/config.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/superset/config.py b/superset/config.py
index e4dc202537acc..715f0d1c293d4 100644
--- a/superset/config.py
+++ b/superset/config.py
@@ -1274,7 +1274,15 @@ def CSV_TO_HIVE_UPLOAD_DIRECTORY_FUNC( # pylint: disable=invalid-name
 # unsafe SQL functions in SQL Lab and Charts. The keys of the dictionary are the engine
 # names, and the values are sets of disallowed functions.
 DISALLOWED_SQL_FUNCTIONS: dict[str, set[str]] = {
- "postgresql": {"version", "query_to_xml", "inet_server_addr", "inet_client_addr"},
+ "postgresql": {
+ "version",
+ "query_to_xml",
+ "inet_server_addr",
+ "inet_client_addr",
+ "query_to_xml_and_xmlschema",
+ "table_to_xml",
+ "table_to_xml_and_xmlschema",
+ },
 "clickhouse": {"url"},
 "mysql": {"version"},
 }
From 490c8dcd98f86057d9120fca11107538596abc13 Mon Sep 17 00:00:00 2001
From: Daniel Gaspar
Date: Fri, 5 Jul 2024 13:21:14 +0100
Subject: [PATCH 2/2] exclude database_to_xml
---
 superset/config.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/superset/config.py b/superset/config.py
index 715f0d1c293d4..c82e002695b15 100644
--- a/superset/config.py
+++ b/superset/config.py
@@ -1275,13 +1275,14 @@ def CSV_TO_HIVE_UPLOAD_DIRECTORY_FUNC( # pylint: disable=invalid-name
 # names, and the values are sets of disallowed functions.
 DISALLOWED_SQL_FUNCTIONS: dict[str, set[str]] = {
 "postgresql": {
- "version",
- "query_to_xml",
- "inet_server_addr",
+ "database_to_xml",
 "inet_client_addr",
+ "inet_server_addr",
+ "query_to_xml",
 "query_to_xml_and_xmlschema",
 "table_to_xml",
 "table_to_xml_and_xmlschema",
+ "version",
 },
 "clickhouse": {"url"},
 "mysql": {"version"},
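Review bot: The three XML entries added to the `"postgresql"` set carry no comment saying why they are blocked, so a later maintainer cannot tell which sibling functions belong in the set as well. I would add a line above the set such as `# *_to_xml functions receive the query or table as an argument, so the tables they read do not appear as table references in the submitted SQL`; that is my reading of why `query_to_xml` was already listed and should be confirmed against the function check. Because this is the default in `superset/config.py`, a deployment that assigns its own `DISALLOWED_SQL_FUNCTIONS` presumably replaces the whole dict and will not pick up the new entries, which is worth stating in the comment or the release notes. The comment block that documents this setting starts above the hunk.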
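Review bot: The final `"postgresql"` set still covers only part of the XML-mapping family it is blocking: `database_to_xml` is added here, but its `_and_xmlschema` variant and the schema-level functions are not. If the intent is to block every function of that family that returns table contents, add `"database_to_xml_and_xmlschema",`, `"schema_to_xml",` and `"schema_to_xml_and_xmlschema",` in the same sorted order. A name denylist needs this upkeep whenever the engine gains a function, so the database-side privileges of the role Superset connects with remain the control to rely on. How names are matched (letter case, schema-qualified calls) is not visible in this hunk and should be pinned by a test, since the diffstat shows only `superset/config.py` changing. The hunk is cut before the dict's closing brace.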