Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DO NOT MERGE: test 4.1 release #29693

Closed
wants to merge 1,074 commits into from
Closed

DO NOT MERGE: test 4.1 release #29693

wants to merge 1,074 commits into from

Conversation

eschutho
Copy link
Member

SUMMARY

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

dependabot bot and others added 30 commits July 1, 2024 10:03
@dependabot
chore(deps): bump rehype-raw from 6.1.1 to 7.0.0 in /superset-frontend (
5aac1b5 
#29433)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
chore(deps-dev): bump eslint-import-resolver-typescript from 2.5.0 to…
7727b9d 
… 3.6.1 in /superset-frontend (#29435)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
chore(deps-dev): bump ts-jest from 29.1.2 to 29.1.5 in /superset-webs…
0cf676b 
…ocket (#29423)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@villebro
chore(key-value): convert command to dao (#29344)
7d6e933
@saghatelian
chore: Added 10Web to the list of organizations that use Apache Super…
0286650 
…set (#29442)
@mistercrunch
chore: move all GHAs to ubuntu-22.04 (#29447)
446a3b2
@dependabot
chore(deps): bump react-markdown from 8.0.3 to 8.0.7 in /superset-fro…
839ca82 
…ntend (#29439)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
chore(deps): bump @algolia/client-search from 4.23.3 to 4.24.0 in /do…
1e73820 
…cs (#29428)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
chore(deps-dev): bump webpack from 5.91.0 to 5.92.1 in /docs (#29429)
cf031bb 
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
chore(deps): bump actions/checkout from 2 to 4 (#29434)
7a0ae36 
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot @rusackas
chore(deps-dev): update @types/lodash requirement from ^4.17.4 to ^4.…
3449b8f 
…17.6 in /superset-frontend/plugins/plugin-chart-handlebars (#29425)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Evan Rusackas <[email protected]>
@dependabot
chore(deps): bump deck.gl from 9.0.12 to 9.0.20 in /superset-frontend…
7bb7fc0 
…/plugins/legacy-preset-chart-deckgl (#29426)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@villebro
fix(metastore-cache): import dao in methods (#29451)
7f3c8ef
@sadpandajoe
fix: re-add missing code from PR #28132 (#29446)
fb1f2c4
@betodealmeida
fix: OAuth2 in async DBs (#29461)
d5c0506
@michael-s-molina
fix: Dashboard hangs when initial filters cannot be loaded (#29456)
35da6ac
@mknadh
feat(CLI command): Apache Superset "Factory Reset" CLI command #27207 (
6b73b69 
…#27221)
@easontm
docs(docker compose): fix step 4 list formatting (#29468)
5231e86
@goldjee
chore(i18n): Translated charts and filters into Russian (#29377)
48f6fe6
@mistercrunch
chore: run babel_update.sh to update po files (#29476)
145694d
@Vitor-Avila
chore(utils): Support select_columns with getUserOwnedObjects and spl…
4e861cf 
…it recentActivityObjs (#29459)
@soumitra-st
fix: Enable explore button on SQL Lab view when connected to Apache P…
6d2b3b8 
…inot as a database (#28364)
@Vitor-Avila
chore(Home): Avoid firing API requests when a custom Home is used (#2…
0f60701 
…9493)
@eulloa10 @geido
feat(dashboard): add API endpoints for generating and downloading scr…
d896481 
…eenshots (#29187)

Co-authored-by: Diego Pucci <[email protected]>
@geido
refactor: Upgrade Card to Ant Design 5 (#29389)
e768796
@dpgaspar
fix: remove info from datasource access error (#29470)
2418342
@dpgaspar
fix: add more disallowed pg functions (#29454)
0e00282
@c-w
feat: Enable customizing the docker admin password (#29498)
ee72d6c
@dacopan
feat: add support to NOT LIKE operator (#29384)
9724c99
@CodeWithEmad
docs: cleanup markdown warnings (#29511)
1682994
github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 22, 2024
View reviewed changes
superset-frontend/src/features/home/Menu.tsx
<img src={brand.icon} alt={brand.alt} />
</GenericLink>
) : (
<a className="navbar-brand" href={brand.path}>
<a className="navbar-brand" href={brand.path} tabIndex={-1}>

Check warning

Code scanning / CodeQL

DOM text reinterpreted as HTML Medium

DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix AI about 2 months ago

To fix the problem, we need to ensure that the brand.path value is properly sanitized before being used in the href attribute. This can be achieved by using a library like DOMPurify to sanitize the URL. This will prevent any malicious content from being executed as part of the URL.

  1. Install the DOMPurify library.
  2. Import DOMPurify in the Menu.tsx file.
  3. Sanitize the brand.path value before using it in the href attribute.
Suggested changeset 2
superset-frontend/src/features/home/Menu.tsx

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/superset-frontend/src/features/home/Menu.tsx b/superset-frontend/src/features/home/Menu.tsx
--- a/superset-frontend/src/features/home/Menu.tsx
+++ b/superset-frontend/src/features/home/Menu.tsx
@@ -19,2 +19,3 @@
 import { useState, useEffect } from 'react';
+import DOMPurify from 'dompurify';
 import { styled, css, useTheme, SupersetTheme } from '@superset-ui/core';
@@ -318,3 +319,3 @@
             ) : (
-              <a className="navbar-brand" href={brand.path} tabIndex={-1}>
+              <a className="navbar-brand" href={DOMPurify.sanitize(brand.path)} tabIndex={-1}>
                 <img src={brand.icon} alt={brand.alt} />
EOF
@@ -19,2 +19,3 @@
import { useState, useEffect } from 'react';
import DOMPurify from 'dompurify';
import { styled, css, useTheme, SupersetTheme } from '@superset-ui/core';
@@ -318,3 +319,3 @@
) : (
<a className="navbar-brand" href={brand.path} tabIndex={-1}>
<a className="navbar-brand" href={DOMPurify.sanitize(brand.path)} tabIndex={-1}>
<img src={brand.icon} alt={brand.alt} />
superset-frontend/package.json
Outside changed files

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/superset-frontend/package.json b/superset-frontend/package.json
--- a/superset-frontend/package.json
+++ b/superset-frontend/package.json
@@ -207,3 +207,4 @@
     "use-query-params": "^1.1.9",
-    "yargs": "^17.7.2"
+    "yargs": "^17.7.2",
+    "dompurify": "^3.2.1"
   },
EOF
@@ -207,3 +207,4 @@
"use-query-params": "^1.1.9",
"yargs": "^17.7.2"
"yargs": "^17.7.2",
"dompurify": "^3.2.1"
},
This fix introduces these dependencies
Package Version Security advisories
dompurify (npm) 3.2.1 None
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
geido and others added 9 commits November 22, 2024 11:23
@geido @sadpandajoe
fix(Dashboard): Native & Cross-Filters Scoping Performance (#30881)
cebd457 
(cherry picked from commit f4c36a6)
@rusackas @sadpandajoe
fix(release validation): scripts now support RSA and EDDSA keys. (#30967
f20a8de 
)

(cherry picked from commit 4f899dd)
@geido @sadpandajoe
fix(Dashboard): Ensure shared label colors are updated (#31031)
71d4bf7 
(cherry picked from commit 91301bc)
@michael-s-molina @sadpandajoe
fix: Revert "feat(trino): Add functionality to upload data (#29164)" (#…
b31595a 
…31151)

(cherry picked from commit ff28249)
@michael-s-molina @sadpandajoe
fix: Remove unwanted commit on Trino's handle_cursor (#31154)
caaf5bf 
(cherry picked from commit 547a4ad)
@betodealmeida @sadpandajoe
fix: check orderby (#31156)
e151dda 
(cherry picked from commit 7f2e752)
@geido @sadpandajoe
fix(Dashboard): Backward compatible shared_label_colors field (#31163)
15740f8 
(cherry picked from commit f077323)
@michael-s-molina @sadpandajoe
fix: Time-series Line Chart Display unnecessary total (#31181)
43fe5ca 
(cherry picked from commit dbcb473)
@DamianPendrak @sadpandajoe
fix: x axis title disappears when editing bar chart (#30821)
fd7f1d3 
(cherry picked from commit 97dde8c)
@sadpandajoe sadpandajoe force-pushed the 4.1 branch 4 times, most recently from fa52c3a to 5b99354 Compare December 4, 2024 23:15
@eschutho eschutho closed this Dec 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@villebro villebro Awaiting requested review from villebro villebro is a code owner

@rusackas rusackas Awaiting requested review from rusackas rusackas is a code owner

@michael-s-molina michael-s-molina Awaiting requested review from michael-s-molina michael-s-molina is a code owner

@geido geido Awaiting requested review from geido geido is a code owner

@betodealmeida betodealmeida Awaiting requested review from betodealmeida betodealmeida is a code owner

@nytai nytai Awaiting requested review from nytai nytai is a code owner

@mistercrunch mistercrunch Awaiting requested review from mistercrunch mistercrunch is a code owner

@craig-rueda craig-rueda Awaiting requested review from craig-rueda craig-rueda is a code owner

@john-bodley john-bodley Awaiting requested review from john-bodley john-bodley is a code owner

@kgabryje kgabryje Awaiting requested review from kgabryje kgabryje is a code owner

@dpgaspar dpgaspar Awaiting requested review from dpgaspar dpgaspar is a code owner

@jinghua-qa jinghua-qa Awaiting requested review from jinghua-qa jinghua-qa is a code owner

Assignees
No one assigned
Labels
api Related to the REST API dependencies:npm dependencies:python doc Namespace | Anything related to documentation embedded github_actions Pull requests that update GitHub Actions code i18n:brazilian i18n:chinese Translation related to Chinese language i18n:dutch i18n:french Translation related to French language i18n:italian Translation related to Italian language i18n:japanese Translation related to Japanese language i18n:korean Translation related to Korean language i18n:portuguese i18n:russian Translation related to Russian language i18n:slovak i18n:spanish Translation related to Spanish language i18n:ukrainian i18n Namespace | Anything related to localization packages plugins review:draft risk:db-migration PRs that require a DB migration
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.