Skip to content

fix(datasets): respect application root in database management link #36986

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
rusackas merged 1 commit into from
Jan 23, 2026
Merged

fix(datasets): respect application root in database management link #36986

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion superset-frontend/src/features/datasets/AddDataset/LeftPanel/index.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ import {
} from 'src/features/datasets/AddDataset/types';
import { Table } from 'src/hooks/apiResources';
import { Typography } from '@superset-ui/core/components/Typography';
import { ensureAppRoot } from 'src/utils/pathUtils';

interface LeftPanelProps {
setDataset: Dispatch<SetStateAction<object>>;
Expand Down Expand Up @@ -191,7 +192,7 @@ export default function LeftPanel({
description={
<span>
{t('Manage your databases')}{' '}
<Typography.Link href="/databaseview/list">
<Typography.Link href={ensureAppRoot('/databaseview/list')}>
Copy link
Contributor

@codeant-ai-for-open-source codeant-ai-for-open-source bot Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: A malicious or misconfigured ensureAppRoot could return a non-relative or unsafe URL (for example a javascript: or external URL). Constrain the value to a safe internal path (e.g. ensure it starts with '/') and fallback if not, to prevent link injection/XSS-like issues. [security]

Severity Level: Critical 🚨

Suggested change
<Typography.Link href={ensureAppRoot('/databaseview/list')}>
<Typography.Link href={((): string => { const p = ensureAppRoot('/databaseview/list'); return p && p.startsWith('/') ? encodeURI(p) : '/databaseview/list'; })()}>
Why it matters? ⭐

Valid security concern: untrusted or misconfigured ensureAppRoot could return an external or unsafe URL (javascript: scheme etc). The proposed guard (verify it starts with '/' and fallback) prevents link injection and is a reasonable defensive measure. It's a legitimate fix when the origin of ensureAppRoot's value isn't strictly controlled.

Prompt for AI Agent 🤖 
This is a comment left during a code review.

**Path:** superset-frontend/src/features/datasets/AddDataset/LeftPanel/index.tsx
**Line:** 195:195
**Comment:**
	*Security: A malicious or misconfigured `ensureAppRoot` could return a non-relative or unsafe URL (for example a javascript: or external URL). Constrain the value to a safe internal path (e.g. ensure it starts with '/') and fallback if not, to prevent link injection/XSS-like issues.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.

Copy link
Contributor Author

@geier geier Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have checked, and a lot of other existing links in the project use the very same pattern as above, not the much more complicated (but more secure) version you suggested. Can you check what the convention in the existing code base is?

{t('here')}
</Typography.Link>
</span>
Expand Down
Loading