No input validations there on UI #31772
Replies: 2 comments 1 reply
-
I have made all these changes, as we have had some security vulnerability issues raised and we are currently running the updated code on our end. I can raise a pull request for the same as part of a contribution if the issue looks valid.
-
A limit on length sounds reasonable, but I'm not sure what it really ought to be... perhaps that should be configurable. Similarly, for disallowing characters in names/titles, if there is an XSS vulnerability or something, I'm on board, but otherwise I think special characters should be fine. I might want a chart of "Top 1% of songs written in D# minor, by $ earned". Of course, again, I'm fine with imposing a list of "banned" characters, so long as that's part of the config. A PR would be welcome. Meanwhile, I'll convert this to an Ideas discussion, since I don't think it's a bug report. CC @dpgaspar as well, since this might border on security.
-
Description
There is no input validation present for Dashboard, Chart, Annotation Layers, row-level security, or for user info details.
Design input
In the module-specific schemas.py files ({charts, dashboards, annotation_layers, row_level_security, etc.}), input validation can be added like:

validate=[validate.And(Length(1, 250), validate.Regexp(regex='^[a-zA-Z0-9_]+$', error='Special Characters are not Allowed!'))]

for the fields that need it, like name and description, because if there is no validation then any attack is possible, e.g. they can put scripts in the name/description, which might cause a vulnerability. For user info, input validation for first_name and last_name can be done by creating a new view in superset/security/manager.py and adding userinfoeditview = NewUserInfoEditView in SupersetSecurityManager.
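The following is an added, stand-alone example, not code from this thread or from Superset. It uses only the standard library (mirroring the And/Length/Regexp semantics of the marshmallow validator proposed above, rather than importing marshmallow) to show the two points the discussion raises: the length limit and the banned-character list come from a config dictionary instead of being hard-coded, and the strict `^[a-zA-Z0-9_]+$` allow-list rejects a legitimate title such as the maintainer's "Top 1% of songs written in D# minor, by $ earned". It also shows output encoding, which is the control that actually neutralises markup in a title at render time. The config key names, the deny-list contents and the sample inputs are all constructed for this example.

```python
import html
import re
from typing import Any, Callable, Dict, List, Optional, Tuple

# Constructed configuration. These key names are an assumption standing in for
# the "configurable" limits requested in the thread; they are not Superset keys.
VALIDATION_CONFIG: Dict[str, Any] = {
    "NAME_MAX_LENGTH": 250,
    "NAME_BANNED_CHARS": "<>\"'`",  # constructed deny-list; empty string allows everything
}

# The allow-list regex proposed in the issue, kept here only for comparison.
STRICT_NAME_PATTERN = re.compile(r"^[a-zA-Z0-9_]+$")

Validator = Callable[[str], None]


class ValidationError(ValueError):
    """Raised when a value fails one or more validators."""


def length(min_len: int, max_len: int) -> Validator:
    """Reject values whose length is outside [min_len, max_len]."""
    def check(value: str) -> None:
        if not min_len <= len(value) <= max_len:
            raise ValidationError(f"Length must be between {min_len} and {max_len}.")
    return check


def banned_chars(chars: str) -> Validator:
    """Reject values containing any character from the configured deny-list."""
    banned = set(chars)

    def check(value: str) -> None:
        hits = sorted(banned.intersection(value))
        if hits:
            raise ValidationError("Characters not allowed: " + "".join(hits))
    return check


def all_of(*validators: Validator) -> Validator:
    """Run every validator and report all failures together (like marshmallow's And)."""
    def check(value: str) -> None:
        errors: List[str] = []
        for validator in validators:
            try:
                validator(value)
            except ValidationError as exc:
                errors.append(str(exc))
        if errors:
            raise ValidationError(" ".join(errors))
    return check


def name_validator(config: Dict[str, Any] = VALIDATION_CONFIG) -> Validator:
    """Build the name/title validator from config rather than from hard-coded constants."""
    return all_of(
        length(1, int(config["NAME_MAX_LENGTH"])),
        banned_chars(str(config["NAME_BANNED_CHARS"])),
    )


def validate_name(value: str, config: Dict[str, Any] = VALIDATION_CONFIG) -> Tuple[bool, Optional[str]]:
    """Return (ok, error_message) so the caller can surface the message in the UI."""
    try:
        name_validator(config)(value)
    except ValidationError as exc:
        return False, str(exc)
    return True, None


def strict_regex_allows(value: str) -> bool:
    """Does the allow-list regex from the issue accept this value?"""
    return STRICT_NAME_PATTERN.match(value) is not None


def render_title_html(title: str) -> str:
    """Output encoding: escape the title wherever it is interpolated into HTML."""
    return f"<h2>{html.escape(title, quote=True)}</h2>"


if __name__ == "__main__":
    sample = "Top 1% of songs written in D# minor, by $ earned"  # constructed, from the thread
    print(validate_name(sample))        # (True, None)
    print(strict_regex_allows(sample))  # False: the strict regex rejects a legitimate title
    print(validate_name("a<b"))         # (False, 'Characters not allowed: <')
    print(render_title_html("a<b"))     # <h2>a&lt;b</h2>
```

Because the deny-list is read from config, an operator who wants no character restriction at all sets it to an empty string and keeps only the length limit; the escaping in render_title_html is what should be relied on against script injection regardless of which characters the validator admits.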