fix(mcp): handle table chart raw mode in query builders and sanitize dashboard titles#38990
…dashboard titles

Three fixes:

1. `ASCIIPreviewStrategy` in `get_chart_preview.py` now checks for `all_columns`/`query_mode: "raw"` when building query context for table charts, preventing "Empty query?" errors on ASCII preview.
2. `_build_query_columns()` in `preview_utils.py` applies the same pattern so table chart compile checks also work correctly.
3. `map_table_config()` in `chart_utils.py` now includes `"columns"` alongside `"all_columns"` in raw mode form_data so downstream `QueryContextFactory` validation passes.
4. `GenerateDashboardRequest` in `dashboard/schemas.py` now sanitizes `dashboard_title` via `field_validator` to prevent XSS payloads from being stored in dashboard names.
Codecov Report: ❌ Patch coverage is

```
@@            Coverage Diff             @@
##           master   #38990      +/-   ##
==========================================
- Coverage   64.42%   64.42%   -0.01%
==========================================
  Files        2536     2536
  Lines      131103   131120      +17
  Branches    30434    30437       +3
==========================================
+ Hits        84467    84471       +4
- Misses      45173    45186      +13
  Partials     1463     1463
```

Flags with carried forward coverage won't be shown.
…anitizer

1. Raw-mode query building now falls back to `"columns"` when `"all_columns"` is absent, covering pre-existing saved charts that only populate one field.
2. Dashboard title sanitizer uses `_strip_html_tags` directly instead of `sanitize_user_input`, which would reject benign titles containing `"data:"` (e.g., "Sales data: Q1").
✅ Deploy Preview for superset-docs-preview ready!
The sanitizer was converting empty strings to None, which triggered auto-generated titles. Preserve the original empty string value.
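The sanitizer behaviour described in the commits above, as an added standalone example rather than the PR's own `_strip_html_tags` / `sanitize_user_input` code: tags are removed with the standard-library HTML parser (script and style bodies are dropped too, since their text is code rather than a title), entity references are kept as written so a later renderer escapes them consistently, a title such as "Sales data: Q1" passes through unchanged, and an empty string stays an empty string instead of becoming `None`. The names `sanitize_dashboard_title` and `_TagStripper` are assumptions; the function is the body a `@field_validator` would call.

```python
from html.parser import HTMLParser
from typing import Optional

# Added example, not Superset's own sanitizer. Names are assumptions.


class _TagStripper(HTMLParser):
    """Keep text content only: every tag is dropped, and the bodies of
    script/style elements are dropped with the tag."""

    def __init__(self) -> None:
        # convert_charrefs=False so entities reach the handlers below and can
        # be preserved verbatim instead of being decoded into '<' or '>'.
        super().__init__(convert_charrefs=False)
        self._parts: list = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs) -> None:
        if tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag) -> None:
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data: str) -> None:
        if not self._skip_depth:
            self._parts.append(data)

    def handle_entityref(self, name: str) -> None:
        if not self._skip_depth:
            self._parts.append(f"&{name};")

    def handle_charref(self, name: str) -> None:
        if not self._skip_depth:
            self._parts.append(f"&#{name};")

    def text(self) -> str:
        return "".join(self._parts)


def sanitize_dashboard_title(value: Optional[str]) -> Optional[str]:
    """Validator body for dashboard_title.

    Strips HTML tags and collapses runs of whitespace. An empty string is
    returned as an empty string (not None), so the caller's auto-title
    fallback is only triggered when the field was genuinely absent.
    """
    if value is None:
        return None
    stripper = _TagStripper()
    stripper.feed(value)
    stripper.close()
    return " ".join(stripper.text().split())


if __name__ == "__main__":
    # Constructed sample titles, including the payload from the PR's
    # testing instructions and the benign "data:" title from the commit.
    for title in ["<script>alert(1)</script>Test", "Sales data: Q1", ""]:
        print(repr(title), "->", repr(sanitize_dashboard_title(title)))
```

Because the validator returns `""` for `""`, the schema can keep its own "generate a title when none was given" logic keyed on `None` without being tripped by the sanitizer.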
### SUMMARY

Four fixes for MCP service tools:

1. **ASCII preview for table charts:** `ASCIIPreviewStrategy` now checks for `all_columns`/`query_mode: "raw"` when building query context, preventing "Empty query?" errors on table-type charts.
2. **Table chart compile check:** `_build_query_columns()` in `preview_utils.py` applies the same raw-mode handling so table chart generation compile checks pass.
3. **Table chart form_data:** `map_table_config()` now includes `"columns"` alongside `"all_columns"` in raw mode so downstream `QueryContextFactory` validation passes.
4. **Dashboard title XSS:** `GenerateDashboardRequest` now sanitizes `dashboard_title` via `@field_validator` using `sanitize_user_input()`, matching the existing pattern in chart schemas.

### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A — backend-only changes.

### TESTING INSTRUCTIONS

- `get_chart_preview` with `format: "ascii"` on a table chart → should return data instead of "Empty query?" error
- `generate_chart` with `chart_type: "table"` and raw columns → should succeed without compile error
- `generate_dashboard` with `dashboard_title: "<script>alert(1)</script>Test"` → title should be sanitized (script tags stripped)

### ADDITIONAL INFORMATION
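The raw-mode handling the summary describes, as an added example that is not the PR's own `preview_utils.py` / `chart_utils.py` code: the pre-fix column resolution (which only consults the aggregate keys and so produces "Empty query?" for a raw-mode table chart) beside the fixed one (which takes `all_columns`, falling back to `columns` for older saved charts), plus a `map_table_config` that writes both keys in raw mode so either consumer finds the column list. Function names and the exact form_data shapes are assumptions modelled on the keys the PR names.

```python
# Added example, not Superset's own code. Names and form_data layouts are
# assumptions based on the keys named in the PR.


class EmptyQueryError(ValueError):
    """Raised when a query object would carry neither columns nor metrics."""


def is_raw_mode(form_data: dict) -> bool:
    """Raw mode is explicit (query_mode == "raw") or, when query_mode is
    absent, implied by a populated all_columns list (older saved charts)."""
    mode = form_data.get("query_mode")
    if mode is not None:
        return mode == "raw"
    return bool(form_data.get("all_columns"))


def legacy_query_columns(form_data: dict) -> dict:
    """Pre-fix behaviour: only the aggregate keys are read, so a raw-mode
    table chart ends up with no columns and no metrics."""
    columns = list(form_data.get("groupby") or [])
    metrics = list(form_data.get("metrics") or [])
    if not columns and not metrics:
        raise EmptyQueryError("Empty query?")
    return {"columns": columns, "metrics": metrics}


def resolve_query_columns(form_data: dict) -> dict:
    """Fixed behaviour: in raw mode use all_columns, falling back to columns
    for charts that populate only one of the two keys; otherwise aggregate."""
    raw = is_raw_mode(form_data)
    if raw:
        columns = list(form_data.get("all_columns") or form_data.get("columns") or [])
        metrics: list = []
    else:
        columns = list(form_data.get("groupby") or [])
        metrics = list(form_data.get("metrics") or [])
    if not columns and not metrics:
        raise EmptyQueryError("Empty query?")
    return {"columns": columns, "metrics": metrics, "is_raw": raw}


def map_table_config(config: dict) -> dict:
    """Build table-chart form_data from a tool request.

    Raw mode (columns without metrics) writes both all_columns and columns so
    that every downstream consumer, old or new, finds the column list.
    """
    form_data = {"viz_type": "table", "datasource": config["datasource"]}
    columns = list(config.get("columns") or [])
    metrics = list(config.get("metrics") or [])
    if metrics:
        form_data.update(query_mode="aggregate", groupby=columns, metrics=metrics)
    else:
        form_data.update(query_mode="raw", all_columns=columns, columns=list(columns))
    return form_data


if __name__ == "__main__":
    # Constructed sample: a raw-mode table chart request.
    fd = map_table_config({"datasource": "3__table", "columns": ["name", "value"]})
    print("form_data:", fd)
    try:
        legacy_query_columns(fd)
    except EmptyQueryError as exc:
        print("legacy:", exc)
    print("fixed:", resolve_query_columns(fd))
```

The fallback order matters: `all_columns` is preferred because it is what the table chart writes today, and `columns` is consulted only when it is the sole populated key, which is the shape of the pre-existing saved charts the second commit mentions.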