apache · mistercrunch · May 18, 2017 · May 18, 2017 · ascott · May 18, 2017
diff --git a/superset/connectors/sqla/models.py b/superset/connectors/sqla/models.py
@@ -11,8 +11,7 @@
 )
 import sqlalchemy as sa
 from sqlalchemy import asc, and_, desc, select
-from sqlalchemy.ext.compiler import compiles
-from sqlalchemy.sql.expression import ColumnClause, TextAsFrom
+from sqlalchemy.sql.expression import TextAsFrom
 from sqlalchemy.orm import backref, relationship
 from sqlalchemy.sql import table, literal_column, text, column
 

diff --git a/superset/db_engine_specs.py b/superset/db_engine_specs.py
@@ -312,7 +312,7 @@ def get_table_names(cls, schema, inspector):
 
 class MySQLEngineSpec(BaseEngineSpec):
  engine = 'mysql'
- cursor_execute_kwargs = {'args': {}}
+ cursor_execute_kwargs = {'args': None}
  time_grains = (
  Grain('Time Column', _('Time Column'), '{col}'),
  Grain("second", _('second'), "DATE_ADD(DATE({col}), "

diff --git a/superset/jinja_context.py b/superset/jinja_context.py
@@ -97,6 +97,8 @@ def process_template(self, sql, **kwargs):
  >>> process_template(sql)
  "SELECT '2017-01-01T00:00:00'"
  """
+ # Escaping colon
+ sql = sql.replace(':', '\:')
  template = self.env.from_string(sql)
  kwargs.update(self.context)
  return template.render(kwargs)

diff --git a/tests/core_tests.py b/tests/core_tests.py
@@ -25,6 +25,8 @@
 
 class CoreTests(SupersetTestCase):
 
+ """A set of core tests for Superset"""
+
  requires_examples = True
 
  def __init__(self, *args, **kwargs):
@@ -83,7 +85,23 @@ def test_slice_json_endpoint(self):
 
  json_endpoint = (
  '/superset/explore_json/{}/{}?form_data={}'
- .format(slc.datasource_type, slc.datasource_id, json.dumps(slc.viz.form_data))
+ .format(
+ slc.datasource_type,
+ slc.datasource_id,
+ json.dumps(slc.viz.form_data))
+ )
+ resp = self.get_resp(json_endpoint)
+ assert '"Jennifer"' in resp
+
+ def test_json_endpoint_escaping(self):
+ self.login(username='admin')
+ slc = self.get_slice("Girls", db.session)
+ fd = slc.viz.form_data
+ fd['where'] = "name NOT LIKE '%:super%'"
+
+ json_endpoint = (
+ '/superset/explore_json/{}/{}?form_data={}'
+ .format(slc.datasource_type, slc.datasource_id, json.dumps(fd))
  )
  resp = self.get_resp(json_endpoint)
  assert '"Jennifer"' in resp
@@ -141,8 +159,7 @@ def test_save_slice(self):
 
  form_data = {
  'viz_type': 'sankey',
- 'groupby': 'source',
- 'groupby': 'target',
+ 'groupby': ['source', 'target'],
  'metric': 'sum__value',
  'row_limit': 5000,
  'slice_id': slice_id,
@@ -163,8 +180,7 @@ def test_save_slice(self):
 
  form_data = {
  'viz_type': 'sankey',
- 'groupby': 'source',
- 'groupby': 'target',
+ 'groupby': ['source', 'target'],
  'metric': 'sum__value',
  'row_limit': 5000,
  'slice_id': new_slice_id,

diff --git a/tests/sqllab_tests.py b/tests/sqllab_tests.py
@@ -52,6 +52,13 @@ def test_sql_json(self):
  data = self.run_sql('SELECT * FROM unexistant_table', "2")
  self.assertLess(0, len(data['error']))
 
+ def test_sql_json_escaping(self):
+ self.login('admin')
+
+ data = self.run_sql(
+ "SELECT username FROM ab_user WHERE username like '%:test%'", "3")
+ self.assertEquals(0, len(data['data']))
+
  def test_sql_json_has_access(self):
  main_db = self.get_main_database(db.session)
  sm.add_permission_view_menu('database_access', main_db.perm)