chore(backend): replace insecure shortid usage for native filter mi…

…gration with native `uuid` Python implementation (#32235) Signed-off-by: hainenber <[email protected]>
apache · Feb 12, 2025 · 21348c4 · 21348c4
1 parent af3589f
commit 21348c4
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 11 deletions.
diff --git a/pyproject.toml b/pyproject.toml
@@ -87,7 +87,6 @@ dependencies = [
     "redis>=4.6.0, <5.0",
     "selenium>=4.14.0, <5.0",
     "shillelagh[gsheetsapi]>=1.2.18, <2.0",
-    "shortid",
     "sshtunnel>=0.4.0, <0.5",
     "simplejson>=3.15.0",
     "slack_sdk>=3.19.0, <4",

diff --git a/requirements/base.txt b/requirements/base.txt
@@ -329,8 +329,6 @@ selenium==4.27.1
     # via apache-superset (pyproject.toml)
 shillelagh==1.2.18
     # via apache-superset (pyproject.toml)
-shortid==0.1.2
-    # via apache-superset (pyproject.toml)
 simplejson==3.19.3
     # via apache-superset (pyproject.toml)
 six==1.16.0

diff --git a/requirements/development.txt b/requirements/development.txt
@@ -738,10 +738,6 @@ shillelagh==1.2.18
     # via
     #   -c requirements/base.txt
     #   apache-superset
-shortid==0.1.2
-    # via
-    #   -c requirements/base.txt
-    #   apache-superset
 simplejson==3.19.3
     # via
     #   -c requirements/base.txt

diff --git a/superset/migrations/shared/native_filters.py b/superset/migrations/shared/native_filters.py
@@ -18,11 +18,10 @@
 from textwrap import dedent
 from typing import Any
 
-from shortid import ShortId
-
 from superset.models.dashboard import Dashboard
 from superset.models.slice import Slice
 from superset.utils import json
+from superset.utils.core import shortid
 from superset.utils.dashboard_filter_scopes_converter import convert_filter_scopes
 
 
@@ -49,7 +48,6 @@ def convert_filter_scopes_to_native_filters(  # pylint: disable=invalid-name,too
     :see: convert_filter_scopes
     """
 
-    shortid = ShortId()
     default_filters = json.loads(json_metadata.get("default_filters") or "{}")
     filter_scopes = json_metadata.get("filter_scopes", {})
     filter_box_ids = {filter_box.id for filter_box in filter_boxes}
@@ -76,16 +74,27 @@ def convert_filter_scopes_to_native_filters(  # pylint: disable=invalid-name,too
         }
 
     # Construct the native filters.
+    unique_short_ids = set()
     for filter_box in filter_boxes:
         key = str(filter_box.id)
         params = json.loads(filter_box.params or "{}")
 
         for field, filter_scope in filter_scope_by_key_and_field[key].items():
             default = default_filters.get(key, {}).get(field)
+            short_id = f"{shortid()}"[:9]
+
+            # Ensure uniqueness due to UUIDv4 truncation increasing
+            # collision chance to infinitesimally small amount.
+            while True:
+                if short_id not in unique_short_ids:
+                    unique_short_ids.add(short_id)
+                    break
+                else:
+                    short_id = f"{shortid()}"[:9]
 
             fltr: dict[str, Any] = {
                 "cascadeParentIds": [],
-                "id": f"NATIVE_FILTER-{shortid.generate()}",
+                "id": f"NATIVE_FILTER-{short_id}",
                 "scope": {
                     "rootPath": filter_scope["scope"],
                     "excluded": [