Dashboard cannot be made public if it contains a text parameter

[raine]

Hey there,

Our use case:

In a kibana dashboard, we have dynamic links to a redash dashboard that contains a UUID as a parameter.

The UUID is used in WHERE clause of queries of the dashboard.

The idea is that you can jump from Kibana to a debugging dashboard in Redash.

Problem: The dashboard cannot be made public company-wide because it contains a text based parameter.

Our redash instance is behind google workspace login.

My current workaround is to invite team members manually to whom the dashboard is most relevant but in company of over hundred engineers this is not the best solution.

Potential solutions:

• Allow overriding this "security" protection somehow.
• Add a new UUID type for query parameters so that freeform text type would not have to be used. UUID would not allow sql injection which presumably is the threat here.

[gaecoli]

This is a security strategy to prevent external attacks.

[raine]

Yes, I understand. Any thoughts on suggestions provided?

[eradman]

The ability to share dashboards with text parameters from the Web UI is a much needed feature.

One solution might be to require a regex for the value of each text query parameter

parameter: volume
match: [-A-Za-z0-9]+
...

[gaecoli]

Is there any detailed information I'm interested in solving this problem.

[eradman]

I think the solution is to add one more input type, currently we have the following

        validators = {
            "text": lambda value: isinstance(value, str),
            "number": _is_number,
            "enum": lambda value: _is_value_within_options(value, enum_options, allow_multiple_values),
            "query": lambda value: _is_value_within_options(
                value,
                [v["value"] for v in dropdown_values(query_id, self.org)],
                allow_multiple_values,
            ),
            "date": _is_date,
            "datetime-local": _is_date,
            "datetime-with-seconds": _is_date,
            "date-range": _is_date_range,
            "datetime-range": _is_date_range,
            "datetime-range-with-seconds": _is_date_range,
        }

We could create a new type called text-pattern that validates input based on a regex. Only text is considered unsafe

    @property
    def is_safe(self):
        text_parameters = [param for param in self.schema if param["type"] == "text"]
        return not any(text_parameters)

[gaecoli]

Good idea. I try to implement it.

[eradman]

@ezraodio1 submitted a solution to this in #7025