fix(sql): detect set operations and nested selects in subquery check by sha174n · Pull Request #38452 · apache/superset

sha174n · 2026-03-05T20:26:58Z

SUMMARY

SQLStatement.has_subquery() is the gate validate_adhoc_subquery() uses to reject sub-queries in adhoc SQL and in chart extras filter clauses. It previously flagged an exp.Subquery, or a nested SELECT only when the top-level node was itself a SELECT. A top-level set operation (UNION/INTERSECT/EXCEPT) is neither, so it was not flagged, and a nested SELECT under a different top-level node (for example a parenthesised expression) was missed.

This makes has_subquery() also return True for top-level set operations (reusing the existing is_set_operation()) and for a nested SELECT under any top-level node, so adhoc SQL and extras filter clauses are checked consistently.

TESTING INSTRUCTIONS

pytest tests/unit_tests/sql/parse_tests.py -k has_subquery

New parser cases cover UNION/INTERSECT/EXCEPT and parenthesis-nested SELECTs. Existing cases (including quoted identifiers with spaces) continue to pass, so legitimate column expressions are not misclassified.

ADDITIONAL INFORMATION

🤖 Generated with Claude Code

codecov · 2026-03-05T20:42:28Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.30%. Comparing base (74845ea) to head (7463313).

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #38452      +/-   ##
==========================================
- Coverage   64.30%   64.30%   -0.01%     
==========================================
  Files        2657     2657              
  Lines      144060   144060              
  Branches    33216    33216              
==========================================
- Hits        92641    92636       -5     
- Misses      49797    49800       +3     
- Partials     1622     1624       +2

Flag	Coverage Δ
hive	`39.44% <0.00%> (ø)`
mysql	`58.19% <100.00%> (ø)`
postgres	`58.25% <100.00%> (-0.01%)`	⬇️
presto	`41.03% <0.00%> (ø)`
python	`59.73% <100.00%> (-0.01%)`	⬇️
sqlite	`57.87% <100.00%> (ø)`
unit	`100.00% <ø> (ø)`

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Copilot

Pull request overview

This PR aims to fix subquery detection in SQL parsing, specifically to ensure that subqueries within RLS filter clauses (raw SQL predicates) are correctly detected even when sqlglot's scope traversal returns empty results for non-SELECT root expressions. The changes refactor has_subquery() to use a recursive AST walk and add a new validate_rls_clause() helper, along with new regression tests.

Changes:

has_subquery() in SQLStatement is refactored to use exp.Expression.walk() instead of relying solely on exp.Subquery detection, with additional matching for exp.Union, exp.Except, exp.Intersect, exp.Update, exp.Delete, exp.Insert, and exp.Merge.
A new validate_rls_clause() function is added to superset/models/helpers.py, and module-level imports of superset.sql.parse symbols are replaced with local function-scoped imports.
New test cases are added for extract_tables_from_sql with raw SQL expressions (predicates containing subqueries).

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.

File	Description
`superset/sql/parse.py`	Refactors `has_subquery()` to use recursive walk for broader subquery detection
`superset/models/helpers.py`	Adds `validate_rls_clause()` (uncalled), restructures imports to be function-local
`tests/unit_tests/sql/parse_tests.py`	Adds `test_extract_tables_raw_expression` tests for raw SQL predicate table extraction

bito-code-review · 2026-03-13T23:56:22Z

Code Review Agent Run #62a291

Actionable Suggestions - 0

Review Details

Files reviewed - 11 · Commit Range: 431188d..4cb3e92
- superset/commands/security/create.py
- superset/commands/security/update.py
- superset/connectors/sqla/models.py
- superset/models/helpers.py
- superset/sql/parse.py
- tests/integration_tests/security/row_level_security_tests.py
- tests/unit_tests/commands/security/rls_validation_test.py
- tests/unit_tests/connectors/sqla/rls_processing_test.py
- tests/unit_tests/models/test_double_rls_virtual_dataset.py
- tests/unit_tests/security/guest_rls_test.py
- tests/unit_tests/sql/parse_tests.py
Files skipped - 0
Tools
- Whispers (Secret Scanner) - ✔︎ Successful
- Detect-secrets (Secret Scanner) - ✔︎ Successful
- MyPy (Static Code Analysis) - ✔︎ Successful
- Astral Ruff (Static Code Analysis) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

/review - Manually triggers a full AI review.
/pause - Pauses automatic reviews on this pull request.
/resume - Resumes automatic reviews.
/resolve - Marks all Bito-posted review comments as resolved.
/abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by

bito-code-review · 2026-03-14T18:40:26Z

Code Review Agent Run #8587b2

Actionable Suggestions - 0

Review Details

Files reviewed - 3 · Commit Range: 4cb3e92..7539c61
- superset/sql/parse.py
- tests/integration_tests/security/row_level_security_tests.py
- tests/unit_tests/sql/parse_tests.py
Files skipped - 0
Tools
- Whispers (Secret Scanner) - ✔︎ Successful
- Detect-secrets (Secret Scanner) - ✔︎ Successful
- MyPy (Static Code Analysis) - ✔︎ Successful
- Astral Ruff (Static Code Analysis) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

/review - Manually triggers a full AI review.
/pause - Pauses automatic reviews on this pull request.
/resume - Resumes automatic reviews.
/resolve - Marks all Bito-posted review comments as resolved.
/abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by

bito-code-review · 2026-03-15T18:50:29Z

Code Review Agent Run #dad4ef

Actionable Suggestions - 0

Review Details

Files reviewed - 13 · Commit Range: c1458f7..97edc97
- superset/commands/security/create.py
- superset/commands/security/update.py
- superset/connectors/sqla/models.py
- superset/models/helpers.py
- superset/sql/parse.py
- superset/sql_lab.py
- tests/integration_tests/security/row_level_security_tests.py
- tests/unit_tests/commands/security/rls_validation_test.py
- tests/unit_tests/connectors/sqla/rls_processing_test.py
- tests/unit_tests/models/test_double_rls_virtual_dataset.py
- tests/unit_tests/security/guest_rls_test.py
- tests/unit_tests/sql/parse_tests.py
- tests/unit_tests/sql_lab_test.py
Files skipped - 0
Tools
- Whispers (Secret Scanner) - ✔︎ Successful
- Detect-secrets (Secret Scanner) - ✔︎ Successful
- MyPy (Static Code Analysis) - ✔︎ Successful
- Astral Ruff (Static Code Analysis) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

/review - Manually triggers a full AI review.
/pause - Pauses automatic reviews on this pull request.
/resume - Resumes automatic reviews.
/resolve - Marks all Bito-posted review comments as resolved.
/abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by

bito-code-review · 2026-03-20T23:02:40Z

Code Review Agent Run #c3d774

Actionable Suggestions - 0

Review Details

Files reviewed - 4 · Commit Range: 97edc97..2092617
- superset/models/helpers.py
- superset/sql/parse.py
- superset/common/query_object.py
- tests/unit_tests/sql/parse_tests.py
Files skipped - 0
Tools
- Whispers (Secret Scanner) - ✔︎ Successful
- Detect-secrets (Secret Scanner) - ✔︎ Successful
- MyPy (Static Code Analysis) - ✔︎ Successful
- Astral Ruff (Static Code Analysis) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

/review - Manually triggers a full AI review.
/pause - Pauses automatic reviews on this pull request.
/resume - Resumes automatic reviews.
/resolve - Marks all Bito-posted review comments as resolved.
/abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by

dpgaspar

This is looking great.

Final comments:

MERGE not covered in DML table extraction - extract_tables_from_statement adds explicit handling for exp.Update, exp.Delete, and exp.Insert but not exp.Merge. A MERGE INTO protected_table USING ...
would have an empty table set and bypass the DML blocking check. The is_mutating() method correctly detects MERGE, but statement.tables would be empty so get_predicates_for_table would never be called
for it.
exp.Copy not in is_mutating command check - The PR adds MERGE, UPSERT, REPLACE, COPY, TRUNCATE to the exp.Command name check, but COPY can also parse as exp.Copy (a dedicated AST node), which isn't
in the mutating_nodes tuple.
test_rls_allows_mutation_on_unprotected_table is a false-positive test - It catches all non-SupersetSecurityException exceptions and passes, meaning it would pass even if the code crashes before
reaching the RLS check. This test doesn't actually verify the unprotected path works correctly.
_process_rls_clause could return empty parens - If _process_select_expression returns an empty string (which is falsy), the if not processed check would fall through to the template_processor path.
But if it returns None (as mocked in tests), the fallback works. Worth verifying the actual return values.

bito-code-review · 2026-03-25T13:32:52Z

Code Review Agent Run #a340c3

Actionable Suggestions - 0

Review Details

Files reviewed - 14 · Commit Range: 121df34..10bfd92
- superset/commands/security/create.py
- superset/commands/security/update.py
- superset/common/query_object.py
- superset/connectors/sqla/models.py
- superset/models/helpers.py
- superset/sql/parse.py
- superset/sql_lab.py
- tests/integration_tests/security/row_level_security_tests.py
- tests/unit_tests/commands/security/rls_validation_test.py
- tests/unit_tests/connectors/sqla/rls_processing_test.py
- tests/unit_tests/models/test_double_rls_virtual_dataset.py
- tests/unit_tests/security/guest_rls_test.py
- tests/unit_tests/sql/parse_tests.py
- tests/unit_tests/sql_lab_test.py
Files skipped - 0
Tools
- Whispers (Secret Scanner) - ✔︎ Successful
- Detect-secrets (Secret Scanner) - ✔︎ Successful
- MyPy (Static Code Analysis) - ✔︎ Successful
- Astral Ruff (Static Code Analysis) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

/review - Manually triggers a full AI review.
/pause - Pauses automatic reviews on this pull request.
/resume - Resumes automatic reviews.
/resolve - Marks all Bito-posted review comments as resolved.
/abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by

bito-code-review · 2026-03-25T17:06:58Z

Code Review Agent Run #6493e5

Actionable Suggestions - 0

Filtered by Review Rules

Bito filtered these suggestions based on rules created automatically for your feedback. Manage rules.

superset/models/helpers.py - 1
- Ineffective DoS Protection · Line 151-153

Review Details

Files reviewed - 14 · Commit Range: 2dbee66..2dbee66
- superset/commands/security/create.py
- superset/commands/security/update.py
- superset/common/query_object.py
- superset/connectors/sqla/models.py
- superset/models/helpers.py
- superset/sql/parse.py
- superset/sql_lab.py
- tests/integration_tests/security/row_level_security_tests.py
- tests/unit_tests/commands/security/rls_validation_test.py
- tests/unit_tests/connectors/sqla/rls_processing_test.py
- tests/unit_tests/models/test_double_rls_virtual_dataset.py
- tests/unit_tests/security/guest_rls_test.py
- tests/unit_tests/sql/parse_tests.py
- tests/unit_tests/sql_lab_test.py
Files skipped - 0
Tools
- Whispers (Secret Scanner) - ✔︎ Successful
- Detect-secrets (Secret Scanner) - ✔︎ Successful
- MyPy (Static Code Analysis) - ✔︎ Successful
- Astral Ruff (Static Code Analysis) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

/review - Manually triggers a full AI review.
/pause - Pauses automatic reviews on this pull request.
/resume - Resumes automatic reviews.
/resolve - Marks all Bito-posted review comments as resolved.
/abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by

bito-code-review · 2026-03-25T20:22:52Z

Code Review Agent Run #8c3b83

Actionable Suggestions - 0

Review Details

Files reviewed - 1 · Commit Range: 2dbee66..7dd96b0
- tests/unit_tests/commands/security/rls_validation_test.py
Files skipped - 0
Tools
- Whispers (Secret Scanner) - ✔︎ Successful
- Detect-secrets (Secret Scanner) - ✔︎ Successful
- MyPy (Static Code Analysis) - ✔︎ Successful
- Astral Ruff (Static Code Analysis) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

/review - Manually triggers a full AI review.
/pause - Pauses automatic reviews on this pull request.
/resume - Resumes automatic reviews.
/resolve - Marks all Bito-posted review comments as resolved.
/abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by

sha174n · 2026-03-25T20:28:20Z

This is looking great.

Final comments:

MERGE not covered in DML table extraction - extract_tables_from_statement adds explicit handling for exp.Update, exp.Delete, and exp.Insert but not exp.Merge. A MERGE INTO protected_table USING ...
would have an empty table set and bypass the DML blocking check. The is_mutating() method correctly detects MERGE, but statement.tables would be empty so get_predicates_for_table would never be called
for it.

exp.Copy not in is_mutating command check - The PR adds MERGE, UPSERT, REPLACE, COPY, TRUNCATE to the exp.Command name check, but COPY can also parse as exp.Copy (a dedicated AST node), which isn't
in the mutating_nodes tuple.

test_rls_allows_mutation_on_unprotected_table is a false-positive test - It catches all non-SupersetSecurityException exceptions and passes, meaning it would pass even if the code crashes before
reaching the RLS check. This test doesn't actually verify the unprotected path works correctly.

_process_rls_clause could return empty parens - If _process_select_expression returns an empty string (which is falsy), the if not processed check would fall through to the template_processor path.
But if it returns None (as mocked in tests), the fallback works. Worth verifying the actual return values.

Thanks for the detailed review!

extract_tables_from_statement handles exp.Merge explicitly at parse.py:1496 — the target table is added to sources alongside the traversed ones.
exp.Copy is in mutating_nodes at parse.py:712, so it's caught by the AST walk in addition to the command name check.
Valid catch — also strengthened test_validate_adhoc_subquery_preserves_jinja_on_non_predicate in the latest commit with return_value=True and assert_called_once().
Could you point to the specific location you have in mind for _process_rls_clause? We couldn't trace the pattern you described in validate_adhoc_subquery or the RLS utilities.

bito-code-review · 2026-04-12T21:14:20Z

Code Review Agent Run #0e6a49

Actionable Suggestions - 0

Additional Suggestions - 1

superset/connectors/sqla/models.py - 1
- Logic Condition Change · Line 798-798
  
  The change from 'if not processed:' to 'if processed is None:' narrows the condition for template processing fallback. Since _process_select_expression can return an empty string (e.g., for whitespace expressions), this may prevent necessary template processing in edge cases, potentially altering RLS clause behavior.
  Code suggestion
  @@ -798,1 +798,1 @@ - if processed is None: + if not processed:

Review Details

Files reviewed - 2 · Commit Range: 7dd96b0..c3285ce
- superset/connectors/sqla/models.py
- tests/unit_tests/sql/parse_tests.py
Files skipped - 0
Tools
- Whispers (Secret Scanner) - ✔︎ Successful
- Detect-secrets (Secret Scanner) - ✔︎ Successful
- MyPy (Static Code Analysis) - ✔︎ Successful
- Astral Ruff (Static Code Analysis) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

/review - Manually triggers a full AI review.
/pause - Pauses automatic reviews on this pull request.
/resume - Resumes automatic reviews.
/resolve - Marks all Bito-posted review comments as resolved.
/abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by

bito-code-review · 2026-04-14T22:06:17Z

Code Review Agent Run #016f42

Actionable Suggestions - 0

Review Details

Files reviewed - 1 · Commit Range: c3285ce..b1a36f4
- superset/connectors/sqla/models.py
Files skipped - 0
Tools
- Whispers (Secret Scanner) - ✔︎ Successful
- Detect-secrets (Secret Scanner) - ✔︎ Successful
- MyPy (Static Code Analysis) - ✔︎ Successful
- Astral Ruff (Static Code Analysis) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

/review - Manually triggers a full AI review.
/pause - Pauses automatic reviews on this pull request.
/resume - Resumes automatic reviews.
/resolve - Marks all Bito-posted review comments as resolved.
/abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by

bito-code-review · 2026-04-26T21:53:00Z

Code Review Agent Run #91ba4a

Actionable Suggestions - 0

Review Details

Files reviewed - 1 · Commit Range: b1a36f4..2de58f1
- superset/models/helpers.py
Files skipped - 0
Tools
- Whispers (Secret Scanner) - ✔︎ Successful
- Detect-secrets (Secret Scanner) - ✔︎ Successful
- MyPy (Static Code Analysis) - ✔︎ Successful
- Astral Ruff (Static Code Analysis) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

/review - Manually triggers a full AI review.
/pause - Pauses automatic reviews on this pull request.
/resume - Resumes automatic reviews.
/resolve - Marks all Bito-posted review comments as resolved.
/abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by

bito-code-review · 2026-05-03T21:27:50Z

Code Review Agent Run #fefba7

Actionable Suggestions - 0

Review Details

Files reviewed - 3 · Commit Range: 2de58f1..e29b36e
- superset/models/helpers.py
- tests/unit_tests/models/core_test.py
- tests/unit_tests/sql_lab_test.py
Files skipped - 0
Tools
- Whispers (Secret Scanner) - ✔︎ Successful
- Detect-secrets (Secret Scanner) - ✔︎ Successful
- MyPy (Static Code Analysis) - ✔︎ Successful
- Astral Ruff (Static Code Analysis) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

/review - Manually triggers a full AI review.
/pause - Pauses automatic reviews on this pull request.
/resume - Resumes automatic reviews.
/resolve - Marks all Bito-posted review comments as resolved.
/abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by

bito-code-review

Code Review Agent Run #406d33

Actionable Suggestions - 1

superset/connectors/sqla/models.py - 1
- Logic Error in Fallback Condition · Line 821-824

Additional Suggestions - 1

superset/sql/parse.py - 1
- CWE-710: Improper Coding Standards · Line 950-950
  
  Adding # pragma: no cover to this security-critical line masks a potential testing gap in subquery detection logic used for preventing RLS bypass in untrusted adhoc SQL. This path should be covered by tests to verify correct behavior. ([CWE-710](https://cwe.mitre.org/data/definitions/710.html))
  Code suggestion
  --- superset/sql/parse.py @@ -949,1 +949,1 @@ - return True # pragma: no cover + return True

Review Details

Files reviewed - 3 · Commit Range: e29b36e..6fb7ee4
- superset/sql/parse.py
- tests/unit_tests/sql/parse_tests.py
- superset/connectors/sqla/models.py
Files skipped - 0
Tools
- Whispers (Secret Scanner) - ✔︎ Successful
- Detect-secrets (Secret Scanner) - ✔︎ Successful
- MyPy (Static Code Analysis) - ✔︎ Successful
- Astral Ruff (Static Code Analysis) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

/review - Manually triggers a full AI review.
/pause - Pauses automatic reviews on this pull request.
/resume - Resumes automatic reviews.
/resolve - Marks all Bito-posted review comments as resolved.
/abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by

bito-code-review · 2026-05-23T12:17:39Z

Code Review Agent Run #67f806

Actionable Suggestions - 0

Review Details

Files reviewed - 2 · Commit Range: 6fb7ee4..780bec7
- superset/connectors/sqla/models.py
- tests/unit_tests/models/test_double_rls_virtual_dataset.py
Files skipped - 0
Tools
- Whispers (Secret Scanner) - ✔︎ Successful
- Detect-secrets (Secret Scanner) - ✔︎ Successful
- MyPy (Static Code Analysis) - ✔︎ Successful
- Astral Ruff (Static Code Analysis) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

/review - Manually triggers a full AI review.
/pause - Pauses automatic reviews on this pull request.
/resume - Resumes automatic reviews.
/resolve - Marks all Bito-posted review comments as resolved.
/abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by

bito-code-review · 2026-05-24T16:07:10Z

Code Review Agent Run #2b21d4

Actionable Suggestions - 0

Review Details

Files reviewed - 1 · Commit Range: 780bec7..7cf3f5e
- tests/unit_tests/sql_lab_test.py
Files skipped - 0
Tools
- Whispers (Secret Scanner) - ✔︎ Successful
- Detect-secrets (Secret Scanner) - ✔︎ Successful
- MyPy (Static Code Analysis) - ✔︎ Successful
- Astral Ruff (Static Code Analysis) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

/review - Manually triggers a full AI review.
/pause - Pauses automatic reviews on this pull request.
/resume - Resumes automatic reviews.
/resolve - Marks all Bito-posted review comments as resolved.
/abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by

rusackas

The predicate-validation core looks solid — name='x', 1=1, IN, casts, function calls, OR, SIMILAR TO, and Jinja clauses all pass unchanged, and set-ops/multi-statement/subquery-without-flag are correctly blocked. Two intended-but-impactful behavior changes worth confirming don't regress prod: (1) get_from_clause now fails closed (raises) when RLS can't be applied to a virtual dataset's SQL, instead of best-effort log-and-continue — a virtual dataset with dialect-specific SQL sqlglot can't round-trip will now hard-fail; (2) DML on RLS-protected tables is blocked under RLS_IN_SQLLAB. Both are the right direction — just verify no legitimate virtual datasets regress.

has_subquery() flagged exp.Subquery and nested SELECTs only when the top-level node was itself a SELECT, so a top-level set operation (UNION/INTERSECT/EXCEPT) matched neither branch. It now also flags top-level set operations (reusing the existing is_set_operation()) and nested SELECTs under any top-level node, such as a parenthesised expression. This keeps validate_adhoc_subquery() consistent for adhoc SQL and chart extras filter clauses. Adds parser cases for UNION/INTERSECT/EXCEPT and parenthesis-nested SELECTs. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

bito-code-review · 2026-06-12T01:03:49Z

Code Review Agent Run #2f8ed2

Actionable Suggestions - 0

Review Details

Files reviewed - 2 · Commit Range: 9d4b656..7463313
- superset/sql/parse.py
- tests/unit_tests/sql/parse_tests.py
Files skipped - 0
Tools
- Whispers (Secret Scanner) - ✔︎ Successful
- Detect-secrets (Secret Scanner) - ✔︎ Successful
- MyPy (Static Code Analysis) - ✔︎ Successful
- Astral Ruff (Static Code Analysis) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

/review - Manually triggers a full AI review.
/pause - Pauses automatic reviews on this pull request.
/resume - Resumes automatic reviews.
/resolve - Marks all Bito-posted review comments as resolved.
/abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by

pull-request-size Bot added the size/L label Mar 5, 2026

sha174n force-pushed the fix/robust-rls-fix branch from 2f27633 to 9c335ba Compare March 5, 2026 20:37

sha174n force-pushed the fix/robust-rls-fix branch from 9c335ba to 37472a1 Compare March 5, 2026 21:00

pull-request-size Bot added size/XL and removed size/L labels Mar 5, 2026

sha174n force-pushed the fix/robust-rls-fix branch from 319fae3 to 4d1c717 Compare March 5, 2026 21:18

pull-request-size Bot added size/M and removed size/XL labels Mar 5, 2026

sha174n force-pushed the fix/robust-rls-fix branch from 4d1c717 to 8dce70d Compare March 5, 2026 21:27

eschutho requested review from betodealmeida and Copilot March 5, 2026 21:37

Copilot started reviewing on behalf of eschutho March 5, 2026 21:38 View session

Copilot AI reviewed Mar 5, 2026

View reviewed changes

sha174n force-pushed the fix/robust-rls-fix branch from 8dce70d to 319fae3 Compare March 5, 2026 22:01

pull-request-size Bot added size/XL and removed size/M labels Mar 5, 2026

sha174n force-pushed the fix/robust-rls-fix branch from 319fae3 to fb3b628 Compare March 5, 2026 22:10

pull-request-size Bot added size/M and removed size/XL labels Mar 5, 2026

sha174n force-pushed the fix/robust-rls-fix branch 2 times, most recently from 330819e to 4222d37 Compare March 5, 2026 22:31

pull-request-size Bot added size/L and removed size/M labels Mar 5, 2026

sha174n force-pushed the fix/robust-rls-fix branch 5 times, most recently from 64b4ea7 to 728ee29 Compare March 5, 2026 23:12

pull-request-size Bot removed the size/L label Mar 5, 2026

codeant-ai-for-open-source Bot added size:XL This PR changes 500-999 lines, ignoring generated files and removed size:L This PR changes 100-499 lines, ignoring generated files size:XL This PR changes 500-999 lines, ignoring generated files labels Mar 14, 2026

codeant-ai-for-open-source Bot reviewed Mar 14, 2026

View reviewed changes

Comment thread superset/sql/parse.py Outdated

Comment thread tests/integration_tests/security/row_level_security_tests.py Outdated

pull-request-size Bot removed the size/XL label Mar 15, 2026

codeant-ai-for-open-source Bot reviewed Mar 15, 2026

View reviewed changes

Comment thread superset/sql/parse.py Outdated

Comment thread superset/sql/parse.py Outdated

Comment thread tests/unit_tests/sql_lab_test.py Outdated

codeant-ai-for-open-source Bot reviewed Mar 20, 2026

View reviewed changes

Comment thread superset/sql/parse.py Outdated

Comment thread superset/sql/parse.py Outdated

codeant-ai-for-open-source Bot reviewed Mar 23, 2026

View reviewed changes

Comment thread superset/sql/parse.py Outdated

Comment thread superset/sql/parse.py Outdated

dpgaspar reviewed Mar 24, 2026

View reviewed changes

codeant-ai-for-open-source Bot reviewed Mar 25, 2026

View reviewed changes

Comment thread tests/unit_tests/commands/security/rls_validation_test.py Outdated

bito-code-review Bot reviewed May 6, 2026

View reviewed changes

Comment thread superset/connectors/sqla/models.py Outdated

rusackas reviewed Jun 3, 2026

View reviewed changes

sha174n and others added 2 commits June 11, 2026 22:57

refactor: use find_all idiom for nested select detection

7463313

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Conversation

sha174n commented Mar 5, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

SUMMARY

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

Uh oh!

codecov Bot commented Mar 5, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

bito-code-review Bot commented Mar 13, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Code Review Agent Run #62a291

Uh oh!

Uh oh!

Uh oh!

bito-code-review Bot commented Mar 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Code Review Agent Run #8587b2

Uh oh!

Uh oh!

Uh oh!

Uh oh!

bito-code-review Bot commented Mar 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Code Review Agent Run #dad4ef

Uh oh!

Uh oh!

Uh oh!

bito-code-review Bot commented Mar 20, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Code Review Agent Run #c3d774

Uh oh!

Uh oh!

Uh oh!

dpgaspar left a comment

Choose a reason for hiding this comment

Uh oh!

bito-code-review Bot commented Mar 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Code Review Agent Run #a340c3

Uh oh!

bito-code-review Bot commented Mar 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Code Review Agent Run #6493e5

Uh oh!

Uh oh!

bito-code-review Bot commented Mar 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Code Review Agent Run #8c3b83

Uh oh!

sha174n commented Mar 25, 2026

Uh oh!

bito-code-review Bot commented Apr 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Code Review Agent Run #0e6a49

Uh oh!

bito-code-review Bot commented Apr 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Code Review Agent Run #016f42

Uh oh!

bito-code-review Bot commented Apr 26, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Code Review Agent Run #91ba4a

Uh oh!

bito-code-review Bot commented May 3, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Code Review Agent Run #fefba7

sha174n commented Mar 5, 2026 •

edited

Loading

codecov Bot commented Mar 5, 2026 •

edited

Loading

bito-code-review Bot commented Mar 13, 2026 •

edited

Loading

bito-code-review Bot commented Mar 14, 2026 •

edited

Loading

bito-code-review Bot commented Mar 15, 2026 •

edited

Loading

bito-code-review Bot commented Mar 20, 2026 •

edited

Loading

bito-code-review Bot commented Mar 25, 2026 •

edited

Loading

bito-code-review Bot commented Mar 25, 2026 •

edited

Loading

bito-code-review Bot commented Mar 25, 2026 •

edited

Loading

bito-code-review Bot commented Apr 12, 2026 •

edited

Loading

bito-code-review Bot commented Apr 14, 2026 •

edited

Loading

bito-code-review Bot commented Apr 26, 2026 •

edited

Loading

bito-code-review Bot commented May 3, 2026 •

edited

Loading

bito-code-review Bot left a comment •

edited

Loading

bito-code-review Bot commented May 23, 2026 •

edited

Loading

bito-code-review Bot commented May 24, 2026 •

edited

Loading

bito-code-review Bot commented Jun 12, 2026 •

edited

Loading