Apache Superset Code Flaw: User Input to Python Typecast Opens Door to NaN Injection, Undefined Behavior

A static analysis scan has flagged a medium-severity vulnerability in Apache Superset's codebase, where unsanitized user input flows directly into Python's `bool()`, `float()`, or `complex()` typecast functions. This specific path allows a potential attacker to inject Python's special 'not-a-number' (NaN) value into the system. The core risk is undefined program behavior, which becomes particularly dangerous and unpredictable during comparison operations, potentially leading to logic errors, incorrect data processing, or application instability.

The vulnerability, classified under CWE-704 (Incorrect Type Conversion or Cast), was identified by the Semgrep SAST scanner in the `superset/utils/core.py` file. The flaw stems from a lack of input validation before the type conversion. An attacker could submit the string 'nan' (in various capitalizations) as input, which Python's float constructor interprets as the special floating-point NaN value. Once inside the system as a NaN, its non-intuitive behavior—such as the fact that `NaN == NaN` evaluates to False—can break fundamental application logic that relies on comparisons.

For the Apache Superset project, an open-source business intelligence and data visualization platform, such a flaw in a core utility module raises significant security and reliability concerns. Undefined behavior in data processing pipelines could corrupt dashboard metrics, skew analytical results, or cause unexpected application crashes. The recommended mitigation is straightforward: either implement a pre-cast guard to check for and reject all capitalization variants of 'nan', or route the user input through a more robust and sanitized conversion path. The presence of this issue highlights the ongoing challenge of securing data ingestion points in complex data applications.