Fix Copilot review: wrap user filter in parens to prevent OData or-precedence bypass, update test docstring

tpellissier · claude · tpellissier · commit ce5094dd8609 · 2026-02-23T11:51:43.000-08:00
- Wrap user-provided filter in parentheses when combining with IsPrivate guard
  to prevent `or` operator from bypassing the privacy check
- Update TestListTables class docstring to mention both filter and select params
- Update test assertions to match new parenthesized filter format

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/PowerPlatform/Dataverse/data/_odata.py b/src/PowerPlatform/Dataverse/data/_odata.py
@@ -1452,7 +1452,7 @@ def _list_tables(
         url = f"{self.api}/EntityDefinitions"
         base_filter = "IsPrivate eq false"
         if filter:
-            combined_filter = f"{base_filter} and {filter}"
+            combined_filter = f"{base_filter} and ({filter})"
         else:
             combined_filter = base_filter
         params: Dict[str, str] = {"$filter": combined_filter}
diff --git a/tests/unit/data/test_odata_internal.py b/tests/unit/data/test_odata_internal.py
@@ -126,7 +126,7 @@ def test_non_string_key_raises_type_error(self):
 
 
 class TestListTables(unittest.TestCase):
-    """Unit tests for _ODataClient._list_tables filter parameter."""
+    """Unit tests for _ODataClient._list_tables filter and select parameters."""
 
     def setUp(self):
         self.od = _make_odata_client()
@@ -157,7 +157,7 @@ def test_filter_combined_with_default(self):
         params = call_kwargs.kwargs.get("params") or call_kwargs[1].get("params", {})
         self.assertEqual(
             params["$filter"],
-            "IsPrivate eq false and SchemaName eq 'Account'",
+            "IsPrivate eq false and (SchemaName eq 'Account')",
         )
 
     def test_filter_none_same_as_no_filter(self):
@@ -229,7 +229,7 @@ def test_select_with_filter(self):
         params = call_kwargs.kwargs.get("params") or call_kwargs[1].get("params", {})
         self.assertEqual(
             params["$filter"],
-            "IsPrivate eq false and SchemaName eq 'Account'",
+            "IsPrivate eq false and (SchemaName eq 'Account')",
         )
         self.assertEqual(params["$select"], "LogicalName,SchemaName")
 
