You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@superset.apache.org by "drsm79 (via GitHub)" <gi...@apache.org> on 2023/04/26 21:50:53 UTC
[GitHub] [superset] drsm79 opened a new pull request, #23834: fix(config): Be less permissive of secret keys
drsm79 opened a new pull request, #23834:
URL: https://github.com/apache/superset/pull/23834
<!---
Please write the PR title following the conventions at https://www.conventionalcommits.org/en/v1.0.0/
Example:
fix(dashboard): load charts correctly
-->
### SUMMARY
<!--- Describe the change below, including rationale and design decisions -->
https://www.bleepingcomputer.com/news/security/thousands-of-apache-superset-servers-exposed-to-rce-attacks/ lists a number of common SECRET_KEYS from documentation. The current check only looks for one of these.
### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
<!--- Skip this if not applicable -->
### TESTING INSTRUCTIONS
<!--- Required! What steps can be taken to manually verify the changes? -->
### ADDITIONAL INFORMATION
<!--- Check any relevant boxes with "x" -->
<!--- HINT: Include "Fixes #nnn" if you are fixing an existing issue -->
- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration (follow approval process in [SIP-59](https://github.com/apache/superset/issues/13351))
- [ ] Migration is atomic, supports rollback & is backwards-compatible
- [ ] Confirm DB migration upgrade and downgrade tested
- [ ] Runtime estimates and downtime expectations provided
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
Re: [PR] fix(config): Be less permissive of secret keys [superset]
Posted by "dpgaspar (via GitHub)" <gi...@apache.org>.
dpgaspar commented on PR #23834:
URL: https://github.com/apache/superset/pull/23834#issuecomment-1960953861
Closing this one, feel free to reopen if you want to follow a different approach
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [superset] drsm79 commented on a diff in pull request #23834: fix(config): Be less permissive of secret keys
Posted by "drsm79 (via GitHub)" <gi...@apache.org>.
drsm79 commented on code in PR #23834:
URL: https://github.com/apache/superset/pull/23834#discussion_r1183841676
##########
superset/initialization/__init__.py:
##########
@@ -476,13 +476,13 @@ def log_default_secret_key_warning() -> None:
)
logger.warning(bottom_banner)
- if self.config["SECRET_KEY"] == CHANGE_ME_SECRET_KEY:
+ if "secret" in self.config["SECRET_KEY"].lower():
Review Comment:
no, it's checking if secret appears anywhere in the string:
```
>>> k1 = 'secretthings'
>>> k2 = 'top_secret'
>>> k3 = 'a_very_SECRET_thing'
>>> for i in k1, k2, k3:
... 'secret' in i.lower()
...
True
True
True
```
the four "compromised" creds all contain that word.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [superset] drsm79 commented on a diff in pull request #23834: fix(config): Be less permissive of secret keys
Posted by "drsm79 (via GitHub)" <gi...@apache.org>.
drsm79 commented on code in PR #23834:
URL: https://github.com/apache/superset/pull/23834#discussion_r1183841676
##########
superset/initialization/__init__.py:
##########
@@ -476,13 +476,13 @@ def log_default_secret_key_warning() -> None:
)
logger.warning(bottom_banner)
- if self.config["SECRET_KEY"] == CHANGE_ME_SECRET_KEY:
+ if "secret" in self.config["SECRET_KEY"].lower():
Review Comment:
no, it's checking if secret appears anywhere in the string:
```
>>> k1 = 'secretthings'
>>> k2 = 'top_secret'
>>> k3 = 'a_very_SECRET_thing'
>>> for i in k1, k2, k3:
... 'secret' in i.lower()
...
True
True
True
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [superset] dpgaspar commented on a diff in pull request #23834: fix(config): Be less permissive of secret keys
Posted by "dpgaspar (via GitHub)" <gi...@apache.org>.
dpgaspar commented on code in PR #23834:
URL: https://github.com/apache/superset/pull/23834#discussion_r1183702471
##########
superset/initialization/__init__.py:
##########
@@ -476,13 +476,13 @@ def log_default_secret_key_warning() -> None:
)
logger.warning(bottom_banner)
- if self.config["SECRET_KEY"] == CHANGE_ME_SECRET_KEY:
+ if "secret" in self.config["SECRET_KEY"].lower():
Review Comment:
this is just checking for a SECRET_KET set to "secret"
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
Re: [PR] fix(config): Be less permissive of secret keys [superset]
Posted by "dpgaspar (via GitHub)" <gi...@apache.org>.
dpgaspar closed pull request #23834: fix(config): Be less permissive of secret keys
URL: https://github.com/apache/superset/pull/23834
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org