atulajoshi24 commented on PR #22942: URL: https://github.com/apache/superset/pull/22942#issuecomment-1661752915
Hi @betodealmeida @dpgaspar @villebro @frafra. I think the fix provided here is not appropriate. There is already a CVE added for the SSRF issue in Apache Superset: https://nvd.nist.gov/vuln/detail/CVE-2023-25504. The fix provided here accepts any URL for import dataset as the value for DATASET_IMPORT_ALLOWED_DATA_URLS = [r".*"], making it vulnerable to SSRF attacks. Please throw some light on the above fix and whether this issue would be fixed in any future release.
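An added illustration of the point raised in the comment (this is not Superset's own code): it assumes that each candidate dataset URL is compared against the configured DATASET_IMPORT_ALLOWED_DATA_URLS patterns with a regular-expression match, and the tightened pattern and sample URLs below are constructed for the example.

```python
import re

# Assumption (not Superset code): the import path checks a data URL against
# each configured regex and accepts it if any pattern matches.

# The value the comment criticises: every URL, including internal hosts, passes.
PERMISSIVE = [r".*"]

# Hypothetical tightened allowlist: one public host, anchored on both ends,
# with the trailing slash so look-alike hostnames cannot sneak past.
RESTRICTIVE = [r"^https://data\.example\.com/.*$"]

# Constructed sample URLs: a legitimate export, two internal addresses an
# SSRF allowlist must reject, and a look-alike host that a prefix-only
# pattern (without the "/") would wrongly accept.
SAMPLES = [
    "https://data.example.com/exports/sales.csv",
    "http://127.0.0.1:8088/",
    "http://10.0.0.5/internal",
    "https://data.example.com.evil.test/exports/sales.csv",
]


def url_allowed(url: str, patterns: list[str]) -> bool:
    """True if the whole URL matches at least one allowlist pattern.

    fullmatch is used deliberately: re.match only anchors at the start,
    so an unanchored pattern would let arbitrary suffixes through.
    """
    return any(re.fullmatch(p, url) for p in patterns)


def evaluate(patterns: list[str]) -> dict[str, bool]:
    """Map each sample URL to its allow/deny decision under the given patterns."""
    return {u: url_allowed(u, patterns) for u in SAMPLES}


if __name__ == "__main__":
    for name, pats in (("PERMISSIVE", PERMISSIVE), ("RESTRICTIVE", RESTRICTIVE)):
        print(name)
        for url, ok in evaluate(pats).items():
            print(f"  {'allow' if ok else 'deny '}  {url}")
```

Under the permissive default every sample URL is allowed, which is why the comment treats that value as no mitigation at all; the anchored pattern admits only the intended public host.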
