korbit-ai[bot] commented on code in PR #34407:
URL: https://github.com/apache/superset/pull/34407#discussion_r2243472140


##########
superset/openapi/manager.py:
##########
@@ -0,0 +1,96 @@
+from apispec import APISpec
+from apispec.ext.marshmallow import MarshmallowPlugin
+from apispec.ext.marshmallow.common import resolve_schema_cls
+from flask import current_app, request
+from flask_appbuilder.api import BaseApi
+from flask_appbuilder.api import expose, protect, safe
+from flask_appbuilder.basemanager import BaseManager
+from flask_appbuilder.baseviews import BaseView
+from flask_appbuilder.security.decorators import has_access
+
+
+def resolver(schema):
+    schema_cls = resolve_schema_cls(schema)
+    name = schema_cls.__name__
+    if name == "MetaSchema":
+        if hasattr(schema_cls, "Meta"):
+            return (
+                
f"{schema_cls.Meta.parent_schema_name}.{schema_cls.Meta.model.__name__}"
+            )
+    if name.endswith("Schema"):
+        return name[:-6] or name
+    return name
+
+
+class SupersetOpenApi(BaseApi):
+    route_base = "/api"
+    allow_browser_login = True
+
+    @expose("/<version>/_openapi")
+    @protect()
+    @safe
+    def get(self, version):
+        """Endpoint that renders an OpenApi spec for all views that belong
+            to a certain version
+        ---
+        get:
+          description: >-
+            Get the OpenAPI spec for a specific API version
+          parameters:
+          - in: path
+            schema:
+              type: string
+            name: version
+          responses:
+            200:
+              description: The OpenAPI spec
+              content:
+                application/json:
+                  schema:
+                    type: object
+            404:
+              $ref: '#/components/responses/404'
+            500:
+              $ref: '#/components/responses/500'
+        """
+        version_found = False
+        api_spec = self._create_api_spec(version)
+        for base_api in current_app.appbuilder.baseviews:
+            if isinstance(base_api, BaseApi) and base_api.version == version:
+                base_api.add_api_spec(api_spec)
+                version_found = True
+        if version_found:
+            return self.response(200, **api_spec.to_dict())
+        else:
+            return self.response_404()
+
+    @staticmethod
+    def _create_api_spec(version):
+        servers = current_app.config.get(
+            "FAB_OPENAPI_SERVERS", [{"url": 
request.host_url.rstrip("/")+current_app.config.get("APPLICATION_ROOT","/")}]
+        )

Review Comment:
   ### Unsafe Use of Host Header in Server URL Construction <sub>![category 
Security](https://img.shields.io/badge/Security-e11d48)</sub>
   
   <details>
     <summary>Tell me more</summary>
   
   ###### What is the issue?
   Using request.host_url directly from user request headers to construct 
server URLs could enable host header injection attacks.
   
   
   ###### Why this matters
   Malicious clients could manipulate the Host header to generate OpenAPI 
specifications with unexpected server URLs, potentially leading to misdirection 
of API clients.
   
   ###### Suggested change ∙ *Feature Preview*
   Use a configured base URL instead of request.host_url:
   ```python
   servers = current_app.config.get(
       "FAB_OPENAPI_SERVERS",
       [{"url": current_app.config["SERVER_URL"] + 
current_app.config.get("APPLICATION_ROOT","/")}]
   )
   ```
   
   
   </details>
   


