korbit-ai[bot] commented on code in PR #34407: URL: https://github.com/apache/superset/pull/34407#discussion_r2243472140
########## superset/openapi/manager.py: ########## 
@@ -0,0 +1,96 @@
+from apispec import APISpec
+from apispec.ext.marshmallow import MarshmallowPlugin
+from apispec.ext.marshmallow.common import resolve_schema_cls
+from flask import current_app, request
+from flask_appbuilder.api import BaseApi
+from flask_appbuilder.api import expose, protect, safe
+from flask_appbuilder.basemanager import BaseManager
+from flask_appbuilder.baseviews import BaseView
+from flask_appbuilder.security.decorators import has_access
+
+
+def resolver(schema):
+ schema_cls = resolve_schema_cls(schema)
+ name = schema_cls.__name__
+ if name == "MetaSchema":
+ if hasattr(schema_cls, "Meta"):
+ return (
+ f"{schema_cls.Meta.parent_schema_name}.{schema_cls.Meta.model.__name__}"
+ )
+ if name.endswith("Schema"):
+ return name[:-6] or name
+ return name
+
+
+class SupersetOpenApi(BaseApi):
+ route_base = "/api"
+ allow_browser_login = True
+
+ @expose("/<version>/_openapi")
+ @protect()
+ @safe
+ def get(self, version):
+ """Endpoint that renders an OpenApi spec for all views that belong
+ to a certain version
+ ---
+ get:
+ description: >-
+ Get the OpenAPI spec for a specific API version
+ parameters:
+ - in: path
+ schema:
+ type: string
+ name: version
+ responses:
+ 200:
+ description: The OpenAPI spec
+ content:
+ application/json:
+ schema:
+ type: object
+ 404:
+ $ref: '#/components/responses/404'
+ 500:
+ $ref: '#/components/responses/500'
+ """
+ version_found = False
+ api_spec = self._create_api_spec(version)
+ for base_api in current_app.appbuilder.baseviews:
+ if isinstance(base_api, BaseApi) and base_api.version == version:
+ base_api.add_api_spec(api_spec)
+ version_found = True
+ if version_found:
+ return self.response(200, **api_spec.to_dict())
+ else:
+ return self.response_404()
+
+ @staticmethod
+ def _create_api_spec(version):
+ servers = current_app.config.get(
+ "FAB_OPENAPI_SERVERS", [{"url": request.host_url.rstrip("/")+current_app.config.get("APPLICATION_ROOT","/")}]
+ )
Review Comment: ### Unsafe Use of Host Header
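Review bot: `resolver` reads `schema_cls.Meta.parent_schema_name` and `schema_cls.Meta.model.__name__` after checking only that `Meta` exists, so a `MetaSchema` whose `Meta` lacks either attribute raises `AttributeError` from inside spec generation, and under `@safe` that surfaces as a 500 for the whole `/api/<version>/_openapi` response with nothing naming the offending schema. A `MetaSchema` with no `Meta` at all falls through to the `endswith("Schema")` branch and resolves to the bare component name `"Meta"`, which presumably collides with any other such schema registered for the same version. I would read the two attributes explicitly and raise a `ValueError` that names the schema class when one is missing, and give the function a docstring such as `"""Map a marshmallow schema class or instance to its OpenAPI component name: a MetaSchema is named '<Meta.parent_schema_name>.<Meta.model name>', other *Schema classes drop the suffix."""`. `_create_api_spec` continues past the end of the quoted hunk, so its remaining body is not reviewed here.

```python
def resolver(schema):
    """Map a marshmallow schema class or instance to its OpenAPI component name."""
    schema_cls = resolve_schema_cls(schema)
    name = schema_cls.__name__
    meta = getattr(schema_cls, "Meta", None)
    if name == "MetaSchema" and meta is not None:
        parent = getattr(meta, "parent_schema_name", None)
        model = getattr(meta, "model", None)
        if parent is None or model is None:
            raise ValueError(
                f"{schema_cls!r} must define Meta.parent_schema_name and Meta.model"
            )
        return f"{parent}.{model.__name__}"
    # … unchanged: suffix stripping for other *Schema classes …
```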
in Server URL Construction <sub></sub> <details> <summary>Tell me more</summary> ###### What is the issue? Using request.host_url directly from user request headers to construct server URLs could enable host header injection attacks. ###### Why this matters Malicious clients could manipulate the Host header to generate OpenAPI specifications with unexpected server URLs, potentially leading to misdirection of API clients. ###### Suggested change ∙ *Feature Preview* Use a configured base URL instead of request.host_url: ```python servers = current_app.config.get( "FAB_OPENAPI_SERVERS", [{"url": current_app.config["SERVER_URL"] + current_app.config.get("APPLICATION_ROOT","/")}] ) ``` </details>