codeant-ai-for-open-source[bot] commented on code in PR #36987:
URL: https://github.com/apache/superset/pull/36987#discussion_r2722387814
##########
superset/reports/api.py:
##########
@@ -460,6 +465,38 @@ def put(self, pk: int) -> Response:
)
return self.response_422(message=str(ex))
+ @expose("/<int:pk>/run_now", methods=("POST",))
+ @permission_name("post")
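Review bot: The decorator stack on the new `run_now` route shows `@expose("/<int:pk>/run_now", methods=("POST",))` followed directly by `@permission_name("post")` with no `@protect()` between them, so the permission name is only registered for the view, not enforced on each request. Add `@protect()` directly under the `@expose` line, matching the other mutating endpoints in this class that the existing review cites (delete/post/put), so an anonymous caller is rejected before the function body runs.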
Review Comment:
**Suggestion:** Missing authentication protection: the new `run_now`
endpoint has `@permission_name("post")` and `@safe` but is missing the
`@protect()` decorator that enforces authentication/authorization at runtime.
Without `@protect()` this endpoint may be callable by unauthenticated users
even though a permission name is set. [security]
<details>
<summary><b>Severity Level:</b> Critical 🚨</summary>
```mdx
- ❌ Unauthenticated users can trigger report executions.
- ⚠️ Increased resource usage from unauthorized executions.
- ⚠️ Potential information-leak via report outputs.
- ⚠️ Runs /api/v1/report/<pk>/run_now endpoint unprotected.
```
</details>
```suggestion
@protect()
```
<details>
<summary><b>Steps of Reproduction ✅ </b></summary>
```mdx
1. Open the API implementation at superset/reports/api.py and locate the run_now endpoint declared at the hunk starting line 468 (decorator at 468) and the function definition at line 471 (`def run_now(self, pk) -> Response:`). Observe there is no @protect() decorator wrapping this method.
2. Start Superset (with this PR applied) and send an unauthenticated HTTP POST to the route mapped by this class: POST /api/v1/report/1/run_now. This request is routed to ReportScheduleRestApi.run_now in superset/reports/api.py (function defined at hunk line 471).
3. Because @protect() is not present, the request will reach the function body (lines ~490-496 in the same hunk) and execute AsyncExecuteReportScheduleCommand(execution_id, pk, scheduled_dttm).run(), triggering report execution logic without authentication.
4. Expected behavior (with @protect) is to require authentication/authorization; current code allows the action to proceed unauthenticated. If this is intentional, document it; otherwise add @protect() as in other endpoints (e.g., delete/post/put use @protect()).
```
</details>
<details>
<summary><b>Prompt for AI Agent 🤖 </b></summary>
```mdx
This is a comment left during a code review.
**Path:** superset/reports/api.py
**Line:** 469:469
**Comment:**
*Security: Missing authentication protection: the new `run_now`
endpoint has `@permission_name("post")` and `@safe` but is missing the
`@protect()` decorator that enforces authentication/authorization at runtime.
Without `@protect()` this endpoint may be callable by unauthenticated users
even though a permission name is set.
Validate the correctness of the flagged issue. If correct, how can I resolve this? If you propose a fix, implement it and please make it concise.
```
</details>
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
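The distinction the review draws, that a permission name on a view method is registration metadata while `@protect()` is the runtime check, is easy to lose in a decorator stack. The following is an added illustration written for this thread, not code from Superset or Flask-AppBuilder: it models the two decorators in simplified form (the class `ReportScheduleApi`, the `User` records, the permission string format and the `call` dispatcher are all constructed here) and shows that the unprotected shape lets an anonymous caller reach the function body, while the protected shape returns 401 for anonymous callers and 403 for authenticated callers who lack the permission.

```python
# Added illustration for this review thread, not code from Superset or
# Flask-AppBuilder. Simplified model of why a permission *name* on a view
# method enforces nothing at call time, and what a protect-style wrapper
# must do so an anonymous caller never reaches the function body.
import functools
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    permissions: set[str] = field(default_factory=set)


# Constructed callers: an anonymous request, a logged-in user without the
# permission, and a user who holds "can_post on ReportSchedule".
ANONYMOUS = User("anonymous")
VIEWER = User("viewer", {"can_read on ReportSchedule"})
OPERATOR = User("operator", {"can_post on ReportSchedule"})


class Unauthenticated(Exception):
    """Raised for anonymous callers (maps to HTTP 401)."""


class Forbidden(Exception):
    """Raised for authenticated callers lacking the permission (HTTP 403)."""


def permission_name(name: str):
    """Records metadata only: which permission string the method maps to.
    Nothing is checked when the decorated method is invoked."""
    def decorator(func):
        func._permission_name = name
        return func
    return decorator


def protect():
    """Runtime enforcement. On every call the current user must be
    authenticated and hold 'can_<permission_name> on <class_permission_name>'."""
    def decorator(func):
        @functools.wraps(func)
        def wrapper(self, *args, **kwargs):
            user = self.current_user
            if user is ANONYMOUS:
                raise Unauthenticated(func.__name__)
            perm = getattr(func, "_permission_name", func.__name__)
            needed = f"can_{perm} on {self.class_permission_name}"
            if needed not in user.permissions:
                raise Forbidden(needed)
            return func(self, *args, **kwargs)
        return wrapper
    return decorator


class ReportScheduleApi:
    """Stand-in for a FAB-style REST class (assumed name, not Superset's)."""
    class_permission_name = "ReportSchedule"

    def __init__(self, current_user: User):
        self.current_user = current_user

    # The shape flagged in review: a permission name but no runtime check.
    @permission_name("post")
    def run_now_unprotected(self, pk: int) -> str:
        return f"execution started for report {pk}"

    # The corrected shape: protect() sits above permission_name, so the
    # check runs before the body does.
    @protect()
    @permission_name("post")
    def run_now(self, pk: int) -> str:
        return f"execution started for report {pk}"


def call(endpoint: str, user: User, pk: int = 1) -> int:
    """Dispatch like a tiny HTTP layer and translate outcomes to status codes."""
    api = ReportScheduleApi(user)
    try:
        getattr(api, endpoint)(pk)
        return 200
    except Unauthenticated:
        return 401
    except Forbidden:
        return 403


if __name__ == "__main__":
    for ep in ("run_now_unprotected", "run_now"):
        for u in (ANONYMOUS, VIEWER, OPERATOR):
            print(f"{ep:22s} {u.name:9s} -> {call(ep, u)}")
```

Running it prints 200 for every caller on `run_now_unprotected`, and 401 / 403 / 200 for anonymous / viewer / operator on `run_now`. The ordering matters in the same way the real decorator stack does: the enforcing wrapper has to be outermost (or at least outside the body), otherwise the body executes before any check is reached.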