sha174n opened a new pull request, #38777: URL: https://github.com/apache/superset/pull/38777
### SUMMARY Strengthens the security documentation for `ENABLE_TEMPLATE_PROCESSING` and `url_param()` in response to SSTI reports (SUPERSETSEC-88, SUPERSETSEC-90). The existing warning correctly stated that template injection is "intended functionality" for trusted users, but understated the blast radius. This PR makes the risk explicit: - Clarifies that the threat is **RCE**, not just data exposure - Explains that the Jinja sandbox is **not enabled** by default (standard Python class traversal is available to template authors) - Documents the `url_param()` injection risk: values are injected without escaping, so URL-controlled input can break out of SQL string literals - Adds a concrete safe-usage pattern for `url_param()` (allowlist approach) - Adds a tip reinforcing that the flag defaults to `False` and should only be enabled for fully trusted users No code changes. Assessment: `ENABLE_TEMPLATE_PROCESSING=True` is working as designed; the documentation needed to match the actual risk level. ### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF N/A — documentation only. ### TESTING INSTRUCTIONS 1. Build the docs site and navigate to the SQL Templating page 2. Verify the Security Warning block now includes the RCE mention, url_param() injection warning, and the allowlist example 3. Verify the `url_param()` section has the new inline warning with the safe-usage pattern ### ADDITIONAL INFORMATION - [ ] Has associated issue: - [ ] Required feature flags: - [ ] Changes UI - [ ] Includes DB Migration - [ ] Introduces new feature or API - [ ] Removes existing feature or API -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
