sha174n opened a new issue, #38908: URL: https://github.com/apache/superset/issues/38908
## Summary

`SqlExecutionResultsCommand.validate()` does not call `raise_for_access()` before returning SQL Lab query results, making it inconsistent with its sibling commands `SqlResultExportCommand` and `SqlStreamingExportCommand`, which both perform this check.

## Details

- **File:** `superset/commands/sql_lab/results.py`
- **Class:** `SqlExecutionResultsCommand`
- **Missing call:** `raise_for_access()` in `validate()`
- **CWE:** CWE-862 (Missing Authorization)
- **Sibling commands with check:** `SqlResultExportCommand`, `SqlStreamingExportCommand`

## Exploitability / Threat Model

Practical exploitability is **very limited**:

- Results are keyed by a UUID4 `results_key` (122 bits of entropy) — not enumerable by brute force.
- An attacker would need to obtain a valid `results_key` through another means (e.g., log access, XSS, insider) before this path could be reached.
- This is a **theoretical** authorization gap, not a directly exploitable vulnerability under a normal threat model.

## Classification

- **Severity:** Low (hardening)
- **CVE:** Not warranted — no CVE will be requested
- **MITRE:** CWE-862 (Missing Authorization) — defense-in-depth inconsistency

## Proposed Fix

Add `raise_for_access()` in `SqlExecutionResultsCommand.validate()` consistent with `SqlResultExportCommand` and `SqlStreamingExportCommand`.

## Reporter Credit

Reported by Dave Mound (Shinobi Security) via the Apache Superset PSIRT. Disclosed to [email protected] on 2026-03-04.
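As an added illustration of the pattern the issue describes (not Superset's code: `Query`, `SecurityManager`, `ResultsCommand` and `build_fixture` are constructed stand-ins), the model below shows why possession of an unguessable `results_key` is not a substitute for an explicit `raise_for_access()` call in `validate()`: with the check disabled, a user with no access to the underlying database still receives the rows once they hold the key; with the check enabled, the same request is denied.

```python
import uuid
from dataclasses import dataclass, field


class SupersetSecurityException(Exception):
    """Stand-in for the exception Superset raises when access is denied."""


@dataclass
class Query:
    """Constructed stand-in for a stored SQL Lab query and its result rows."""
    database_id: int
    rows: list = field(default_factory=list)
    results_key: str = field(default_factory=lambda: str(uuid.uuid4()))


class SecurityManager:
    """Constructed stand-in: maps user_id -> set of database ids the user may read."""
    def __init__(self, db_access: dict[int, set[int]]):
        self._db_access = db_access

    def raise_for_access(self, query: Query, user_id: int) -> None:
        if query.database_id not in self._db_access.get(user_id, set()):
            raise SupersetSecurityException("user may not read this database")


class ResultsCommand:
    """Models a results command that looks up stored rows by results_key."""
    def __init__(self, store, sm, results_key, user_id, check_access):
        self._store, self._sm, self._results_key = store, sm, results_key
        self._user_id, self._check_access = user_id, check_access

    def validate(self) -> None:
        query = self._store.get(self._results_key)
        if query is None:
            raise KeyError("unknown results_key")
        if self._check_access:  # the call the issue proposes adding to validate()
            self._sm.raise_for_access(query, self._user_id)
        self._query = query  # without the check, knowing the key is enough

    def run(self) -> list:
        self.validate()
        return self._query.rows


def build_fixture():
    """Constructed: one query on database 7; user 1 may read it, user 2 may not."""
    q = Query(database_id=7, rows=[(1, "alice")])
    return {q.results_key: q}, SecurityManager({1: {7}, 2: set()}), q.results_key
```

The `check_access` flag only exists to show both behaviours side by side; a real command would always perform the check.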
