codeant-ai-for-open-source[bot] commented on code in PR #38847:
URL: https://github.com/apache/superset/pull/38847#discussion_r3016222469
##########
superset/reports/schemas.py:
##########
@@ -305,6 +305,20 @@ def validate_report_references( # pylint:
disable=unused-argument
)
+class ReportScheduleSubscribeSchema(ReportSchedulePostSchema):
+ """Schema for creating a chart/dashboard subscription.
+
+ ``recipients`` and ``creation_method`` are excluded — both are set
+ server-side: recipients are locked to the authenticated user's email,
+ and creation_method is derived from the presence of ``chart`` or
+ ``dashboard`` in the payload.
+ """
+
+ class Meta:
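Review bot: nothing in this hunk narrows the inherited `type` field, so `ReportScheduleSubscribeSchema` accepts whatever `ReportSchedulePostSchema.type` accepts; override `type` in the subclass with `validate.OneOf(choices=(ReportScheduleType.REPORT.value,))` and add a sentence to the docstring, beside the `recipients` / `creation_method` note, stating that only report subscriptions are accepted. The `class Meta:` body is cut off at the end of the hunk, so the exclusion mechanism the docstring describes cannot be checked from these lines.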
Review Comment:
**Suggestion:** The subscribe schema still accepts all report types from the
generic post schema, so a caller can submit `type="Alert"` and create alert
schedules through the weaker `subscribe` permission path. Restrict this schema
to only allow `Report` type so the new endpoint cannot be used to create alert
configs. [security]
<details>
<summary><b>Severity Level:</b> Critical 🚨</summary>
```mdx
- ❌ Subscribe endpoint can create alerts via unrestricted type field.
- ⚠️ Bypasses intended separation between subscribe and write permissions.
- ⚠️ Inconsistent with docs: endpoint claims report-only subscriptions.
```
</details>
```suggestion
    type = fields.String(
        metadata={"description": type_description},
        allow_none=False,
        required=True,
        validate=validate.OneOf(choices=(ReportScheduleType.REPORT.value,)),
    )
```
<details>
<summary><b>Steps of Reproduction ✅ </b></summary>
```mdx
1. Start Superset with this PR code and ensure the ReportSchedule REST API is registered (ReportScheduleRestApi in `superset/reports/api.py:67-85` with `resource_name = "report"`).
2. Issue an HTTP `POST` to `/api/v1/report/subscribe` which is handled by `ReportScheduleRestApi.subscribe` (`superset/reports/api.py:318-379`) with a JSON body containing `"type": "Alert"` plus valid `name`, `crontab`, `database`, and either `chart` or `dashboard` IDs, for example: `{"type": "Alert", "name": "Escalated alert", "crontab": "* * * * *", "database": <valid_db_id>, "chart": <valid_chart_id>}`.
3. The request body is deserialized using `ReportScheduleSubscribeSchema` (`superset/reports/schemas.py:308-319`), which subclasses `ReportSchedulePostSchema` without redefining `type`, so the inherited `type` field (`ReportSchedulePostSchema.type` in the same file) accepts any `ReportScheduleType` value, including `ALERT`, and therefore the payload with `"type": "Alert"` passes schema validation.
4. Inside `subscribe`, the code sets `creation_method` based solely on the presence of `dashboard` or `chart` (`superset/reports/api.py:366-371`), then calls `CreateReportScheduleCommand(item).run()` (`superset/commands/report/create.py:49-57`), whose `validate` method (`superset/commands/report/create.py:87-141`) permits `report_type == ReportScheduleType.ALERT` as long as `database` is present, resulting in a persisted `ReportSchedule` of type `ALERT` being created via the `/subscribe` endpoint under the `subscribe` permission (`@permission_name("subscribe"` at `superset/reports/api.py:321`), despite the endpoint's docstring advertising "chart or dashboard report" subscriptions only.
```
</details>
<details>
<summary><b>Prompt for AI Agent 🤖 </b></summary>
```mdx
This is a comment left during a code review.
**Path:** superset/reports/schemas.py
**Line:** 317:317
**Comment:**
*Security: The subscribe schema still accepts all report types from the
generic post schema, so a caller can submit `type="Alert"` and create alert
schedules through the weaker `subscribe` permission path. Restrict this schema
to only allow `Report` type so the new endpoint cannot be used to create alert
configs.
Validate the correctness of the flagged issue. If correct, How can I resolve
this? If you propose a fix, implement it and please make it concise.
```
</details>
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]