orbisai0security commented on PR #39646: URL: https://github.com/apache/superset/pull/39646#issuecomment-4436073974
Thanks, I agree the current patch is too blunt for enterprise OAuth2 setups where the token endpoint may legitimately be internal. I’ll rework this as configurable hardening rather than an unconditional block. The revised approach will add a small OAuth2 token URI validation hook/config option, with documentation explaining that deployments allowing non-admin users to configure database OAuth2 clients can use it to restrict token endpoints to approved hosts or block private/link-local/loopback ranges. I’ll also avoid claiming this as a universal HIGH severity issue. The risk depends on who can set `oauth2_client_info` / database OAuth2 settings, so I’ll reframe this as defence-in-depth for user-configurable database OAuth2 endpoints.
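One shape such a configurable token URI validation hook could take, as an added example that is not code from the PR or from Superset itself; the function names `validate_oauth2_token_uri` and `make_token_uri_validator`, the `allowed_hosts` / `block_private` / `require_https` options and the example hostnames are all assumptions made for illustration:

```python
import ipaddress
from urllib.parse import urlparse

# Hypothetical validator sketch, not Superset's own code: the kind of hook a
# deployment could attach to user-configurable database OAuth2 token endpoints.
# It inspects only the literal host in the URI; a DNS name that later resolves to
# an internal address is out of scope and would need a resolution-time check.


def validate_oauth2_token_uri(uri, allowed_hosts=None, block_private=True,
                              require_https=True):
    """Return (ok, reason) for a configured OAuth2 token endpoint URI."""
    parsed = urlparse(uri)
    host = parsed.hostname  # lower-cased, IPv6 brackets stripped, None if absent
    if not host:
        return False, "token endpoint has no host"
    if require_https and parsed.scheme != "https":
        return False, f"token endpoint must use https, got {parsed.scheme!r}"
    if allowed_hosts is not None and host not in {h.lower() for h in allowed_hosts}:
        return False, f"host {host!r} is not an approved token endpoint"
    if block_private:
        if host == "localhost":
            return False, "token endpoint may not be localhost"
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None  # a DNS name rather than an IP literal
        if addr is not None and (
            addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified
        ):
            return False, f"token endpoint {host!r} is in a blocked address range"
    return True, "ok"


def make_token_uri_validator(allowed_hosts=None, block_private=True):
    """Bind a policy once, the shape a config-driven hook would take."""
    def hook(uri):
        ok, reason = validate_oauth2_token_uri(uri, allowed_hosts, block_private)
        if not ok:
            raise ValueError(reason)
        return uri
    return hook
```

Deployments where an internal token endpoint is legitimate would pass `block_private=False` together with an explicit `allowed_hosts` list, which is the configurable trade-off the comment describes.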
