codeant-ai-for-open-source[bot] commented on code in PR #40098:
URL: https://github.com/apache/superset/pull/40098#discussion_r3277274551
##########
superset/mcp_service/server.py:
##########
@@ -403,38 +400,23 @@ def _summary_serializer(tools: Sequence[Any]) ->
list[dict[str, Any]]:
def _tool_allowed_for_current_user(tool: Any) -> bool:
"""Return whether the current Flask user can see this tool in search
results."""
try:
- from flask import current_app, g
-
- if not current_app.config.get("MCP_RBAC_ENABLED", True):
- return True
+ from flask import g
- from superset import security_manager
from superset.mcp_service.auth import (
- CLASS_PERMISSION_ATTR,
get_user_from_request,
- METHOD_PERMISSION_ATTR,
- PERMISSION_PREFIX,
+ is_tool_visible_to_current_user,
)
- tool_func = getattr(tool, "fn", None)
- if tool_requires_data_model_metadata_access(tool_func) and not (
- user_can_view_data_model_metadata()
- ):
- return False
-
- class_permission_name = getattr(tool_func, CLASS_PERMISSION_ATTR, None)
- if not class_permission_name:
- return True
-
if not getattr(g, "user", None):
try:
g.user = get_user_from_request()
- except ValueError:
- return False
+ except (ValueError, PermissionError):
+ # Can't resolve user; only hide protected tools. Public tools
+ # (no _class_permission_name) pass through regardless.
+ func = getattr(tool, "fn", tool)
+ return not getattr(func, "_class_permission_name", None)
Review Comment:
**Suggestion:** Invalid credentials are currently handled as a partial
fail-open path in tool-search filtering: `PermissionError` (e.g., bad/expired
API key) falls into the same branch as missing-auth and still allows tools
without class permissions to be visible. That breaks the fail-closed behavior
implemented in `tools/list` and leaks discoverability to callers with rejected
credentials. Handle `PermissionError` as deny-all in this path (return
`False`), and reserve the public-tool fallback only for the explicit no-auth
case. [security]
<details>
<summary><b>Severity Level:</b> Major ⚠️</summary>
```mdx
- ❌ search_tools exposes public tools to invalid API keys.
- ⚠️ tools/list and search_tools diverge on credential failures.
- ⚠️ Unauthorized callers can enumerate MCP tool names via search.
```
</details>
<details>
<summary><b>Steps of Reproduction ✅ </b></summary>
```mdx
1. Enable MCP tool search transform so `_create_search_transform()` wraps
FastMCP search
with `_filter_tools_by_current_user_permission()` (see
`superset/mcp_service/server.py:143-183`, where
`_FixedBM25SearchTransform._get_visible_tools()` and
`_FixedRegexSearchTransform._get_visible_tools()` call
`_filter_tools_by_current_user_permission(tools)` at lines 161 and 177).
2. Connect an MCP client using an invalid or expired API key in the
`Authorization` header
so `_resolve_user_from_api_key()` runs and fails; this function raises
`PermissionError("Invalid or expired API key...")` when `validate_api_key()`
returns no
user (see `superset/mcp_service/auth.py:316-48`).
3. Trigger a search via the synthetic `search_tools` tool so the search
transform calls
`_filter_tools_by_current_user_permission(tools)` (server search filter at
`superset/mcp_service/server.py:76-78`), which in turn calls
`_tool_allowed_for_current_user(tool)` (`server.py:400-422`) for each tool
while `g.user`
is still unset.
4. Inside `_tool_allowed_for_current_user`, the call to
`get_user_from_request()`
(`auth.py:379-77`) raises the `PermissionError` from step 2, which is caught
by the inner
`except (ValueError, PermissionError)` block at
`superset/mcp_service/server.py:413-417`;
this block treats the failure as a generic "can't resolve user" and returns
`not
getattr(func, "_class_permission_name", None)`, so tools without
`_class_permission_name`
(public tools) remain visible to the `search_tools` caller even though
credentials were
rejected, whereas the `tools/list` path in
`RBACToolVisibilityMiddleware.on_list_tools()`
(`superset/mcp_service/middleware.py:437-21`) explicitly treats
`PermissionError` as a
credential failure and returns an empty list, demonstrating that invalid
credentials
partially fail open only in search filtering.
```
</details>
[Fix in
Cursor](https://app.codeant.ai/fix-in-ide?tool=cursor&prompt_id=eeb5a0b599724aa7b97e96dda722c1dc&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset)
| [Fix in VSCode
Claude](https://app.codeant.ai/fix-in-ide?tool=vscode-claude&prompt_id=eeb5a0b599724aa7b97e96dda722c1dc&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset)
*(Use Cmd/Ctrl + Click for best experience)*
<details>
<summary><b>Prompt for AI Agent 🤖 </b></summary>
```mdx
This is a comment left during a code review.
**Path:** superset/mcp_service/server.py
**Line:** 413:417
**Comment:**
*Security: Invalid credentials are currently handled as a partial
fail-open path in tool-search filtering: `PermissionError` (e.g., bad/expired
API key) falls into the same branch as missing-auth and still allows tools
without class permissions to be visible. That breaks the fail-closed behavior
implemented in `tools/list` and leaks discoverability to callers with rejected
credentials. Handle `PermissionError` as deny-all in this path (return
`False`), and reserve the public-tool fallback only for the explicit no-auth
case.
Validate the correctness of the flagged issue. If correct, How can I resolve
this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask
user if the user wants to fix the rest of the comments as well. if said yes,
then fetch all the comments validate the correctness and implement a minimal fix
```
</details>
<a
href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F40098&comment_hash=1ab07b6da70c0c0d1ea77dd0956c030077476f188c1db73184314d5dcdf1f994&reaction=like'>👍</a>
| <a
href='https://app.codeant.ai/feedback?pr_url=https%3A%2F%2Fgithub.com%2Fapache%2Fsuperset%2Fpull%2F40098&comment_hash=1ab07b6da70c0c0d1ea77dd0956c030077476f188c1db73184314d5dcdf1f994&reaction=dislike'>👎</a>
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
