codeant-ai-for-open-source[bot] commented on code in PR #40327:
URL: https://github.com/apache/superset/pull/40327#discussion_r3279844998
##########
docker/docker-bootstrap.sh:
##########
@@ -80,7 +80,19 @@ case "${1}" in
;;
app)
echo "Starting web app (using development server)..."
- flask run -p $PORT --reload --debugger --host=0.0.0.0 --exclude-patterns
"*/node_modules/*:*/.venv/*:*/build/*:*/__pycache__/*:*/superset-frontend/*"
+
+ # Environment-based debugger control for security
+ # Only enable Werkzeug interactive debugger when explicitly requested
+ # Modern Werkzeug (3.0+) includes PIN protection, but defense-in-depth
approach
+ DEBUGGER_FLAG=""
+ if [[ "${SUPERSET_DEBUG_ENABLED:-}" == "true" ]]; then
+ DEBUGGER_FLAG="--debugger"
+ echo " ⚠️ Werkzeug debugger enabled (requires PIN for /console
access)"
+ else
+ echo " 🔒 Werkzeug debugger disabled (set SUPERSET_DEBUG_ENABLED=true
to enable)"
+ fi
+
+ flask run -p $PORT --reload $DEBUGGER_FLAG --host=0.0.0.0
--exclude-patterns
"*/node_modules/*:*/.venv/*:*/build/*:*/__pycache__/*:*/superset-frontend/*"
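Review bot: The `else` branch leaves `DEBUGGER_FLAG` empty, so on that path `flask run` receives neither `--debugger` nor `--no-debugger` and falls back to its own default, which follows `FLASK_DEBUG`; the 🔒 "debugger disabled" message is then printed without the debugger actually being off. Set `DEBUGGER_FLAG="--no-debugger"` in the `else` branch so both paths pass an explicit flag, and once both branches assign a value, quote it on the `flask run` line (`"$DEBUGGER_FLAG"`). Two smaller points: `[[ ... ]]` is a bash construct, so this only works under a bash shebang, and the "requires PIN for /console access" wording depends on the installed Werkzeug rather than on anything this script checks.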
Review Comment:
**Suggestion:** The "debugger disabled by default" logic is ineffective
because when `FLASK_DEBUG=true` (which is the default in `docker/.env`), `flask
run` enables the debugger unless you explicitly pass `--no-debugger`. With the
current implementation, the `else` branch only omits `--debugger`, so
`/console` can still be active. Set the flag explicitly in both branches
(`--debugger` vs `--no-debugger`) so the runtime behavior matches the security
intent. [incorrect condition logic]
<details>
<summary><b>Severity Level:</b> Critical 🚨</summary>
```mdx
- ❌ Superset dev container exposes Werkzeug debugger on port 8088.
- ⚠️ Environment flag misleads developers about debugger being disabled.
```
</details>
<details>
<summary><b>Steps of Reproduction ✅ </b></summary>
```mdx
1. Start the Superset dev container using `docker-compose.yml` (service `superset` defined at `docker-compose.yml:8-28` from the Read output), which runs the command `["/app/docker/docker-bootstrap.sh", "app"]` (line 16) and loads environment from `env_file` `docker/.env` (lines 8-12).
2. Observe that `docker/.env` sets `FLASK_DEBUG=true` by default at `docker/.env:66-67`, enabling Flask debug mode inside the container without setting `SUPERSET_DEBUG_ENABLED` (no default defined anywhere; the only reference is the condition at `docker/docker-bootstrap.sh:29` from BulkRead).
3. In the container logs, see the message `🔒 Werkzeug debugger disabled (set SUPERSET_DEBUG_ENABLED=true to enable)` emitted by the `else` branch at `docker/docker-bootstrap.sh:32-34`, confirming that `SUPERSET_DEBUG_ENABLED` is unset/false and the "disabled" path executed while `DEBUGGER_FLAG` remains an empty string (initialized at `docker/docker-bootstrap.sh:28` and never changed in the else branch).
4. Despite the "disabled" message, `flask run` is invoked as `flask run -p $PORT --reload $DEBUGGER_FLAG --host=0.0.0.0 ...` at `docker/docker-bootstrap.sh:36`; with `FLASK_DEBUG=true` and no `--no-debugger` flag, Flask runs with the Werkzeug interactive debugger enabled, so accessing `http://localhost:${SUPERSET_PORT:-8088}/console` in a browser reaches the debugger console, demonstrating that omitting the flag does not actually disable the debugger as intended.
```
</details>
[Fix in Cursor](https://app.codeant.ai/fix-in-ide?tool=cursor&prompt_id=411760f6da11417f8a55137524958bb0&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset) | [Fix in VSCode Claude](https://app.codeant.ai/fix-in-ide?tool=vscode-claude&prompt_id=411760f6da11417f8a55137524958bb0&service=github&base_url=https%3A%2F%2Fgithub.com&org=apache&repo=apache%2Fsuperset)
*(Use Cmd/Ctrl + Click for best experience)*
<details>
<summary><b>Prompt for AI Agent 🤖 </b></summary>
```mdx
This is a comment left during a code review.
**Path:** docker/docker-bootstrap.sh
**Line:** 87:95
**Comment:**
*Incorrect Condition Logic: The "debugger disabled by default" logic is
ineffective because when `FLASK_DEBUG=true` (which is the default in
`docker/.env`), `flask run` enables the debugger unless you explicitly pass
`--no-debugger`. With the current implementation, the `else` branch only omits
`--debugger`, so `/console` can still be active. Set the flag explicitly in
both branches (`--debugger` vs `--no-debugger`) so the runtime behavior matches
the security intent.
Validate the correctness of the flagged issue. If correct, how can I resolve this? If you propose a fix, implement it and please make it concise.
Once the fix is implemented, also check other comments on the same PR, and ask the user if the user wants to fix the rest of the comments as well. If said yes, then fetch all the comments, validate the correctness and implement a minimal fix.
```
</details>
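An added shell example, not code from the PR or from Superset, that models the rule the review relies on: `flask run` only falls back to `FLASK_DEBUG` when neither `--debugger` nor `--no-debugger` is passed. The truthiness rule for `FLASK_DEBUG` (any non-empty value except `0`, `false` or `no`, case-insensitive) is an assumption based on Flask's `get_debug_flag()`; the function names are invented for the example.

```bash
# Flag as the PR builds it: empty unless SUPERSET_DEBUG_ENABLED=true.
pr_debugger_flag() {
  if [ "${1:-}" = "true" ]; then echo "--debugger"; else echo ""; fi
}

# Corrected flag: explicit in both branches, so FLASK_DEBUG cannot win.
fixed_debugger_flag() {
  if [ "${1:-}" = "true" ]; then echo "--debugger"; else echo "--no-debugger"; fi
}

# flask_debug_truthy VALUE -> exit 0 if Flask would treat it as debug on.
# Assumed rule (from Flask's get_debug_flag): non-empty and not 0/false/no.
flask_debug_truthy() {
  v=$(printf '%s' "${1:-}" | tr '[:upper:]' '[:lower:]')
  case "$v" in
    ""|0|false|no) return 1 ;;
    *) return 0 ;;
  esac
}

# resolve_debugger FLAG FLASK_DEBUG -> prints "on" or "off".
# An empty FLAG means "not passed", so the FLASK_DEBUG fallback applies.
resolve_debugger() {
  case "$1" in
    --debugger) echo on ;;
    --no-debugger) echo off ;;
    "") if flask_debug_truthy "$2"; then echo on; else echo off; fi ;;
    *) echo "unexpected flag: $1" >&2; return 1 ;;
  esac
}

# Walk the docker/.env default (FLASK_DEBUG=true) through both variants.
audit() {
  for env_enabled in "" "true"; do
    pr=$(resolve_debugger "$(pr_debugger_flag "$env_enabled")" "true")
    fixed=$(resolve_debugger "$(fixed_debugger_flag "$env_enabled")" "true")
    printf "SUPERSET_DEBUG_ENABLED='%s'  PR: debugger %s  fixed: debugger %s\n" \
      "$env_enabled" "$pr" "$fixed"
  done
}

audit
```

With `SUPERSET_DEBUG_ENABLED` unset, the PR variant resolves to "on" under the default `FLASK_DEBUG=true`, while the explicit `--no-debugger` variant resolves to "off".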
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]