sha174n commented on code in PR #40327:
URL: https://github.com/apache/superset/pull/40327#discussion_r3294519825
##########
docker/docker-bootstrap.sh:
##########
@@ -80,7 +80,19 @@ case "${1}" in
;;
app)
echo "Starting web app (using development server)..."
- flask run -p $PORT --reload --debugger --host=0.0.0.0 --exclude-patterns
"*/node_modules/*:*/.venv/*:*/build/*:*/__pycache__/*:*/superset-frontend/*"
+
+ # Environment-based debugger control for security
+ # Only enable Werkzeug interactive debugger when explicitly requested
+ # Modern Werkzeug (3.0+) includes PIN protection, but defense-in-depth
approach
+ DEBUGGER_FLAG=""
+ if [[ "${SUPERSET_DEBUG_ENABLED:-}" == "true" ]]; then
+ DEBUGGER_FLAG="--debugger"
+ echo " ⚠️ Werkzeug debugger enabled (requires PIN for /console
access)"
+ else
+ echo " 🔒 Werkzeug debugger disabled (set SUPERSET_DEBUG_ENABLED=true
to enable)"
+ fi
+
+ flask run -p $PORT --reload $DEBUGGER_FLAG --host=0.0.0.0
--exclude-patterns
"*/node_modules/*:*/.venv/*:*/build/*:*/__pycache__/*:*/superset-frontend/*"
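Review bot: The `else` branch of the `SUPERSET_DEBUG_ENABLED` check only keeps `--debugger` off the command line; `flask run` also enables the Werkzeug debugger when `FLASK_DEBUG` is set in the environment (for example via `docker/.env` or a `.flaskenv`), so the "🔒 Werkzeug debugger disabled" line can be printed while the debugger is in fact active. Suggest making that branch authoritative, e.g. adding `export FLASK_DEBUG=0` beside the `echo`, so the effective state matches the startup message. Leaving `$DEBUGGER_FLAG` unquoted in the final `flask run` is correct here (quoting it would pass an empty argument when the flag is disabled), but `$PORT` could be quoted as `"$PORT"`.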
Review Comment:
Addressed in 7186c98. Script now also exports FLASK_DEBUG=0 in the disabled
branch so the effective state matches the startup message even when docker/.env
or .flaskenv sets FLASK_DEBUG=true.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.