rusackas opened a new pull request, #40587: URL: https://github.com/apache/superset/pull/40587
### SUMMARY

The task REST API (`TaskRestApi`, scoped per-user) returns the full task `properties` dict via `TaskResponseSchema`. That schema already stripped `stack_trace` unless `SHOW_STACKTRACE` is enabled, but **`exception_type`** (the raw exception class name, e.g. `OperationalError`) was returned unconditionally — disclosing internal library/architecture details in consumer-facing responses (CWE-209 / ASVS 16.5.1).

This change filters `exception_type` alongside `stack_trace`, behind the same `SHOW_STACKTRACE` flag Superset already uses to gate traceback exposure. `error_message` is intentionally left in place — it is the consumer-facing failure reason shown in the UI.

### Investigation / scope

I traced every place task `properties` is serialized to confirm this is the only consumer-facing exposure:

- **`TaskResponseSchema.get_properties`** (REST API show/list) — the affected path. **Fixed here.**
- **`superset/mcp_service/task/schemas.py` (`TaskInfo`)** — does not expose `properties` at all. No change needed.
- **`TaskManager.publish_completion` / `publish_abort`** (Redis pub/sub) — only send `uuid` + `status`. No change needed.
- **`Task.to_dict()`** — returns properties unfiltered, but has **no callers** in the codebase. Left as-is; worth keeping in mind if it is ever wired to an endpoint.

### BEFORE / AFTER

`GET /api/v1/task/<uuid>` → `properties` for a failed task:

- **Before:** includes `exception_type` (and `error_message`); `stack_trace` already hidden.
- **After:** `exception_type` and `stack_trace` hidden by default; `error_message` retained. Both reappear when `SHOW_STACKTRACE=True`.

### TESTING INSTRUCTIONS

```bash
pytest tests/unit_tests/tasks/test_schemas.py -v
```

Adds coverage for both the default-hidden and `SHOW_STACKTRACE`-enabled paths.
### ADDITIONAL INFORMATION

- [ ] Has associated issue: n/a (security scan finding, CWE-209)
- [ ] Required feature flags: n/a
- [ ] Changes UI: No
- [ ] Includes DB Migration: No
- [ ] Introduces new feature or API: No
- [ ] Removes existing feature or API: No

🤖 Generated with [Claude Code](https://claude.com/claude-code)
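The filtering the PR describes, as an added example that is not Superset's own code: a plain-Python stand-in for the schema's `get_properties` step, with the pre-fix gate (only `stack_trace` hidden) beside the fixed one, plus a check a regression test can run over a serialized response. The function names, `INTERNAL_ERROR_KEYS` and the sample task properties are assumptions, not identifiers from the Superset codebase.

```python
from typing import Any

# Keys that disclose internal library/architecture details (CWE-209).
# They are shown only when the SHOW_STACKTRACE-style debug flag is on.
# Assumed name; Superset's schema does not use this constant.
INTERNAL_ERROR_KEYS = frozenset({"stack_trace", "exception_type"})


def filter_task_properties_before(
    properties: dict[str, Any], show_stacktrace: bool
) -> dict[str, Any]:
    """Pre-fix behaviour: only stack_trace is gated, exception_type leaks."""
    if show_stacktrace:
        return dict(properties)
    return {k: v for k, v in properties.items() if k != "stack_trace"}


def filter_task_properties(
    properties: dict[str, Any], show_stacktrace: bool
) -> dict[str, Any]:
    """Fixed behaviour: stack_trace and exception_type are gated together.

    error_message is always kept, since it is the consumer-facing failure
    reason shown in the UI; everything not in INTERNAL_ERROR_KEYS passes.
    """
    if show_stacktrace:
        return dict(properties)
    return {k: v for k, v in properties.items() if k not in INTERNAL_ERROR_KEYS}


def leaks_internal_details(response_properties: dict[str, Any]) -> bool:
    """Regression check: True if a serialized response still carries an
    internal-only key. Useful as an assertion in an API test with the
    debug flag off."""
    return bool(INTERNAL_ERROR_KEYS & response_properties.keys())


# Constructed sample of a failed task's properties (not real Superset data).
FAILED_TASK_PROPERTIES: dict[str, Any] = {
    "error_message": "Query failed: could not connect to the database",
    "exception_type": "OperationalError",
    "stack_trace": "Traceback (most recent call last):\n  ...",
    "rows_processed": 0,
}

if __name__ == "__main__":
    print("before:", sorted(filter_task_properties_before(FAILED_TASK_PROPERTIES, False)))
    print("after: ", sorted(filter_task_properties(FAILED_TASK_PROPERTIES, False)))
```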
