rusackas opened a new pull request, #40625: URL: https://github.com/apache/superset/pull/40625
### SUMMARY

The async-queries WebSocket server (`superset-websocket`) authenticated upgrade requests via the JWT cookie but never validated the request `Origin`. Browsers attach cookies to cross-site WebSocket handshakes when the cookie's `SameSite` policy permits — notably when a deployment sets `GLOBAL_ASYNC_QUERIES_JWT_COOKIE_SAMESITE = "None"` (common for embedded dashboards). In that configuration a malicious page visited by an authenticated user could open a WebSocket on the victim's channel and receive their async query result events (Cross-Site WebSocket Hijacking).

This adds an optional origin allowlist:

- New `allowedOrigins` config option and `ALLOWED_ORIGINS` env var (comma-separated).
- The upgrade handler now rejects (destroys the socket) when the request `Origin` is not in the list.
- **Backward compatible:** an empty list (the default) skips the check and accepts any origin, preserving today's behavior. A single `"*"` entry explicitly allows any origin.

Operators are encouraged to set `allowedOrigins` to the origin Superset is served from. Documented in the README and `config.example.json`.

### TESTING INSTRUCTIONS

```
cd superset-websocket
npm ci
npm test
```

New tests:

- `isOriginAllowed`: empty list → allow; `"*"` → allow; exact match → allow; non-match / missing origin → reject.
- `httpUpgrade` origin validation: disallowed origin and missing origin are rejected (socket destroyed, no upgrade); allowed origin proceeds.

### ADDITIONAL INFORMATION

- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API

🤖 Generated with [Claude Code](https://claude.com/claude-code)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
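The allowlist semantics the PR description spells out (empty list allows, a single `"*"` allows, otherwise exact match with a missing `Origin` rejected, and a failed check destroying the socket before any upgrade), shown as an added example. This is not the superset-websocket project's own code: `isOriginAllowed` and `httpUpgrade` are the names the PR uses, while `parseAllowedOrigins`, the `UpgradeRequest`/`UpgradeSocket` types and the `FakeSocket` stand-in for a Node socket are assumptions made here so the check can be exercised without a real server.

```typescript
// Added example (not superset-websocket code): origin allowlist for a
// WebSocket upgrade handler, following the semantics in the PR description.
// UpgradeRequest/UpgradeSocket/FakeSocket/parseAllowedOrigins are hypothetical.

/** Minimal shape of the pieces of an http.IncomingMessage the check needs. */
export type UpgradeRequest = { headers: Record<string, string | undefined> };

/** Minimal shape of the socket handed to an 'upgrade' listener. */
export type UpgradeSocket = { destroyed: boolean; destroy(): void };

/** Parse a comma-separated ALLOWED_ORIGINS value (assumed env-var format). */
export function parseAllowedOrigins(raw: string | undefined): string[] {
  if (!raw) return [];
  return raw
    .split(',')
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
}

/**
 * Decide whether a handshake's Origin is acceptable:
 *  - empty allowlist: check disabled (backward compatible), allow
 *  - a single "*" entry: explicitly allow any origin
 *  - otherwise: exact string match required; a missing Origin is rejected
 */
export function isOriginAllowed(
  origin: string | undefined,
  allowedOrigins: string[],
): boolean {
  if (allowedOrigins.length === 0) return true;
  if (allowedOrigins.length === 1 && allowedOrigins[0] === '*') return true;
  if (origin === undefined) return false;
  return allowedOrigins.includes(origin);
}

/**
 * Upgrade handler sketch: validate Origin first, destroy the socket on
 * failure, and only then continue to cookie/JWT validation and the real
 * WebSocket upgrade (omitted here). Returns true if the upgrade may proceed.
 */
export function httpUpgrade(
  req: UpgradeRequest,
  socket: UpgradeSocket,
  allowedOrigins: string[],
): boolean {
  // Node lowercases incoming header names, so the key is 'origin'.
  const origin = req.headers['origin'];
  if (!isOriginAllowed(origin, allowedOrigins)) {
    socket.destroy(); // no HTTP response, no upgrade
    return false;
  }
  // JWT cookie validation and wss.handleUpgrade(...) would follow here.
  return true;
}

/** Constructed stand-in for a net.Socket so the handler can run offline. */
export class FakeSocket implements UpgradeSocket {
  destroyed = false;
  destroy(): void {
    this.destroyed = true;
  }
}

// Stand-alone demonstration with constructed requests.
const allowlist = parseAllowedOrigins('https://superset.example');
for (const origin of ['https://superset.example', 'https://attacker.example', undefined]) {
  const sock = new FakeSocket();
  const ok = httpUpgrade({ headers: { origin } }, sock, allowlist);
  console.log(`origin=${origin ?? '<missing>'} upgrade=${ok} destroyed=${sock.destroyed}`);
}
```

Two points worth keeping in mind when deploying a check like this: `Origin` is set by the browser and cannot be altered by page script, which is exactly why it stops a cross-site page from riding the victim's `SameSite=None` cookie, but a non-browser client can send any `Origin` it likes, so the allowlist is a defense against cross-site hijacking and not a substitute for the JWT cookie check. And because the empty default disables the check, a deployment that relies on `SameSite=None` for embedding gets no protection until `allowedOrigins` is actually populated.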
