rusackas opened a new pull request, #40638:
URL: https://github.com/apache/superset/pull/40638
### SUMMARY
A few small hardening improvements around key generation and token handling:
1. **`random_key` entropy** (`superset/key_value/utils.py`): the default
`nbytes` is raised from 8 (64-bit) to 16 (128-bit), and a `ValueError` guard
rejects any caller that requests fewer than 16 bytes so security-sensitive keys
cannot opt into weaker entropy. Existing stored keys are unaffected — only
newly generated keys change. All callers were audited: every call site uses
`random_key()` (now 16 bytes) or `random_key(48)`; none depends on the old
8-byte length or passes a smaller value.
2. **MD5 fallback deprecation note** (`superset/key_value/utils.py`): the
legacy MD5 namespace path (`_uuid_namespace_from_md5`, used when
`HASH_ALGORITHM='md5'`) now emits a `logger.warning` and carries a code comment
noting it is deprecated in favor of SHA-256. The path is retained for
back-compat and is not removed.
3. **Async-query JWT expiry**
(`superset/async_events/async_query_manager.py`): the async-query JWT was
issued without an `exp` claim. It now includes one, with the lifetime
controlled by a new config `GLOBAL_ASYNC_QUERIES_JWT_EXPIRATION_SECONDS`
(default 1 hour). The decode path (`parse_channel_id_from_request`) does not
set `options={"verify_exp": False}`, so PyJWT validates `exp` automatically —
the verifier side needs no change.
### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF
N/A
### TESTING INSTRUCTIONS
`python -m pytest tests/unit_tests/key_value/utils_test.py tests/unit_tests/async_events/async_query_manager_tests.py -q`
New/updated unit tests cover:
- `random_key()` returns >= 128-bit by default and rejects `nbytes < 16`
- The deprecated MD5 namespace path emits a warning
- The async token carries an `exp` claim and an expired token is rejected by
the decode path
### ADDITIONAL INFORMATION
- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration (follow approval process in
[SIP-59](https://github.com/apache/superset/issues/13351))
- [ ] Migration is atomic, supports rollback & is backwards-compatible
- [ ] Confirm DB migration upgrade and downgrade tested
- [ ] Runtime estimates and downtime expectations provided
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API
🤖 Generated with [Claude Code](https://claude.com/claude-code)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
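The expiry behaviour from item 3 together with the key-length guard from item 1, as an added example that is not Superset's code and not part of the pull request. It hand-rolls HS256 with the standard library in place of PyJWT so the `exp` check is visible; the function bodies, the `channel` claim name and the names `issue_token` and `parse_channel` are assumptions.

```python
import base64, hashlib, hmac, json, time
from secrets import token_urlsafe

MIN_KEY_BYTES = 16  # 128-bit floor from the PR summary


def random_key(nbytes=MIN_KEY_BYTES):
    # Assumed body: only the default and the ValueError guard come from the PR text.
    if nbytes < MIN_KEY_BYTES:
        raise ValueError(f"nbytes must be at least {MIN_KEY_BYTES}")
    return token_urlsafe(nbytes)


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input, secret):
    # The algorithm is fixed to HMAC-SHA256; the header's alg value is never trusted.
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256)
    return _b64(mac.digest())


def issue_token(channel, secret, ttl_seconds, now=None):
    """Issue an HS256 token whose exp is ttl_seconds after `now`."""
    now = time.time() if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"channel": channel, "exp": int(now) + ttl_seconds}
    body = _b64(json.dumps(claims).encode())
    return f"{header}.{body}.{_sign(header + '.' + body, secret)}"


def parse_channel(token, secret, now=None):
    """Verify the signature first, then the expiry; return the channel id."""
    now = time.time() if now is None else now
    header, body, sig = token.split(".")
    expected = _sign(f"{header}.{body}", secret)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    # Choice made for this example: a token with no exp is refused, so tokens
    # minted before the change cannot stay valid indefinitely.
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims["channel"]
```
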