rusackas opened a new pull request, #40665: URL: https://github.com/apache/superset/pull/40665
### SUMMARY The SSH tunnel `server_address` (`DatabaseSSHTunnel` schema) accepted arbitrary text with no format validation. While the current paramiko-based `sshtunnel` library doesn't shell out, an unvalidated host is a latent SSRF surface (and a footgun against future implementation changes) — ASVS 1.2.5 / CWE-918. This constrains `server_address` to a plausible hostname / IP literal — `^[A-Za-z0-9._:\-\[\]]+$`, length 1–256 — rejecting values carrying URL structure (`http://…`, `file://…`), whitespace, or path separators (`../`). Defense-in-depth format validation only (no allowlist/denylist config, which the finding lists as optional). ### TESTING INSTRUCTIONS ``` pytest tests/unit_tests/databases/schema_tests.py -k ssh_tunnel ``` New test: accepts hostnames / IPv4 / `[::1]` / internal names; rejects `http://evil/`, `1.2.3.4/../x`, whitespace, and `file:///…`. ### ADDITIONAL INFORMATION - [ ] Has associated issue: - [ ] Required feature flags: - [ ] Changes UI - [ ] Includes DB Migration - [ ] Introduces new feature or API - [ ] Removes existing feature or API 🤖 Generated with [Claude Code](https://claude.com/claude-code) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
