rusackas commented on code in PR #40665:
URL: https://github.com/apache/superset/pull/40665#discussion_r3338260289
##########
superset/databases/schemas.py:
##########
@@ -449,7 +449,21 @@ class DatabaseSSHTunnel(Schema):
id = fields.Integer(
allow_none=True, metadata={"description": "SSH Tunnel ID (for
updates)"}
)
- server_address = fields.String()
+ # Restrict the SSH tunnel host to a plausible hostname / IP literal. This
+ # rejects values carrying URL structure, whitespace, or path separators —
+ # defense in depth against using the tunnel host as an SSRF vector.
+ server_address = fields.String(
+ validate=[
+ Length(min=1, max=256),
+ Regexp(
+ r"^[A-Za-z0-9._:\-\[\]]+$",
+ error=(
+ "server_address must be a valid hostname or IP address "
+ "(letters, digits, '.', '-', ':' only)"
+ ),
+ ),
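Review bot: The end anchor in r"^[A-Za-z0-9._:\-\[\]]+$" is "$", which in Python also matches just before a trailing newline, so a server_address ending in "\n" passes even though the comment above the field says whitespace is rejected; anchoring with \Z instead closes that. Separately, the error text lists "letters, digits, '.', '-', ':' only" while the character class also accepts "_", "[" and "]", so either the message should name those characters or the class should drop them.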
Review Comment:
The regex intentionally includes and to allow IPv6 literals like . A value
of would pass validation, but since is a separate required field in the
schema, any port embedded in would ultimately cause the SSH connection to fail
(the tunnel client would try to DNS-resolve as a hostname). The regex's
purpose is blocking SSRF vectors like URL schemes, paths, and whitespace — not
preventing all malformed input. We could tighten it to reject bare colons
outside , but that adds complexity for an edge case. Leaving as-is for now; can
follow up if there are real-world issues.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
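The acceptance behaviour discussed in the review comment above, as an added example that is not part of the PR or of the original message: it runs the pattern from the hunk over constructed inputs and compares it with a stricter check. `strict_accepts`, `LABEL`, `HOSTNAME` and the sample values are assumptions made for illustration, not Superset code.

```python
import ipaddress
import re

# Pattern copied verbatim from the hunk in this message.
PR_PATTERN = re.compile(r"^[A-Za-z0-9._:\-\[\]]+$")

# Hypothetical tightening (an assumption, not in the PR): dot-separated labels
# with no colons, anchored with \Z so nothing may follow the last label.
LABEL = r"[A-Za-z0-9_](?:[A-Za-z0-9_-]*[A-Za-z0-9_])?"
HOSTNAME = re.compile(rf"{LABEL}(?:\.{LABEL})*\Z")


def pr_accepts(value: str) -> bool:
    """Apply the PR pattern with re.match, as marshmallow's Regexp does."""
    return PR_PATTERN.match(value) is not None


def strict_accepts(value: str) -> bool:
    """Accept a hostname, an IPv4 literal, or a bare/bracketed IPv6 literal."""
    if not 1 <= len(value) <= 256:
        return False
    if any(ch in value for ch in ":[]"):
        # Colons and brackets are only legal as part of an IPv6 literal.
        bracketed = value.startswith("[") and value.endswith("]")
        try:
            ipaddress.IPv6Address(value[1:-1] if bracketed else value)
        except ValueError:
            return False
        return True
    return HOSTNAME.match(value) is not None


# Constructed sample inputs (documentation-range addresses, example.com names).
SAMPLES = [
    "bastion.example.com",
    "192.0.2.10",
    "[2001:db8::1]",
    "bastion.example.com:2222",    # port embedded in the host field
    "http://bastion.example.com",  # URL scheme
    "bastion.example.com/path",    # path separator
    "bastion example.com",         # whitespace
    "bastion.example.com\n",       # trailing newline, matched by "$"
]


def compare() -> dict:
    """Map each sample to (accepted by PR pattern, accepted by strict check)."""
    return {s: (pr_accepts(s), strict_accepts(s)) for s in SAMPLES}
```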