rusackas commented on code in PR #40664:
URL: https://github.com/apache/superset/pull/40664#discussion_r3338370386


##########
superset/extensions/utils.py:
##########
@@ -36,7 +36,9 @@
 logger = logging.getLogger(__name__)
 
 FRONTEND_REGEX = re.compile(r"^frontend/dist/([^/]+)$")
-BACKEND_REGEX = re.compile(r"^backend/src/(.+)$")
+# Reject parent ("..") path components so a crafted entry name cannot produce
+# a traversal-style module path (defense in depth; check_is_safe_zip runs 
first).
+BACKEND_REGEX = re.compile(r"^backend/src/(?!.*\.\.)(.+)$")
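Review bot: the lookahead `(?!.*\.\.)` in the new BACKEND_REGEX rejects any two consecutive dots anywhere in the captured path, not only `..` path components as the comment says, so an entry such as `backend/src/a..b/c.py` is rejected as well; either reword the comment to state that any `..` substring is refused (which is stricter, and fine as defense in depth behind check_is_safe_zip), or anchor the check to component boundaries with something like `(?!(?:.*/)?\.\.(?:/|$))` if only real parent components should be excluded. Separately, the comment as shown in the hunk has trailing whitespace after `runs` and its continuation `first).` appears on a line with no leading `#`, which Python would not parse; please confirm the actual diff keeps it as a single `#` comment line.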

Review Comment:
Bito's follow-up reiterates the original suggestion even after the explanation above. The conservative `(?!.*\.\.)` guard is intentional — extension module paths are Python import names and never contain consecutive dots in practice, and `check_is_safe_zip` is the primary defense. Bito's proposed replacement would incorrectly allow `..`-prefixed components; the current pattern is the right call.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
