rusackas opened a new pull request, #40668: URL: https://github.com/apache/superset/pull/40668
### SUMMARY Extensions execute arbitrary Python, but once a valid `.supx` (or `LOCAL_EXTENSIONS`) bundle is discovered it is loaded unconditionally — there is no way for an operator to refuse a specific extension known to be vulnerable or undesirable (ASVS 15.2.1, CWE-1104). This adds an **`EXTENSION_BLOCKLIST`** config. Each entry is either: - an extension **id** (blocks every version of that extension), or - **`"<id>@<version>"`** (blocks only that exact version). `get_extensions()` now skips blocklisted extensions (with a warning) in **both** load paths — `LOCAL_EXTENSIONS` and the `EXTENSIONS_PATH` discovery. Default is `[]` (no change to existing behavior). This is the self-contained slice of the extension supply-chain finding; the full vulnerability-database / dependency-audit integration (OSV/GHSA, max-age) remains out of scope. ### TESTING INSTRUCTIONS ``` pytest tests/unit_tests/extensions/test_utils.py ``` New test covers `is_extension_blocked`: empty list allows all; an id blocks all its versions; `<id>@<version>` blocks only that version. ### ADDITIONAL INFORMATION - [ ] Has associated issue: - [ ] Required feature flags: - [ ] Changes UI - [ ] Includes DB Migration - [ ] Introduces new feature or API - [ ] Removes existing feature or API 🤖 Generated with [Claude Code](https://claude.com/claude-code) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
