Copilot commented on code in PR #40665:
URL: https://github.com/apache/superset/pull/40665#discussion_r3338873110


##########
superset/databases/schemas.py:
##########
@@ -449,7 +449,21 @@ class DatabaseSSHTunnel(Schema):
     id = fields.Integer(
         allow_none=True, metadata={"description": "SSH Tunnel ID (for 
updates)"}
     )
-    server_address = fields.String()
+    # Restrict the SSH tunnel host to a plausible hostname / IP literal. This
+    # rejects values carrying URL structure, whitespace, or path separators —
+    # defense in depth against using the tunnel host as an SSRF vector.
+    server_address = fields.String(
+        validate=[
+            Length(min=1, max=256),
+            Regexp(
+                r"^[A-Za-z0-9._:\-\[\]]+$",
+                error=(
+                    "server_address must be a valid hostname or IP address "
+                    "(letters, digits, '.', '-', ':' only)"
+                ),

Review Comment:
   The Regexp validator permits additional characters (`_`, `[` and `]`) but 
the error message claims only `.`, `-`, and `:` are allowed. This mismatch will 
confuse users when values containing `_` or IPv6 bracket notation are 
accepted/rejected.


