rusackas commented on code in PR #40665:
URL: https://github.com/apache/superset/pull/40665#discussion_r3342385133
##########
superset/databases/schemas.py:
##########
@@ -449,7 +449,21 @@ class DatabaseSSHTunnel(Schema):
id = fields.Integer(
allow_none=True, metadata={"description": "SSH Tunnel ID (for
updates)"}
)
- server_address = fields.String()
+ # Restrict the SSH tunnel host to a plausible hostname / IP literal. This
+ # rejects values carrying URL structure, whitespace, or path separators —
+ # defense in depth against using the tunnel host as an SSRF vector.
+ server_address = fields.String(
+ validate=[
+ Length(min=1, max=256),
+ Regexp(
+ r"^[A-Za-z0-9._:\-\[\]]+$",
+ error=(
+ "server_address must be a valid hostname or IP address "
+ "(letters, digits, '.', '-', ':' only)"
+ ),
Review Comment:
Good catch — the message did omit `_`, `[` and `]`, which the pattern allows
(and the tests exercise via `bastion_host` and `[::1]`). Fixed in 6f021d7 by
listing all permitted characters in the error string.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
