bito-code-review[bot] commented on code in PR #40653:
URL: https://github.com/apache/superset/pull/40653#discussion_r3366346229
##########
superset/mcp_service/auth.py:
##########
@@ -117,6 +195,39 @@ def __init__(
super().__init__(message)
+def _log_scope_denial(
+ func: Callable[..., Any],
+ method_permission_name: str,
+ permission_str: str,
+ class_permission_name: str,
+ *,
+ log_denial: bool,
+) -> None:
+ """Log a scope-based denial for a tool the user has RBAC access to.
+
+ Extracted from ``check_tool_permission`` to keep that function's
+ cyclomatic complexity in check.
+ """
+ required_scope = _METHOD_TO_REQUIRED_SCOPE.get(method_permission_name)
+ if log_denial:
+ logger.warning(
+ "Scope denied for user %s: token lacks required scope "
+ "'%s' for %s on %s (tool: %s)",
+ g.user.username,
Review Comment:
<!-- Bito Reply -->
The application of `_sanitize_for_log()` to `g.user.username` in the warning
branch of `_log_scope_denial` is appropriate. This change correctly addresses
the identified log injection risk by escaping control characters, ensuring
consistency with existing sanitization practices in the file.
**superset/mcp_service/auth.py**
```
logger.warning(
"Scope denied for user %s: token lacks required scope "
"'%s' for %s on %s (tool: %s)",
- g.user.username,
+ _sanitize_for_log(g.user.username),
required_scope,
permission_str,
class_permission_name,
```
##########
superset/mcp_service/auth.py:
##########
@@ -117,6 +195,39 @@ def __init__(
super().__init__(message)
+def _log_scope_denial(
+ func: Callable[..., Any],
+ method_permission_name: str,
+ permission_str: str,
+ class_permission_name: str,
+ *,
+ log_denial: bool,
+) -> None:
+ """Log a scope-based denial for a tool the user has RBAC access to.
+
+ Extracted from ``check_tool_permission`` to keep that function's
+ cyclomatic complexity in check.
+ """
+ required_scope = _METHOD_TO_REQUIRED_SCOPE.get(method_permission_name)
+ if log_denial:
+ logger.warning(
+ "Scope denied for user %s: token lacks required scope "
+ "'%s' for %s on %s (tool: %s)",
+ g.user.username,
+ required_scope,
+ permission_str,
+ class_permission_name,
+ func.__name__,
+ )
+ else:
+ logger.debug(
+ "Tool hidden for user %s: token lacks required scope '%s' (tool:
%s)",
+ g.user.username,
Review Comment:
<!-- Bito Reply -->
The update correctly applies the sanitization function to the username in
the debug log branch, ensuring consistency with the warning branch and
mitigating the identified log injection risk (CWE-117). This change is
appropriate and follows the recommended security practice for logging
user-provided input.
**superset/mcp_service/auth.py**
```
logger.debug(
"Tool hidden for user %s: token lacks required scope '%s' (tool:
%s)",
_sanitize_for_log(g.user.username),
required_scope,
func.__name__,
)
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
