sha174n commented on code in PR #39301:
URL: https://github.com/apache/superset/pull/39301#discussion_r3408384318


##########
superset/db_engine_specs/impala.py:
##########
@@ -209,8 +210,25 @@ def cancel_query(cls, cursor: Any, query: Query, 
cancel_query_id: str) -> bool:
         """
         try:
             impala_host = query.database.url_object.host
+            # The cancel call issues an outbound HTTP request from the
+            # Superset backend to whatever host the DB connection was
+            # configured with; validate it before the call to keep this
+            # path consistent with the dataset-import and webhook URL
+            # checks. Operators with internal Impala targets can opt out
+            # via IMPALA_CANCEL_QUERY_ALLOW_INTERNAL_HOSTS.
+            if not impala_host:
+                return False
+            if not app.config[
+                "IMPALA_CANCEL_QUERY_ALLOW_INTERNAL_HOSTS"
+            ] and not is_safe_host(impala_host):
+                logger.warning(
+                    "Impala cancel_query refused: target host is not allowed"
+                )
+                return False
             url = 
f"http://{impala_host}:25000/cancel_query?query_id={cancel_query_id}";
-            response = requests.post(url, timeout=3)
+            # Do not follow redirects: a validated host could otherwise 30x the
+            # request to an internal target, bypassing the is_safe_host check.

Review Comment:
   Good catch on the re-resolution window. The host check here is a 
defense-in-depth baseline that blocks the direct case. Fully closing the gap 
between validation and the request means pinning the resolved address across 
every outbound path (Impala cancel, webhook, dataset fetch), which is a larger 
cross-cutting change. Tracking that as a dedicated follow-up rather than 
folding it into this PR; the host validation stays as the baseline here.
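
The address pinning described in the comment above, sketched as an added example (not code from the PR or from Superset): resolve the host once, vet every returned address, then send the request to the vetted IP. The names `pin_address` and `pinned_cancel_request`, the injectable resolver and the "globally routable only" policy are assumptions for illustration; port 25000 and the `/cancel_query` path come from the hunk.

```python
from __future__ import annotations
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import quote

Resolver = Callable[[str], Iterable[str]]  # hypothetical hook so tests run offline

def system_resolver(host: str) -> list[str]:
    """Resolve host to its IP address strings with the OS resolver."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def is_public_ip(addr: str) -> bool:
    """Assumed policy: accept only globally routable addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    # Unwrap ::ffff:a.b.c.d so a mapped private IPv4 address is judged as IPv4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return ip.is_global

def pin_address(host: str, resolver: Resolver = system_resolver) -> str | None:
    """Resolve once; return one vetted IP, or None if any answer is unsafe."""
    try:
        addrs = list(resolver(host))
    except OSError:  # includes socket.gaierror
        return None
    # Reject mixed answers: one internal record is enough to refuse the host.
    if not addrs or not all(is_public_ip(a) for a in addrs):
        return None
    return addrs[0]

def pinned_cancel_request(host: str, query_id: str,
                          resolver: Resolver = system_resolver
                          ) -> tuple[str, dict[str, str]] | None:
    """Build (url, headers) aimed at the vetted IP, so the HTTP client never
    resolves the name a second time. Returns None when the host is refused."""
    ip = pin_address(host, resolver)
    if ip is None:
        return None
    target = f"[{ip}]" if ":" in ip else ip  # bracket IPv6 literals in URLs
    url = f"http://{target}:25000/cancel_query?query_id={quote(query_id, safe='')}"
    return url, {"Host": f"{host}:25000"}
```

A caller would pass the result to `requests.post(url, headers=headers, timeout=3, allow_redirects=False)`. Pinning by IP is this simple only for plain HTTP; over TLS the client also needs the original name for SNI and certificate checks.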


