rusackas commented on PR #39646: URL: https://github.com/apache/superset/pull/39646#issuecomment-4700688444
Appreciate the report, but this sits outside our threat model. Configuring a database connection (host included) is a privileged operation, so a principal who can point a connector at an internal address is already inside the operator/admin trust boundary that SECURITY.md treats as trusted, it isn't a privilege boundary violation. You also flagged it yourself above, that the patch is too blunt for enterprise OAuth2 setups where the token endpoint may legitimately be internal, which is the core problem with blanket-blocking private ranges. Closing for now. If there's a path where an unprivileged role (Public/Gamma/sql_lab) can trigger one of these requests to an attacker-chosen host, that's a different conversation, so reopen with the specific role and we'll take another look.
