rusackas commented on PR #41162: URL: https://github.com/apache/superset/pull/41162#issuecomment-4734274703
Going to close this one. Digging in further, the base.py hardening here doesn't actually clear the two CodeQL alerts anyway... the flows they trace originate in the callers (api.py's `time_range` interpolating `str(error)`, and viz.py's `message=str(ex)`), not in base.py. And those are error *messages*, not stack traces. The genuine stack traces (`get_error_msg` / `get_stacktrace`) are already gated behind `SHOW_STACKTRACE`, which defaults to off. Per SECURITY.md, information disclosure through error messages that doesn't enable a concrete exploit is out of scope, so I'd rather not blank out those user-facing messages just to appease the scanner (it'd hurt UX for no real security gain). I've dismissed alerts #2461 and #2540 as won't-fix with that rationale. Happy to reopen if anyone disagrees.
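The distinction the comment draws, between a user-facing error message that is always returned and a stack trace that is only attached when a `SHOW_STACKTRACE`-style flag is on, as an added illustration that is not Superset's own code (the `build_error_payload` function and the sample exception are constructed for this example):

```python
import traceback

# Hypothetical error-response builder, written for this example only. It
# mirrors the pattern described in the comment: str(exc) is the message a
# client sees; the traceback (file paths, line numbers) is attached only
# when the show_stacktrace flag is explicitly enabled.


def build_error_payload(exc: BaseException, show_stacktrace: bool = False) -> dict:
    """Return the JSON-style error payload a handler would send back."""
    payload = {"message": str(exc)}  # the message part, e.g. what str(error) yields
    if show_stacktrace:
        # Only on this branch does the traceback leave the server.
        payload["stacktrace"] = "".join(
            traceback.format_exception(type(exc), exc, exc.__traceback__)
        )
    return payload


def _raise_sample() -> BaseException:
    """Produce an exception with a real traceback attached (constructed input)."""
    try:
        raise ValueError("Invalid time range: 'last weak'")
    except ValueError as ex:
        return ex


def demo() -> tuple:
    """Build the payload with the flag off (default) and with it on."""
    ex = _raise_sample()
    hidden = build_error_payload(ex)                        # default: no trace
    shown = build_error_payload(ex, show_stacktrace=True)   # trace included
    return hidden, shown


if __name__ == "__main__":
    hidden, shown = demo()
    print("flag off:", hidden)
    print("flag on keys:", sorted(shown))
```

With the flag off the payload carries only the message text, which is the disclosure the CodeQL alerts flagged; the traceback, which is what actually reveals internals, appears only under the opt-in flag.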
