codeant-ai-for-open-source[bot] commented on code in PR #40769:
URL: https://github.com/apache/superset/pull/40769#discussion_r3435341365
##########
superset/views/core.py:
##########
@@ -853,7 +853,11 @@ def dashboard_permalink(
) -> FlaskResponse:
try:
value = GetDashboardPermalinkCommand(key).run()
- except (DashboardPermalinkGetFailedError, DashboardAccessDeniedError)
as ex:
+ except DashboardAccessDeniedError as ex:
+ if not get_current_user():
+ return redirect_to_login()
+ return json_error_response(__("Error: %(msg)s", msg=ex.message),
status=404)
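Review bot: the `except` on the removed line also caught `DashboardPermalinkGetFailedError`, but the added `except DashboardAccessDeniedError as ex:` catches only the access-denied case, and the hunk shown here ends before any handler for the failed-get case; confirm that a handler for `DashboardPermalinkGetFailedError` follows these lines, otherwise an unknown or expired key now escapes as an unhandled exception instead of the error response it produced before. In the branch that is visible, `json_error_response(__("Error: %(msg)s", msg=ex.message), status=404)` pairs a 404 status with a body that states the real reason; if the status is meant to read as not-found, the body should say not-found as well.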
Review Comment:
**Suggestion:** The authenticated access-denied branch returns HTTP 404 but
includes the explicit "you don't have access" message, which leaks that the
permalink key maps to a real protected dashboard and breaks the not-found
masking pattern used elsewhere. Return a generic not-found response/body (or
abort 404) for this branch so unauthorized users cannot distinguish valid
private permalinks from nonexistent ones. [security]
<details>
<summary><b>Severity Level:</b> Major ⚠️</summary>
```mdx
- ❌ Dashboard permalink reveals private dashboards to unauthorized logged-in users.
- ⚠️ Inconsistent with main dashboard view's masked 404 behavior.
```
</details>
<details>
<summary><b>Steps of Reproduction ✅ </b></summary>
```mdx
1. Configure a Superset instance where user U has general access but not to a specific dashboard D, so that `DashboardDAO.get_by_id_or_slug` raises `DashboardAccessDeniedError` for D (see `superset/daos/dashboard.py:37-60` where `dashboard.raise_for_access()` maps `SupersetSecurityException` to `DashboardAccessDeniedError`).
2. As another user with access to D, create or obtain a dashboard permalink for D so a valid key exists, which will be resolved by `GetDashboardPermalinkCommand.run()` (see `superset/commands/dashboard/permalink/get.py:42-50` where the key is decoded and `DashboardDAO.get_by_id_or_slug(value["dashboardId"])` is called).
3. Log in as user U (so `get_current_user()` is truthy) and request `GET /superset/dashboard/p/<key>/` which is routed to `dashboard_permalink` at `superset/views/core.py:848-853` (`@expose("/dashboard/p/<key>/", methods=("GET",))` and `def dashboard_permalink(self, key: str)`).
4. During this request, `GetDashboardPermalinkCommand(key).run()` raises `DashboardAccessDeniedError` for U; the `except DashboardAccessDeniedError as ex` block at `superset/views/core.py:856-859` handles it, and because `get_current_user()` is true, execution reaches line 859 returning `json_error_response(__("Error: %(msg)s", msg=ex.message), status=404)`. Since `DashboardAccessDeniedError.message` is `"You don't have access to this dashboard."` (`superset/commands/dashboard/exceptions.py:93-95`), user U observes a 404 with an explicit permission-denied body, while invalid/nonexistent permalinks instead return `DashboardPermalinkGetFailedError` or `"permalink state not found"` responses (see `superset/views/core.py:860-862` and `superset/commands/dashboard/permalink/get.py:51-57`), allowing U to distinguish valid private permalinks from nonexistent ones and breaking the masked-404 pattern used in the main dashboard view (`superset/views/core.py:790-36` where unauthorized access results in `abort(404)`).
```
</details>
<details>
<summary><b>Prompt for AI Agent 🤖 </b></summary>
```mdx
This is a comment left during a code review.
**Path:** superset/views/core.py
**Line:** 859:859
**Comment:**
*Security: The authenticated access-denied branch returns HTTP 404 but
includes the explicit "you don't have access" message, which leaks that the
permalink key maps to a real protected dashboard and breaks the not-found
masking pattern used elsewhere. Return a generic not-found response/body (or
abort 404) for this branch so unauthorized users cannot distinguish valid
private permalinks from nonexistent ones.
Validate the correctness of the flagged issue. If correct, how can I resolve
this? If you propose a fix, implement it and please make it concise.
Once the fix is implemented, also check other comments on the same PR, and ask
the user if the user wants to fix the rest of the comments as well. If they say yes,
then fetch all the comments, validate their correctness and implement a minimal fix.
```
</details>
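The distinguishability the comment describes can be checked mechanically: feed the same low-privilege caller a real private key and a key that does not exist, and compare the two responses. The model below is an added illustration, not code from Superset or from the PR. The two exception classes, the `PERMALINKS` and `DASHBOARD_ACL` tables, `get_dashboard_permalink` (standing in for `GetDashboardPermalinkCommand(key).run()`) and both handler functions are constructed stand-ins; `handler_as_proposed` mirrors the branch structure of the hunk above, and `handler_masked` is one way to apply the suggested fix.

```python
"""Added example (not Superset's code): models the permalink view's error
branches and tests whether a caller without access to a dashboard can tell
a real private permalink apart from a nonexistent key.  All names, data and
handlers here are constructed stand-ins for illustration."""
from __future__ import annotations

from typing import Callable, Optional, Tuple


# --- minimal stand-ins for the exception classes named in the review -------
class DashboardAccessDeniedError(Exception):
    message = "You don't have access to this dashboard."


class DashboardPermalinkGetFailedError(Exception):
    message = "permalink state not found"


# Constructed data: permalink key -> dashboard id, dashboard id -> allowed users.
PERMALINKS = {"k-private": 7, "k-public": 8}
DASHBOARD_ACL = {7: {"alice"}, 8: {"alice", "bob"}}


def get_dashboard_permalink(key: str, user: Optional[str]) -> int:
    """Stand-in for GetDashboardPermalinkCommand(key).run(): resolve the key,
    then enforce access, raising the same two exception types the view catches."""
    if key not in PERMALINKS:
        raise DashboardPermalinkGetFailedError()
    dashboard_id = PERMALINKS[key]
    if user not in DASHBOARD_ACL[dashboard_id]:
        raise DashboardAccessDeniedError()
    return dashboard_id


Response = Tuple[int, str]  # (HTTP status, body) is all the comparison needs
LOGIN_REDIRECT: Response = (302, "redirect:/login/")
NOT_FOUND: Response = (404, "Not found")


def handler_as_proposed(key: str, user: Optional[str]) -> Response:
    """Mirrors the branch structure in the PR hunk: a 404 status, but the
    body still carries the access-denied message."""
    try:
        dashboard_id = get_dashboard_permalink(key, user)
    except DashboardAccessDeniedError as ex:
        if user is None:
            return LOGIN_REDIRECT
        return (404, f"Error: {ex.message}")
    except DashboardPermalinkGetFailedError as ex:
        return (404, f"Error: {ex.message}")
    return (200, f"dashboard {dashboard_id}")


def handler_masked(key: str, user: Optional[str]) -> Response:
    """Hardened variant: every failure an authenticated caller can trigger
    collapses to one identical not-found response, as the review suggests."""
    try:
        dashboard_id = get_dashboard_permalink(key, user)
    except DashboardAccessDeniedError:
        if user is None:
            return LOGIN_REDIRECT
        return NOT_FOUND
    except DashboardPermalinkGetFailedError:
        return NOT_FOUND
    return (200, f"dashboard {dashboard_id}")


def is_oracle(handler: Callable[[str, Optional[str]], Response],
              user: Optional[str] = "bob") -> bool:
    """True if `user` (who has no access to dashboard 7) receives a different
    response for the real private permalink than for a key that does not
    exist; any difference in status or body is enough to act as an oracle."""
    return handler("k-private", user) != handler("k-nonexistent", user)


if __name__ == "__main__":
    print("proposed leaks to logged-in user:", is_oracle(handler_as_proposed))
    print("masked leaks to logged-in user:  ", is_oracle(handler_masked))
    # The login redirect only fires in the access-denied branch, so an
    # anonymous caller still sees 302 for a real key and 404 for an unknown one.
    print("masked leaks to anonymous user:  ", is_oracle(handler_masked, None))
```

Running it shows the proposed handler is an oracle for a logged-in user and the masked handler is not. The third line is the caveat worth carrying back to the PR: because `redirect_to_login()` is reached only inside the access-denied branch, an unauthenticated caller can still separate real keys (redirect) from unknown ones (404); whether that matters depends on whether the view is meant to be reachable anonymously at all, and fixing it means deciding the anonymous behaviour before the key is resolved rather than after.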
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]