orbisai0security commented on PR #39645:
URL: https://github.com/apache/superset/pull/39645#issuecomment-4787754361
Hey, thanks for digging into this carefully.
You're reading it correctly. After the rebase, the diff is essentially just
the debug-log cleanup (stripping exception detail and missing scopes from the
logger.debug lines). The core security hardening (_FORBIDDEN_ALGORITHMS,
mandatory exp, the int(exp) cast) does appear to already be on master.
Given that, I agree with your instinct: closing this as superseded makes
sense. No point carrying forward a PR whose security substance is already
covered.
One thing worth confirming before you close: the OverflowError gap flagged
by codeant-ai (exp=1e309 → float('inf') → int(inf) raises OverflowError, which
isn't in the except tuple and would return a 500 instead of a 401) is a real
bug in the pre-existing master code.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]