Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: refuse to start with default secret on non debug envs #23186

Merged
merged 6 commits into from
Mar 1, 2023
Merged
Show file tree
Hide file tree
Changes from 3 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions docker/.env-non-dev
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,7 @@ REDIS_PORT=6379
FLASK_ENV=production
SUPERSET_ENV=production
SUPERSET_LOAD_EXAMPLES=yes
SUPERSET_SECRET_KEY=TEST_NON_DEV_SECRET
CYPRESS_CONFIG=false
SUPERSET_PORT=8088
MAPBOX_API_KEY=''
3 changes: 2 additions & 1 deletion superset/config.py
Original file line number Diff line number Diff line change
Expand Up @@ -188,7 +188,8 @@ def _try_json_readsha(filepath: str, length: int) -> Optional[str]:
SQLALCHEMY_TRACK_MODIFICATIONS = False
# ---------------------------------------------------------

# Your App secret key. Make sure you override it on superset_config.py.
# Your App secret key. Make sure you override it on superset_config.py
# or use `SUPERSET_SECRET_KEY` environment variable.
# Use a strong complex alphanumeric string and use a tool to help you generate
# a sufficiently random sequence, ex: openssl rand -base64 42"
SECRET_KEY = CHANGE_ME_SECRET_KEY
Expand Down
19 changes: 18 additions & 1 deletion superset/initialization/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@

import logging
import os
import sys
from typing import Any, Callable, Dict, TYPE_CHECKING

import wtforms_json
Expand Down Expand Up @@ -458,7 +459,7 @@ def init_app_in_ctx(self) -> None:
self.init_views()

def check_secret_key(self) -> None:
if self.config["SECRET_KEY"] == CHANGE_ME_SECRET_KEY:
def log_default_secret_key_warning() -> None:
top_banner = 80 * "-" + "\n" + 36 * " " + "WARNING\n" + 80 * "-"
bottom_banner = 80 * "-" + "\n" + 80 * "-"
logger.warning(top_banner)
Expand All @@ -471,6 +472,22 @@ def check_secret_key(self) -> None:
)
logger.warning(bottom_banner)

if self.config["SECRET_KEY"] == CHANGE_ME_SECRET_KEY:
if "SUPERSET_SECRET_KEY" in os.environ:
self.config["SECRET_KEY"] = os.environ["SUPERSET_SECRET_KEY"]
return
if (
self.superset_app.debug
or self.superset_app.config["TESTING"]
or "PYTEST_CURRENT_TEST" in os.environ
):
logger.warning("Debug mode identified with default secret key")
log_default_secret_key_warning()
return
log_default_secret_key_warning()
logger.error("Refusing to start due to insecure SECRET_KEY")
sys.exit(1)
eschutho marked this conversation as resolved.
Show resolved Hide resolved

def init_app(self) -> None:
"""
Main entry point which will delegate to other methods in
Expand Down