codeant-ai-for-open-source[bot] commented on PR #36597: URL: https://github.com/apache/superset/pull/36597#issuecomment-3648022679
## Nitpicks 🔍

🔒 **No security issues identified**

⚡ **Recommended areas for review**

- [ ] [**Security Concern**](https://github.com/apache/superset/pull/36597/files#diff-3834c36280e1af5685801f3357578aaec5a110699a2b8eb97844c56b4400c091R635-R644)
  Broadening allowed hosts while running a dev server can allow Host header based requests from arbitrary remote hosts. Ensure this change is only applied in development and consider explicit opt-in or narrower rules to avoid unintentionally exposing the dev server to untrusted networks.
- [ ] [**Possible Bug**](https://github.com/apache/superset/pull/36597/files#diff-3834c36280e1af5685801f3357578aaec5a110699a2b8eb97844c56b4400c091R635-R644)
  If `devserverHost` is set to `0.0.0.0` (common in Docker), adding that literal value to `allowedHosts` will not match incoming requests whose Host header is an actual external IP (e.g. `192.168.x.x`). In that case including `0.0.0.0` is ineffective. Consider special-casing `0.0.0.0`/`::` to allow hosts differently (e.g. `allowedHosts: "all"` or using `auto`) so external client Host headers are accepted when the server binds to all interfaces.
- [ ] [**Host Format Validation**](https://github.com/apache/superset/pull/36597/files#diff-3834c36280e1af5685801f3357578aaec5a110699a2b8eb97844c56b4400c091R635-R644)
  `devserverHost` may be provided through CLI/env and could include a protocol or port (e.g. `http://host:9000`). The current code inserts it directly into `allowedHosts`. Validate/sanitize the value to ensure only the hostname (no protocol/port) is added, otherwise match rules may fail.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
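One way to address the three review points above in a webpack-dev-server config, as an added example that is not part of the PR or of Superset's own code (`devserverHost`, the helper names and the sample inputs are assumptions; only `allowedHosts` and its `'auto'` value are real webpack-dev-server options):

```javascript
// Added example (not Superset code): derive a safe webpack-dev-server
// `allowedHosts` value from a user-supplied devserverHost.

// Bind-all addresses never appear in a client's Host header, so listing
// them in allowedHosts is ineffective; they get special treatment below.
const BIND_ALL = new Set(['0.0.0.0', '::']);

// Reduce a bare host, host:port, bracketed IPv6 literal or full URL to its
// hostname only (no scheme, port or path). Returns null on unparseable input.
function hostnameOf(value) {
  let v = String(value).trim();
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(v)) {
    // Bare IPv6 literal without brackets: wrap it so URL parsing accepts it.
    if ((v.match(/:/g) || []).length > 1 && !v.startsWith('[')) v = `[${v}]`;
    v = `http://${v}`;
  }
  let hostname;
  try {
    hostname = new URL(v).hostname; // URL is a global in Node >= 10
  } catch (err) {
    return null;
  }
  // URL keeps brackets around IPv6 literals; strip them for comparison.
  return hostname.replace(/^\[|\]$/g, '').toLowerCase();
}

// Build the allowedHosts setting. `extra` is an assumed pre-existing list of
// hosts the project already allows (e.g. ['localhost']).
function allowedHostsFor(devserverHost, extra = []) {
  const host = hostnameOf(devserverHost);
  if (host === null) throw new Error(`invalid devserverHost: ${devserverHost}`);
  // When binding to all interfaces, prefer dev-server's own 'auto' check
  // over 'all': it is the narrower of the two options the review suggests.
  if (BIND_ALL.has(host)) return 'auto';
  // Otherwise allow only the sanitized hostname, de-duplicated.
  return Array.from(new Set([...extra, host]));
}

module.exports = { hostnameOf, allowedHostsFor };
```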
