codeant-ai-for-open-source[bot] commented on code in PR #37950:
URL: https://github.com/apache/superset/pull/37950#discussion_r2817910804


##########
docker/install-msodbcsql18.sh:
##########
@@ -0,0 +1,70 @@
+#!/usr/bin/env bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+set -euo pipefail
+
+echo "[msodbcsql18] Installing Microsoft ODBC Driver 18 for SQL Server..."
+
+if [[ "${EUID}" -ne 0 ]]; then
+  echo "[msodbcsql18] This script must be run as root" >&2
+  exit 1
+fi
+
+if [[ ! -f /etc/os-release ]]; then
+  echo "[msodbcsql18] Missing /etc/os-release; cannot determine distro" >&2
+  exit 1
+fi
+
+# shellcheck disable=SC1091
+. /etc/os-release
+
+if [[ "${ID:-}" != "debian" ]]; then
+  echo "[msodbcsql18] Unsupported distro ID=${ID:-unknown}; expected debian" 
>&2
+  exit 1
+fi
+
+DEBIAN_MAJOR="${VERSION_ID%%.*}"
+if [[ -z "${DEBIAN_MAJOR}" ]]; then
+  echo "[msodbcsql18] Could not parse VERSION_ID=${VERSION_ID:-}" >&2
+  exit 1
+fi
+
+# Microsoft packages repo is published per Debian major version.
+# If we're on an unsupported/newer Debian, fall back to the latest known repo.
+REPO_MAJOR="${DEBIAN_MAJOR}"
+if [[ "${DEBIAN_MAJOR}" -gt 12 ]]; then
+  echo "[msodbcsql18] Debian ${DEBIAN_MAJOR} detected; falling back to Debian 
12 repo for Microsoft packages."
+  REPO_MAJOR="12"
+fi
+
+apt-get update -qq
+apt-get install -yqq --no-install-recommends ca-certificates curl gnupg 
apt-transport-https
+
+# Add the Microsoft repo manually with [trusted=yes] to work around GPG
+# signature issues.  Microsoft's repo signing key uses SHA1, which newer
+# versions of GnuPG / sqv reject (SHA1 deprecated since 2026-02-01).
+curl -fsSL "https://packages.microsoft.com/keys/microsoft.asc"; | gpg --dearmor 
-o /usr/share/keyrings/microsoft-archive-keyring.gpg 2>/dev/null || true
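Review bot: the `curl ... | gpg --dearmor -o /usr/share/keyrings/microsoft-archive-keyring.gpg 2>/dev/null || true` step at the end of the hunk swallows every failure of the key download and dearmoring, so the keyring can end up missing or empty without the script noticing, and the comment two lines above says the repository is then added with `[trusted=yes]`, which turns off apt's signature verification for that repo entirely and leaves the keyring unused. Drop the `|| true`, fail if the keyring file is empty, and reference it with `signed-by=` rather than `[trusted=yes]`; if the concern is GnuPG rejecting the key's SHA-1 self-signature, check the downloaded key's fingerprint against a pinned value (for example via `gpg --show-keys --with-fingerprint`) before installing it instead of disabling verification. Separately, the `;` after the URL on the `curl` line terminates the command before the `|` and is a syntax error if it is really in the file rather than an artifact of the archive, and `set -euo pipefail` at the top is undone by `|| true` on exactly the step where a failure matters most.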

Review Comment:
   **Suggestion:** The Microsoft APT repository is configured with `[trusted=yes]`, which disables signature verification and allows potentially unsigned or tampered packages to be installed even though a keyring is created just above. [security]
   
   <details>
   <summary><b>Severity Level:</b> Critical 🚨</summary>
   
   ```mdx
   - ❌ msodbcsql18 installed without verifying Microsoft package signatures.
   - ⚠️ Increases supply-chain risk for SQL Server connectivity.
   ```
   </details>
   
   ```suggestion
   echo "deb [signed-by=/usr/share/keyrings/microsoft-archive-keyring.gpg] https://packages.microsoft.com/debian/${REPO_MAJOR}/prod $(. /etc/os-release && echo bookworm) main" \
   ```
   <details>
   <summary><b>Steps of Reproduction ✅ </b></summary>
   
   ```mdx
   1. Run `docker/install-msodbcsql18.sh` as root on a Debian system that satisfies the earlier checks (`/etc/os-release` exists and `ID=debian`, lines 27–38).
   
   2. The script writes `/etc/apt/sources.list.d/mssql-release.list` at line 60 with the entry `deb [trusted=yes] https://packages.microsoft.com/debian/${REPO_MAJOR}/prod ... main`, explicitly marking the Microsoft repository as trusted and bypassing signature verification.
   
   3. Remove the Microsoft keyring file created at line 60 (`/usr/share/keyrings/microsoft-archive-keyring.gpg`) or ensure it does not exist, then run `apt-get update -qq` and `ACCEPT_EULA=Y apt-get install -yqq msodbcsql18` as invoked at lines 64–65.
   
   4. Observe that `apt-get` successfully updates and installs `msodbcsql18` from `packages.microsoft.com` even though no valid signing key is available, confirming that `[trusted=yes]` causes packages from this repository to be accepted without cryptographic verification.
   ```
   </details>
   <details>
   <summary><b>Prompt for AI Agent 🤖 </b></summary>
   
   ```mdx
   This is a comment left during a code review.
   
   **Path:** docker/install-msodbcsql18.sh
   **Line:** 60:60
   **Comment:**
        *Security: The Microsoft APT repository is configured with `[trusted=yes]`, which disables signature verification and allows potentially unsigned or tampered packages to be installed even though a keyring is created just above.
   
   Validate the correctness of the flagged issue. If correct, how can I resolve this? If you propose a fix, implement it and please make it concise.
   ```
   </details>
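As an added example (not part of the PR or of the bot's comment), a small bash audit that flags the two conditions the review describes in an APT sources entry: a `[trusted=yes]` option, which disables signature checks for that repository, and a `signed-by=` keyring that is missing or empty, which is what a silently failed `curl | gpg --dearmor ... || true` step leaves behind. The function names `audit_apt_line` and `audit_sources_file` and the optional root prefix argument are my own; the sources lines used to exercise it are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the PR or the bot's comment: audit APT source entries
# for the two conditions discussed above. [trusted=yes] turns off signature
# verification for that repository; a signed-by= keyring that is missing or
# empty is what a silently failed "curl | gpg --dearmor ... || true" leaves.
set -euo pipefail

# audit_apt_line LINE [ROOT]: print findings for one sources.list entry and
# return 1 if it is unsafe. ROOT is an optional prefix for keyring paths
# (hypothetical convenience so tests never touch /usr/share/keyrings).
audit_apt_line() {
  local line="$1" root="${2:-}" opts="" rc=0
  local re_entry='^[[:space:]]*deb(-src)?[[:space:]]'
  local re_opts='\[([^]]*)\]'
  local re_trusted='(^|[[:space:]])trusted=yes($|[[:space:]])'
  local re_signed='signed-by=([^[:space:]]+)'
  # Comments, blanks and anything that is not a deb/deb-src entry pass.
  [[ "$line" =~ $re_entry ]] || return 0
  [[ "$line" =~ $re_opts ]] && opts="${BASH_REMATCH[1]}"
  if [[ "$opts" =~ $re_trusted ]]; then
    echo "CRITICAL: [trusted=yes] disables signature checks: $line"
    rc=1
  fi
  if [[ "$opts" =~ $re_signed ]]; then
    local keyring="${root}${BASH_REMATCH[1]}"
    if [[ ! -s "$keyring" ]]; then
      echo "ERROR: signed-by keyring missing or empty: $keyring"
      rc=1
    fi
  elif (( rc == 0 )); then
    echo "WARN: no signed-by=, entry relies on the global trusted.gpg.d: $line"
  fi
  return "$rc"
}

# audit_sources_file FILE [ROOT]: audit every line of a sources file and
# return the number of unsafe entries (0 means clean).
audit_sources_file() {
  local file="$1" root="${2:-}" bad=0 line
  while IFS= read -r line || [[ -n "$line" ]]; do
    audit_apt_line "$line" "$root" || bad=$((bad + 1))
  done < "$file"
  return "$bad"
}
```

After sourcing the file, `audit_sources_file /etc/apt/sources.list.d/mssql-release.list` prints one finding per bad entry and exits with the number of unsafe entries, so it can gate a container build.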



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
