korbit-ai[bot] commented on code in PR #31821:
URL: https://github.com/apache/superset/pull/31821#discussion_r1913720436
##########
docker/pythonpath_dev/superset_config.py:
##########
@@ -120,3 +122,31 @@ class CeleryConfig:
)
except ImportError:
logger.info("Using default Docker config...")
+
+# Basic secret key
+SECRET_KEY = os.getenv("SECRET_KEY", "your-constant-secret-key")
+ENCRYPTION_KEY = os.getenv("ENCRYPTION_KEY", "your-constant-encryption-key")
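Review bot: the `os.getenv(..., "your-constant-secret-key")` and `os.getenv(..., "your-constant-encryption-key")` fallbacks on the two new assignments mean a container started without those variables silently runs with a key that is public in the repository, and SECRET_KEY is the value Superset uses to sign session cookies, so anyone who can read this file can mint sessions for such a deployment. Prefer failing at import time, e.g. `SECRET_KEY = os.environ["SECRET_KEY"]` (a KeyError stops startup) or an explicit check that raises when the value is unset or still equals the placeholder. The hunk also only shows ENCRYPTION_KEY being assigned, and the `# Basic secret key` comment covers SECRET_KEY alone; state in the comment which consumer reads ENCRYPTION_KEY.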
Review Comment:
### Hardcoded secret and encryption keys found.
<details>
<summary>Tell me more</summary>
Security Issue: Hardcoded Secret Key and Encryption Key
The `SECRET_KEY` and `ENCRYPTION_KEY` are hardcoded with default values in
the `superset_config.py` file. Hardcoding sensitive information like secret
keys is a security risk because if the codebase is compromised, an attacker can
easily obtain these keys and use them for malicious purposes.
To resolve this issue, remove the hardcoded default values and ensure the
secret key and encryption key are loaded from environment variables or a secure
secrets management system at runtime. Do not commit the actual key values in
the codebase.
</details>
###### Chat with Korbit by mentioning @korbit-ai, and give a 👍 or 👎 to help
Korbit improve your reviews.
<!--- korbi internal id:b613949a-7258-448f-85e2-9edb52461d2c -->
##########
docker/pythonpath_dev/superset_config.py:
##########
@@ -120,3 +122,31 @@ class CeleryConfig:
)
except ImportError:
logger.info("Using default Docker config...")
+
+# Basic secret key
+SECRET_KEY = os.getenv("SECRET_KEY", "your-constant-secret-key")
+ENCRYPTION_KEY = os.getenv("ENCRYPTION_KEY", "your-constant-encryption-key")
+
+#
------------------------------------------------------------------------------
+# Keycloak (OpenID Connect) authentication config and other settings...
+#
------------------------------------------------------------------------------
+AUTH_TYPE = AUTH_OID
+OIDC_CLIENT_SECRETS = "/app/docker/pythonpath_dev/client_secret.json"
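Review bot: `AUTH_TYPE = AUTH_OID` relies on a name whose import is not part of this hunk; unless `from flask_appbuilder.security.manager import AUTH_OID` (or an equivalent import) already exists above the `CeleryConfig` region, importing this config raises NameError and Superset will not start. The `OIDC_CLIENT_SECRETS` line also pins the secrets file to a fixed path inside the checkout (`/app/docker/pythonpath_dev/client_secret.json`); that file holds the client secret, so make sure it is listed in `.gitignore` and `.dockerignore` so it is neither committed nor baked into the image, and read the path from the environment (`os.getenv("OIDC_CLIENT_SECRETS", ...)`) so CI and production can mount it elsewhere.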
Review Comment:
### Non-configurable OIDC Client Secrets Path
<details>
<summary>Tell me more</summary>
###### What is the issue?
Hardcoded path to client secrets file could cause authentication failures if
the file location changes or in different environments.
###### Why this matters
A non-configurable secrets file location reduces deployment flexibility and
could break authentication if the file is stored elsewhere.
###### Suggested change ∙ *Feature Preview*
Make the client secrets path configurable via environment variable:
```python
OIDC_CLIENT_SECRETS = os.getenv("OIDC_CLIENT_SECRETS",
"/app/docker/pythonpath_dev/client_secret.json")
```
</details>
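Both review comments above come down to the same fix: read the secret and the secrets-file path from the environment, and refuse to start when they are missing or still hold a template placeholder. The following is an added example of that pattern for a superset_config.py-style module; it is not code from the Superset PR under review, from the Superset project, or from Korbit. The names load_secret, resolve_client_secrets, ConfigError, PLACEHOLDER_VALUES and MIN_SECRET_LEN are assumptions, the `NAME_FILE` lookup follows the Docker/Compose secrets convention, and the expected shape of the client secrets file (a top-level "web" object with client_id and client_secret) is the Google-style layout flask-oidc consumes, assumed here rather than taken from the page.

```python
"""Strict secret loading for a superset_config.py-style module.

Added example (not Superset's or Korbit's code). All names below are assumptions.
"""
import json
import os
import secrets
import stat
import tempfile
from pathlib import Path
from typing import Mapping, Optional


class ConfigError(RuntimeError):
    """Raised while the config module is imported, so the app refuses to
    start instead of running with a guessable key."""


# Placeholder strings that ship in config templates; constructed list.
PLACEHOLDER_VALUES = frozenset({
    "your-constant-secret-key",
    "your-constant-encryption-key",
    "changeme",
    "change-me",
    "thisisasecretkey",
})
MIN_SECRET_LEN = 32  # assumption: secrets.token_urlsafe(24) yields 32 chars


def load_secret(name: str, env: Optional[Mapping[str, str]] = None,
                min_len: int = MIN_SECRET_LEN) -> str:
    """Return the secret from NAME, or from the file named by NAME_FILE.
    There is deliberately no built-in default value."""
    env = os.environ if env is None else env
    value = env.get(name)
    file_ref = env.get(f"{name}_FILE")
    if not value and file_ref:
        path = Path(file_ref)
        if not path.is_file():
            raise ConfigError(f"{name}_FILE points at a missing file: {path}")
        value = path.read_text(encoding="utf-8").strip()
    if not value:
        raise ConfigError(f"{name} is not set; refusing to start with a built-in default")
    if value.strip().lower() in PLACEHOLDER_VALUES:
        raise ConfigError(f"{name} still holds a template placeholder")
    if len(value) < min_len:
        raise ConfigError(f"{name} is shorter than {min_len} characters")
    return value


def resolve_client_secrets(env: Optional[Mapping[str, str]] = None,
                           default_path: str = "/app/docker/pythonpath_dev/client_secret.json") -> str:
    """Resolve OIDC_CLIENT_SECRETS from the environment and validate the file
    before handing the path to the OIDC library."""
    env = os.environ if env is None else env
    path = Path(env.get("OIDC_CLIENT_SECRETS", default_path))
    if not path.is_file():
        raise ConfigError(f"OIDC client secrets file not found: {path}")
    if os.name == "posix":  # mode bits are only meaningful on POSIX hosts
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & 0o077:
            raise ConfigError(f"{path} is readable by group/other (mode {mode:o}); expected 0600")
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except json.JSONDecodeError as exc:
        raise ConfigError(f"{path} is not valid JSON: {exc}") from exc
    web = data.get("web") if isinstance(data, dict) else None
    if not isinstance(web, dict) or not web.get("client_id") or not web.get("client_secret"):
        raise ConfigError(f"{path} lacks web.client_id / web.client_secret")
    return str(path)


def demo() -> dict:
    """Constructed scenario: the template-style environment beside a corrected
    one, using throwaway files so the example runs offline."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        secrets_file = Path(tmp) / "client_secret.json"
        secrets_file.write_text(json.dumps(
            {"web": {"client_id": "superset", "client_secret": "constructed-value"}}))
        os.chmod(secrets_file, 0o600)
        key_file = Path(tmp) / "secret_key"
        key_file.write_text(secrets.token_urlsafe(48))  # 64 urlsafe characters
        os.chmod(key_file, 0o600)

        # Weak: the placeholder from the reviewed hunk is rejected, not accepted.
        weak_env = {"SECRET_KEY": "your-constant-secret-key"}
        try:
            load_secret("SECRET_KEY", weak_env)
            results["weak"] = "accepted"
        except ConfigError as exc:
            results["weak"] = f"rejected: {exc}"

        # Corrected: key mounted as a file, secrets path supplied by the environment.
        good_env = {"SECRET_KEY_FILE": str(key_file),
                    "OIDC_CLIENT_SECRETS": str(secrets_file)}
        results["strong_len"] = len(load_secret("SECRET_KEY", good_env))
        results["oidc_path"] = resolve_client_secrets(good_env) == str(secrets_file)
    return results
```

In a real superset_config.py the module-level assignments would become `SECRET_KEY = load_secret("SECRET_KEY")` and `OIDC_CLIENT_SECRETS = resolve_client_secrets()`, so a misconfigured container fails at the first import instead of serving sessions signed with a key anyone can read from the repository.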
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]