github-advanced-security[bot] commented on code in PR #33976:
URL: https://github.com/apache/superset/pull/33976#discussion_r2321429051


##########
superset/mcp_service/bin/superset-mcp.js:
##########
@@ -0,0 +1,227 @@
+#!/usr/bin/env node
+
+/**
+ * Apache Superset MCP Server Runner
+ *
+ * This script provides an npx-compatible runner for the Superset MCP service.
+ * It handles both stdio and HTTP transport modes and manages Python 
environment setup.
+ */
+
+const { spawn, execSync } = require('child_process');
+const path = require('path');
+const fs = require('fs');
+const os = require('os');
+
+// Parse command line arguments
+const args = process.argv.slice(2);
+const isStdio = args.includes('--stdio') || process.env.FASTMCP_TRANSPORT === 
'stdio';
+const isHttp = args.includes('--http') || (!isStdio && 
!args.includes('--stdio'));
+const isDebug = args.includes('--debug') || process.env.MCP_DEBUG === '1';
+const showHelp = args.includes('--help') || args.includes('-h');
+
+// Configuration
+const DEFAULT_PORT = process.env.MCP_PORT || '5008';
+const DEFAULT_HOST = process.env.MCP_HOST || '127.0.0.1';
+
+// Show help
+if (showHelp) {
+    console.log(`
+Apache Superset MCP Server
+
+Usage: npx @superset/mcp-server [options]
+
+Options:
+  --stdio       Run in stdio mode for direct Claude Desktop integration
+  --http        Run in HTTP mode (default)
+  --port PORT   HTTP port to bind to (default: ${DEFAULT_PORT})
+  --host HOST   HTTP host to bind to (default: ${DEFAULT_HOST})
+  --debug       Enable debug mode
+  --help        Show this help message
+
+Environment Variables:
+  FASTMCP_TRANSPORT     Transport mode (stdio or http)
+  MCP_PORT              HTTP port (default: ${DEFAULT_PORT})
+  MCP_HOST              HTTP host (default: ${DEFAULT_HOST})
+  MCP_DEBUG             Enable debug (set to 1)
+  PYTHONPATH            Python path including Superset root
+  SUPERSET_CONFIG_PATH  Path to superset_config.py
+
+Examples:
+  # Run in stdio mode for Claude Desktop
+  npx @superset/mcp-server --stdio
+
+  # Run in HTTP mode on custom port
+  npx @superset/mcp-server --http --port 6000
+
+  # Run with debug output
+  npx @superset/mcp-server --debug
+`);
+    process.exit(0);
+}
+
+// Find Superset root directory
+function findSupersetRoot() {
+    // Start from the mcp_service directory
+    let currentDir = path.resolve(__dirname, '..');
+
+    // Walk up until we find the superset root (contains setup.py or 
pyproject.toml)
+    while (currentDir !== path.dirname(currentDir)) {
+        if (fs.existsSync(path.join(currentDir, 'pyproject.toml')) ||
+            fs.existsSync(path.join(currentDir, 'setup.py'))) {
+            // Check if it's actually the superset root (has superset 
directory)
+            if (fs.existsSync(path.join(currentDir, 'superset'))) {
+                return currentDir;
+            }
+        }
+        currentDir = path.dirname(currentDir);
+    }
+
+    // Fallback to environment variable
+    if (process.env.PYTHONPATH) {
+        return process.env.PYTHONPATH;
+    }
+
+    throw new Error('Could not find Superset root directory. Please set 
PYTHONPATH environment variable.');
+}
+
+// Find Python executable
+function findPython() {
+    // Check for virtual environment in common locations
+    const supersetRoot = findSupersetRoot();
+    const venvPaths = [
+        path.join(supersetRoot, 'venv', 'bin', 'python'),
+        path.join(supersetRoot, '.venv', 'bin', 'python'),
+        path.join(supersetRoot, 'venv', 'Scripts', 'python.exe'),
+        path.join(supersetRoot, '.venv', 'Scripts', 'python.exe'),
+    ];
+
+    for (const venvPath of venvPaths) {
+        if (fs.existsSync(venvPath)) {
+            return venvPath;
+        }
+    }
+
+    // Check if python3 is available
+    try {
+        execSync('python3 --version', { stdio: 'ignore' });
+        return 'python3';
+    } catch (e) {
+        // Fall back to python
+        return 'python';
+    }
+}
+
+// Check Python and Superset installation
+function checkEnvironment() {
+    const python = findPython();
+    const supersetRoot = findSupersetRoot();
+
+        console.error(`Using Python: ${python}`);
+        console.error(`Superset root: ${supersetRoot}`);
+
+    // Check if Superset is installed
+    try {
+        execSync(`${python} -c "import superset"`, {
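Review bot: The `PYTHONPATH` fallback in `findSupersetRoot` returns the raw environment value as if it were one directory, but `PYTHONPATH` is a list separated by `path.delimiter`, and the fallback skips the `superset` subdirectory check that the walked-up candidates have to pass. `findPython` then joins that value with `venv/bin/python` and returns the first existing match as the interpreter, so a multi-entry value never matches and a stale one can select an interpreter from a directory nobody verified. Split the value and apply the same check, for example `const root = process.env.PYTHONPATH.split(path.delimiter).find((p) => fs.existsSync(path.join(p, 'superset')));` followed by `if (root) return root;`, and let the existing error be thrown otherwise. A short comment above the fallback saying that the returned directory decides which Python binary gets executed would also help. The quoted hunk stops inside `checkEnvironment`, so later uses of the returned root are not visible here.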

Review Comment:
   ## Shell command built from environment values
   
   This shell command depends on an uncontrolled [absolute path](1).
   This shell command depends on an uncontrolled [absolute path](2).
   
   [Show more details](https://github.com/apache/superset/security/code-scanning/2048)


