修复superset默认的key CVE-2023-27524

May 21, 2023273

AI-generated summary

The article discusses a vulnerability in an older version of Apache Superset, a data visualization and exploration platform. The older version uses a default encryption key for session and database table encryption. The key has been changed in the newer version. Modifying the key value in the configuration file caused the application to malfunction, reporting database decryption errors. The article suggests making certain modifications to fix the issue in the older version. These modifications include changing the SECRET_KEY in the configuration file, adding a PREVIOUS_SECRET_KEY, downloading a specific version of the encrypt.py file, modifying the cli.py file, and executing a command to re-encrypt secrets.

参考： https://www.theregister.com/2023/04/25/apache_superset_cve/

superset 旧版本默认使用"\2\1thisismyscretkey\1\2\\e\\y\\y\\h" 作为加密的 key，用于 sesison 和数据库表的加密，新版本则改为了'USE_YOUR_OWN_SECURE_RANDOM_KEY'

在修改 superset/config.py 中此项的值后发现应用不正常，报错数据库无法解密，找到了文中提到的 commit 发现果然有玄机，引入了 SecretsMigrator 来做数据表的迁移

所以要正确完成旧版本的修复，需要做的：

修改 config.py 中的 SECRET_KEY
增加一项 PREVIOUS_SECRET_KEY="\2\1thisismyscretkey\1\2\e\y\y\h"
覆盖utils/encrypt: wget https://github.com/apache/superset/blob/412189fcb73268ddd4829d2fdb8381c5e47595ce/superset/utils/encrypt.py
修改superset/cli.py 按照这个commit对着修改就行
执行 superset re-encrypt-secrets