Reference: https://www.theregister.com/2023/04/25/apache_superset_cve/
Old versions of Superset default to "\2\1thisismyscretkey\1\2\\e\\y\\y\\h" (the doubled backslashes are how Python displays the \e\y\y\h written in config.py) as the key for session signing and for encrypting database table contents; the newer version changed the default to 'USE_YOUR_OWN_SECURE_RANDOM_KEY', which is a placeholder and not a usable key either.
After changing this value in superset/config.py, the application stopped working and reported that the database could not be decrypted, because the existing rows had been encrypted under the old key. Following the commit mentioned in the article showed that a SecretsMigrator had been introduced to re-encrypt the affected tables with the new key.
To correctly fix the old version, the following steps need to be taken:
- Modify SECRET_KEY in config.py
- Add a line PREVIOUS_SECRET_KEY="\2\1thisismyscretkey\1\2\e\y\y\h" (this must be the key the existing rows were actually encrypted with)
- Overwrite superset/utils/encrypt.py: wget https://github.com/apache/superset/blob/412189fcb73268ddd4829d2fdb8381c5e47595ce/superset/utils/encrypt.py (the blob URL serves GitHub's HTML page; fetch the raw file instead from https://raw.githubusercontent.com/apache/superset/412189fcb73268ddd4829d2fdb8381c5e47595ce/superset/utils/encrypt.py)
- Modify superset/cli.py according to this commit, which adds the re-encrypt-secrets command
- Execute superset re-encrypt-secrets
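An added example (not code from the page or from Superset itself): a stdlib-only check that a config.py still carries one of the two placeholder keys named above, plus a generator for the SECRET_KEY / PREVIOUS_SECRET_KEY pair the migration step needs. The sample config text is constructed and the function names are mine.

```python
"""Audit a Superset config.py for a placeholder SECRET_KEY and emit the
SECRET_KEY / PREVIOUS_SECRET_KEY pair that `superset re-encrypt-secrets`
needs. Added example; stdlib only; the sample config text is constructed."""
import ast
import secrets
import warnings

# The page spells the old default both as "\2\1thisismyscretkey\1\2\e\y\y\h"
# (as written in config.py) and with doubled backslashes (as Python shows
# it). Python keeps the backslash of an unknown escape such as "\e", so both
# are the same string; explicit escapes are used here to avoid SyntaxWarning.
OLD_DEFAULT_KEY = "\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h"
NEW_PLACEHOLDER_KEY = "USE_YOUR_OWN_SECURE_RANDOM_KEY"
KNOWN_DEFAULTS = {OLD_DEFAULT_KEY, NEW_PLACEHOLDER_KEY}

def extract_setting(config_source: str, name: str):
    """Return the literal assigned to `name` in config.py source, or None."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # invalid-escape warnings from the old key
        tree = ast.parse(config_source)
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant):
            if any(isinstance(t, ast.Name) and t.id == name for t in node.targets):
                return node.value.value
    return None

def uses_placeholder_key(config_source: str) -> bool:
    """True when SECRET_KEY is missing or is one of the shipped defaults."""
    key = extract_setting(config_source, "SECRET_KEY")
    return key is None or key in KNOWN_DEFAULTS

def rotation_settings(config_source: str) -> str:
    """Config lines for the rotation: a fresh random SECRET_KEY plus the
    current key as PREVIOUS_SECRET_KEY so existing rows can still be decrypted."""
    previous = extract_setting(config_source, "SECRET_KEY")
    if previous is None:
        raise ValueError("config has no SECRET_KEY assignment")
    new_key = secrets.token_urlsafe(42)  # 42 random bytes, base64url encoded
    return f"SECRET_KEY = {new_key!r}\nPREVIOUS_SECRET_KEY = {previous!r}\n"

# Constructed sample: a config.py still carrying the old default key.
SAMPLE_CONFIG = r'''ROW_LIMIT = 5000
SECRET_KEY = "\2\1thisismyscretkey\1\2\e\y\y\h"
'''

if __name__ == "__main__":
    print("placeholder key in use:", uses_placeholder_key(SAMPLE_CONFIG))
    print(rotation_settings(SAMPLE_CONFIG))
```

The emitted pair replaces the SECRET_KEY line in config.py; only after the re-encrypt-secrets run succeeds should PREVIOUS_SECRET_KEY be removed.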