test(tasks): fix mypy attr-defined on object-typed stack_trace assertion

get_properties returns dict[str, object], so str() the value before
calling .startswith() to satisfy mypy.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

superset/tasks/schemas.py

@@ -119,14 +119,21 @@ class TaskResponseSchema(Schema):
         return obj.payload_dict  # type: ignore[attr-defined]
 
     def get_properties(self, obj: object) -> dict[str, object]:
-        """Get properties dict, filtering stack_trace if SHOW_STACKTRACE is disabled."""
+        """Get properties dict, filtering debugging details when SHOW_STACKTRACE
+        is disabled."""
         from flask import current_app
 
         properties = dict(obj.properties_dict)  # type: ignore[attr-defined]
 
-        # Remove stack_trace unless SHOW_STACKTRACE is enabled
+        # Remove internal debugging details unless SHOW_STACKTRACE is enabled.
+        # The full traceback and the raw exception class name disclose internal
+        # file paths, library versions, and architecture details (CWE-209), so
+        # they are gated behind the same flag that controls stack traces
+        # elsewhere in Superset. ``error_message`` is left in place as the
+        # consumer-facing failure reason.
         if not current_app.config.get("SHOW_STACKTRACE", False):
             properties.pop("stack_trace", None)
+            properties.pop("exception_type", None)
 
         return properties
 

tests/unit_tests/tasks/test_schemas.py

@@ -0,0 +1,65 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+from types import SimpleNamespace
+
+from flask import current_app
+from pytest_mock import MockerFixture
+
+from superset.tasks.schemas import TaskResponseSchema
+
+
+def _task_with_error_properties() -> SimpleNamespace:
+    return SimpleNamespace(
+        properties_dict={
+            "is_abortable": True,
+            "progress_percent": 1.0,
+            "error_message": "boom",
+            "exception_type": "KeyError",
+            "stack_trace": 'Traceback (most recent call last):\n  File "/app/x.py"',
+        }
+    )
+
+
+def test_get_properties_hides_debug_fields_by_default(app_context: None) -> None:
+    """
+    By default (SHOW_STACKTRACE disabled) the serialized task properties must
+    not disclose the stack trace or the raw exception class name (CWE-209),
+    while still returning consumer-safe fields like error_message.
+    """
+    properties = TaskResponseSchema().get_properties(_task_with_error_properties())
+
+    assert "stack_trace" not in properties
+    assert "exception_type" not in properties
+    # consumer-safe fields are preserved
+    assert properties["error_message"] == "boom"
+    assert properties["is_abortable"] is True
+    assert properties["progress_percent"] == 1.0
+
+
+def test_get_properties_exposes_debug_fields_when_show_stacktrace(
+    app_context: None, mocker: MockerFixture
+) -> None:
+    """
+    When SHOW_STACKTRACE is explicitly enabled, the debugging fields are
+    returned (parity with how Superset surfaces stack traces elsewhere).
+    """
+    mocker.patch.dict(current_app.config, {"SHOW_STACKTRACE": True})
+
+    properties = TaskResponseSchema().get_properties(_task_with_error_properties())
+
+    assert properties["exception_type"] == "KeyError"
+    assert str(properties["stack_trace"]).startswith("Traceback")