fix(security): harden password-complexity config handling + document default

Address review feedback on the password-complexity validator:
- Coerce AUTH_PASSWORD_MIN_LENGTH (may arrive as a string via env vars or be
  None), falling back to the default instead of raising TypeError.
- Treat a misconfigured string AUTH_PASSWORD_COMMON_BLOCKLIST as a single
  entry rather than iterating characters; use casefold() for correct
  case-insensitive matching of non-ASCII passwords.
- Document the default-on policy and its config knobs in UPDATING.md.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

UPDATING.md

@@ -45,6 +45,19 @@ service requires visible `© OpenStreetMap contributors` attribution and should
 be used through normal browser map tile requests and caching; it is not intended
 for bulk prefetch or offline tile downloads.
 
+### Password complexity policy enabled by default
+
+Superset now ships a default password-complexity policy, enforced (via Flask-AppBuilder) across self-registration, the user create/edit/reset forms, and the User REST API. The policy requires a minimum password length of 8 characters and rejects a built-in blocklist of common/guessable passwords.
+
+This is enabled by default (`FAB_PASSWORD_COMPLEXITY_ENABLED = True`), so new or reset passwords that are too short or appear in the blocklist will be rejected where they were previously accepted. Existing stored passwords are unaffected until they are next changed.
+
+Operators can tune or disable the policy via config:
+
+- `AUTH_PASSWORD_MIN_LENGTH` — minimum length (default `8`).
+- `AUTH_PASSWORD_COMMON_BLOCKLIST` — extra passwords to reject, in addition to the built-in list.
+- `FAB_PASSWORD_COMPLEXITY_VALIDATOR` — replace with your own callable for custom rules.
+- `FAB_PASSWORD_COMPLEXITY_ENABLED = False` — disable enforcement entirely.
+
 ### Duration formatter precision
 
 The `DURATION` number formatter now uses `Intl.DurationFormat` for locale-aware output. By default, sub-second fields are omitted, so values that previously displayed fractional seconds with `pretty-ms`, such as `10500` milliseconds rendering as `10.5s`, now render as `10s`.

superset/config.py

@@ -362,6 +362,20 @@ RATELIMIT_ENABLED = os.environ.get("SUPERSET_ENV") == "production"
 RATELIMIT_APPLICATION = "50 per second"
 AUTH_RATE_LIMITED = True
 AUTH_RATE_LIMIT = "5 per second"
+
+# Password complexity policy, enforced (via Flask-AppBuilder) across
+# self-registration, the user edit/reset forms, and the User REST API.
+# The Superset validator requires a minimum length and rejects common
+# passwords; tune via AUTH_PASSWORD_MIN_LENGTH / AUTH_PASSWORD_COMMON_BLOCKLIST,
+# or replace FAB_PASSWORD_COMPLEXITY_VALIDATOR with your own callable.
+from superset.security.password_complexity import (  # noqa: E402
+    validate_password_complexity as _validate_password_complexity,
+)
+
+FAB_PASSWORD_COMPLEXITY_ENABLED = True
+FAB_PASSWORD_COMPLEXITY_VALIDATOR = _validate_password_complexity
+AUTH_PASSWORD_MIN_LENGTH = 8
+AUTH_PASSWORD_COMMON_BLOCKLIST: list[str] = []
 # A storage location conforming to the scheme in storage-scheme. See the limits
 # library for allowed values: https://limits.readthedocs.io/en/stable/storage.html
 # RATELIMIT_STORAGE_URI = "redis://host:port"

superset/security/password_complexity.py

@@ -0,0 +1,121 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+"""Superset password-complexity validator.
+
+Wired in via ``FAB_PASSWORD_COMPLEXITY_VALIDATOR`` (with
+``FAB_PASSWORD_COMPLEXITY_ENABLED``). Flask-AppBuilder runs this callable from
+both the WTForms password fields (self-registration, user edit, reset password)
+and the User REST API, so a single function enforces the policy across all
+password-setting flows.
+
+The default policy is a minimum length plus a common-password blocklist —
+intentionally less draconian than FAB's built-in ``default_password_complexity``
+(which requires 2 uppercase, 1 special, 2 digits, 3 lowercase and length 10).
+"""
+
+from __future__ import annotations
+
+from flask import current_app
+from flask_appbuilder.exceptions import PasswordComplexityValidationError
+from flask_babel import gettext as __
+
+# A small built-in blocklist of the most common/guessable passwords. Operators
+# can extend it with AUTH_PASSWORD_COMMON_BLOCKLIST. (A fuller list or a
+# Have-I-Been-Pwned k-anonymity check is a possible follow-up.)
+COMMON_PASSWORDS: frozenset[str] = frozenset(
+    {
+        "123456",
+        "123456789",
+        "12345678",
+        "1234567890",
+        "12345",
+        "111111",
+        "123123",
+        "000000",
+        "password",
+        "password1",
+        "password123",
+        "passw0rd",
+        "qwerty",
+        "qwerty123",
+        "qwertyuiop",
+        "abc123",
+        "letmein",
+        "welcome",
+        "welcome1",
+        "admin",
+        "admin123",
+        "administrator",
+        "root",
+        "superset",
+        "changeme",
+        "iloveyou",
+        "monkey",
+        "dragon",
+        "sunshine",
+        "princess",
+        "football",
+        "baseball",
+        "trustno1",
+        "login",
+        "master",
+        "hello123",
+        "secret",
+        "default",
+    }
+)
+
+DEFAULT_MIN_LENGTH = 8
+
+
+def validate_password_complexity(password: str) -> None:
+    """Validate a plaintext password against the configured policy.
+
+    :raises PasswordComplexityValidationError: if the password is too short or
+        appears in the common-password blocklist.
+    """
+    raw_min_length = current_app.config.get(
+        "AUTH_PASSWORD_MIN_LENGTH", DEFAULT_MIN_LENGTH
+    )
+    # Operators commonly wire config via env vars, so AUTH_PASSWORD_MIN_LENGTH can
+    # arrive as a string (or be left unset/None). Coerce defensively and fall back
+    # to the default rather than blowing up every password-setting flow with a
+    # TypeError on the length comparison.
+    try:
+        min_length = int(raw_min_length)
+    except (TypeError, ValueError):
+        min_length = DEFAULT_MIN_LENGTH
+
+    if len(password) < min_length:
+        raise PasswordComplexityValidationError(
+            __(
+                "Password must be at least %(min_length)s characters long.",
+                min_length=min_length,
+            )
+        )
+
+    extra = current_app.config.get("AUTH_PASSWORD_COMMON_BLOCKLIST") or []
+    # A bare string is iterable but would be split into characters, so treat a
+    # misconfigured string as a single entry. casefold() gives correct
+    # case-insensitive matching for non-ASCII passwords too.
+    if isinstance(extra, str):
+        extra = [extra]
+    blocklist = COMMON_PASSWORDS | {str(item).casefold() for item in extra}
+    if password.casefold() in blocklist:
+        raise PasswordComplexityValidationError(
+            __("This password is too common; please choose a less guessable one.")
+        )

tests/unit_tests/security/test_password_complexity.py

@@ -0,0 +1,97 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+import pytest
+from flask import current_app
+from flask_appbuilder.exceptions import PasswordComplexityValidationError
+
+from superset.security.password_complexity import validate_password_complexity
+
+
+def test_validate_password_complexity_accepts_strong_password() -> None:
+    # No exception for a sufficiently long, uncommon password.
+    validate_password_complexity("a-Good-Long-Passphrase-42")
+
+
+def test_validate_password_complexity_rejects_short_password() -> None:
+    with pytest.raises(PasswordComplexityValidationError):
+        validate_password_complexity("short1")  # < 8 chars
+
+
+def test_validate_password_complexity_rejects_common_password() -> None:
+    # Common even though length >= 8.
+    with pytest.raises(PasswordComplexityValidationError):
+        validate_password_complexity("password123")
+    # Case-insensitive.
+    with pytest.raises(PasswordComplexityValidationError):
+        validate_password_complexity("PASSWORD123")
+
+
+def test_validate_password_complexity_honors_configured_min_length() -> None:
+    original = current_app.config.get("AUTH_PASSWORD_MIN_LENGTH")
+    current_app.config["AUTH_PASSWORD_MIN_LENGTH"] = 16
+    try:
+        with pytest.raises(PasswordComplexityValidationError):
+            validate_password_complexity("only12chars!")  # 12 < 16
+    finally:
+        current_app.config["AUTH_PASSWORD_MIN_LENGTH"] = original
+
+
+def test_validate_password_complexity_honors_extra_blocklist() -> None:
+    original = current_app.config.get("AUTH_PASSWORD_COMMON_BLOCKLIST")
+    current_app.config["AUTH_PASSWORD_COMMON_BLOCKLIST"] = ["AcmeCorp2024"]
+    try:
+        with pytest.raises(PasswordComplexityValidationError):
+            validate_password_complexity("acmecorp2024")
+    finally:
+        current_app.config["AUTH_PASSWORD_COMMON_BLOCKLIST"] = original
+
+
+def test_validate_password_complexity_coerces_string_min_length() -> None:
+    # Operators wiring config via env vars may pass min length as a string.
+    original = current_app.config.get("AUTH_PASSWORD_MIN_LENGTH")
+    current_app.config["AUTH_PASSWORD_MIN_LENGTH"] = "16"  # noqa: S105
+    try:
+        with pytest.raises(PasswordComplexityValidationError):
+            validate_password_complexity("only12chars!")  # 12 < 16
+    finally:
+        current_app.config["AUTH_PASSWORD_MIN_LENGTH"] = original
+
+
+def test_validate_password_complexity_tolerates_invalid_min_length() -> None:
+    # A non-numeric/None min length must not blow up; fall back to the default.
+    original = current_app.config.get("AUTH_PASSWORD_MIN_LENGTH")
+    current_app.config["AUTH_PASSWORD_MIN_LENGTH"] = "not-a-number"  # noqa: S105
+    try:
+        validate_password_complexity("a-Good-Long-Passphrase-42")
+        with pytest.raises(PasswordComplexityValidationError):
+            validate_password_complexity("short1")  # < default 8
+    finally:
+        current_app.config["AUTH_PASSWORD_MIN_LENGTH"] = original
+
+
+def test_validate_password_complexity_blocklist_string_not_split() -> None:
+    # A misconfigured string blocklist must be treated as one entry, not chars.
+    original = current_app.config.get("AUTH_PASSWORD_COMMON_BLOCKLIST")
+    current_app.config["AUTH_PASSWORD_COMMON_BLOCKLIST"] = "AcmeCorp2024"  # noqa: S105
+    try:
+        with pytest.raises(PasswordComplexityValidationError):
+            validate_password_complexity("acmecorp2024")
+        # A single character from the string must NOT become blocked.
+        validate_password_complexity("a-Good-Long-Passphrase-42")
+    finally:
+        current_app.config["AUTH_PASSWORD_COMMON_BLOCKLIST"] = original