superset2/tests
Claude Code 5efd69d77d feat(security): enforce password complexity policy [DRAFT]
SupersetSecurityManager did not enforce any password policy, so DB-auth
self-registration / password changes accepted trivially short or common
passwords (ASVS 6.2.1 / 6.2.4, CWE-521).

Add superset.security.password_complexity.validate_password_complexity (minimum
length via AUTH_PASSWORD_MIN_LENGTH, default 8, plus a common-password
blocklist extendable via AUTH_PASSWORD_COMMON_BLOCKLIST), and wire it through
Flask-AppBuilder's FAB_PASSWORD_COMPLEXITY_ENABLED / _VALIDATOR. FAB runs this
callable from both the WTForms password fields (self-registration, user edit,
reset password) and the User REST API, so one function covers all
password-setting flows. The policy is intentionally less draconian than FAB's
built-in default_password_complexity.

DRAFT: enabling the policy by default changes registration / password-change
behavior (short or common passwords are now rejected) and any API-driven user
provisioning that used weak passwords. Needs validation of the end-to-end flows
before merge.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-01 21:03:37 -07:00