t oo created AIRFLOW-4065:
-----------------------------
Summary: misc security fixes
Key: AIRFLOW-4065
URL: https://issues.apache.org/jira/browse/AIRFLOW-4065
Project: Apache Airflow
Issue Type: Bug
Components: security
Affects Versions: 1.10.2
Reporter: t oo
1. www/app.py: add clickjacking defence

Fix: at the end of

    def create_app(config=None, testing=False):

add

    @app.after_request
    def apply_caching(response):
        # Forbid embedding any web UI page in a frame on any origin.
        response.headers["X-Frame-Options"] = "DENY"
        return response
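The same header policy as item 1, written as a framework-neutral WSGI middleware so it can be exercised in-process without a Flask app. This is an added example, not code from the AIRFLOW-4065 report or from Airflow; the names FrameDenyMiddleware, hello_app, call_wsgi and check_clickjacking_headers are assumptions for this illustration. It goes slightly beyond the report by also emitting the CSP frame-ancestors directive, which modern browsers honour alongside X-Frame-Options.

```python
"""Added example: anti-framing response headers as WSGI middleware
(not Airflow's code; names are illustrative assumptions)."""
from wsgiref.util import setup_testing_defaults


class FrameDenyMiddleware:
    """Wrap any WSGI app and force a deny-framing policy on every response."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def wrapped_start_response(status, headers, exc_info=None):
            # Drop whatever X-Frame-Options the inner app set, so a looser
            # value (e.g. SAMEORIGIN) cannot weaken the policy, then add DENY.
            headers = [(k, v) for k, v in headers
                       if k.lower() != "x-frame-options"]
            headers.append(("X-Frame-Options", "DENY"))
            # Add the CSP equivalent only if the app sends no CSP of its own,
            # so an existing policy with other directives is not clobbered.
            has_csp = any(k.lower() == "content-security-policy"
                          for k, _ in headers)
            if not has_csp:
                headers.append(("Content-Security-Policy",
                                "frame-ancestors 'none'"))
            return start_response(status, headers, exc_info)

        return self.app(environ, wrapped_start_response)


def hello_app(environ, start_response):
    """Constructed sample app that (too permissively) allows same-origin framing."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("X-Frame-Options", "SAMEORIGIN")])
    return [b"hello"]


def call_wsgi(app, path="/"):
    """Invoke a WSGI app in-process; return (status, headers dict, body bytes)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def check_clickjacking_headers(headers):
    """Return True when the response forbids framing by any other site."""
    xfo = headers.get("X-Frame-Options", "").strip().upper()
    csp = headers.get("Content-Security-Policy", "")
    return xfo == "DENY" or "frame-ancestors 'none'" in csp


if __name__ == "__main__":
    status, hdrs, body = call_wsgi(FrameDenyMiddleware(hello_app))
    print(status, hdrs, body)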

2. www/app.py: add a web UI login timeout of 15 minutes

Fix: at the end of

    def create_app(config=None, testing=False):

add (requires "import datetime", "import flask" and "import flask_login" at module level if not already present)

    @app.before_request
    def before_request():
        # Mark the session permanent so the lifetime below applies, and
        # touch it on every request so the 15-minute window is an idle timeout.
        flask.session.permanent = True
        app.permanent_session_lifetime = datetime.timedelta(minutes=15)
        flask.session.modified = True
        flask.g.user = flask_login.current_user
3. www/views.py: add cross-site scripting defence

The search query is interpolated into the pager links by wwwutils.generate_pages; escape it first (requires "from markupsafe import escape" in views.py).

*BEFORE*

    return self.render(
        'airflow/dags.html',
        webserver_dags=webserver_dags_filtered,
        orm_dags=orm_dags,
        hide_paused=hide_paused,
        current_page=current_page,
        search_query=arg_search_query if arg_search_query else '',
        page_size=dags_per_page,
        num_of_pages=num_of_pages,
        num_dag_from=start + 1,
        num_dag_to=min(end, num_of_all_dags),
        num_of_all_dags=num_of_all_dags,
        paging=wwwutils.generate_pages(current_page, num_of_pages,
                                       search=arg_search_query,
                                       showPaused=not hide_paused),
        dag_ids_in_page=page_dag_ids,
        auto_complete_data=auto_complete_data)

*AFTER*

    return self.render(
        'airflow/dags.html',
        webserver_dags=webserver_dags_filtered,
        orm_dags=orm_dags,
        hide_paused=hide_paused,
        current_page=current_page,
        search_query=arg_search_query if arg_search_query else '',
        page_size=dags_per_page,
        num_of_pages=num_of_pages,
        num_dag_from=start + 1,
        num_dag_to=min(end, num_of_all_dags),
        num_of_all_dags=num_of_all_dags,
        paging=wwwutils.generate_pages(current_page, num_of_pages,
                                       # HTML-escape the user-supplied query before it is
                                       # interpolated into the pager markup
                                       search=escape(arg_search_query) if arg_search_query else None,
                                       showPaused=not hide_paused),
        dag_ids_in_page=page_dag_ids,
        auto_complete_data=auto_complete_data)
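To see why item 3 escapes the query, here is a stripped-down pager builder in the spirit of generate_pages, run once with the raw query and once with it escaped. This is an added example, not Airflow's wwwutils.generate_pages; it uses html.escape from the standard library in place of the markupsafe escape used in the report, and the function names page_link, generate_pages and is_script_injected are assumptions for this illustration.

```python
"""Added example: HTML-escaping a user-controlled search value before it
is interpolated into pager links (not Airflow's code; names are illustrative)."""
from html import escape


def page_link(page, search, hide_paused, safe=True):
    """Build one pager anchor.  safe=False interpolates the raw query string,
    reproducing the original behaviour; safe=True escapes it, including quotes,
    so the value cannot break out of the href attribute."""
    value = escape(search, quote=True) if safe else search
    return ('<a href="?page={p}&search={s}&showPaused={sp}">{p}</a>'
            .format(p=page, s=value, sp=str(not hide_paused).lower()))


def generate_pages(current_page, num_of_pages, search="",
                   hide_paused=True, safe=True):
    """Return the markup for a simple pager with one link per page."""
    return "".join(page_link(p, search, hide_paused, safe)
                   for p in range(num_of_pages))


def is_script_injected(html):
    """Crude check used for the demonstration: a literal script tag survived."""
    return "<script" in html.lower()


if __name__ == "__main__":
    # Constructed sample query that tries to close the attribute and inject markup.
    payload = '"><script>alert(1)</script>'
    print(generate_pages(1, 3, search=payload, safe=False))
    print(generate_pages(1, 3, search=payload, safe=True))
```

Escaping is context-specific: html.escape (like markupsafe.escape) neutralises the value for an HTML element or attribute context, which is where the pager markup lands. A value that is only ever placed inside a URL query string would additionally be percent-encoded with urllib.parse.quote, and Jinja templates with autoescaping enabled already apply HTML escaping to ordinary variables, so the explicit escape matters precisely because generate_pages builds markup by hand.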
4. contrib/hooks/spark_submit_hook.py: poll the Spark server at a configurable interval instead of every second

*BEFORE*

    # Sleep for 1 second as we do not want to spam the cluster
    time.sleep(1)

*AFTER*

    from airflow import configuration as conf  # module-level import

    # Sleep for n seconds as we do not want to spam the cluster;
    # n is read from [sparksubmit] poll_interval in airflow.cfg
    _poll_interval = conf.getint('sparksubmit', 'poll_interval')
    time.sleep(_poll_interval)
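The configurable poll interval from item 4, with the two things a practitioner would add around it: validation of the value read from the config (missing key falls back to the old 1-second default, a non-positive value is rejected) and a poll loop that takes the sleep function as a parameter so the timing can be tested without actually waiting. This is an added example, not the Airflow hook's code: it reads a constructed airflow.cfg-style snippet with the standard library configparser instead of airflow.configuration, and load_poll_interval, poll_until and CONSTRUCTED_CFG are assumptions for this illustration.

```python
"""Added example: config-driven polling interval with validation and a
testable poll loop (not Airflow's code; names are illustrative)."""
import configparser
import time

# Constructed airflow.cfg fragment for the demonstration.
CONSTRUCTED_CFG = """
[sparksubmit]
poll_interval = 5
"""


def load_poll_interval(cfg_text, default=1):
    """Read [sparksubmit] poll_interval from cfg_text.

    Falls back to `default` when the section or key is absent, so existing
    deployments keep the old 1-second behaviour; rejects values below 1 so a
    misconfiguration cannot turn the loop into a busy-wait against the cluster.
    """
    parser = configparser.ConfigParser()
    parser.read_string(cfg_text)
    try:
        interval = parser.getint("sparksubmit", "poll_interval")
    except (configparser.NoSectionError, configparser.NoOptionError):
        return default
    if interval < 1:
        raise ValueError("poll_interval must be >= 1 second, got %d" % interval)
    return interval


def poll_until(is_finished, poll_interval, timeout, sleep=time.sleep):
    """Call is_finished() every poll_interval seconds until it returns True.

    Returns the number of polls made.  Raises TimeoutError once `timeout`
    seconds of sleeping have accumulated without the job finishing.  `sleep`
    is injectable so tests can record the requested delays instead of waiting.
    """
    waited = 0
    polls = 0
    while True:
        polls += 1
        if is_finished():
            return polls
        if waited >= timeout:
            raise TimeoutError("job not finished after %d seconds" % waited)
        sleep(poll_interval)
        waited += poll_interval


if __name__ == "__main__":
    interval = load_poll_interval(CONSTRUCTED_CFG)
    # Constructed job state: finished on the third poll.
    states = iter([False, False, True])
    print("interval:", interval, "polls:",
          poll_until(lambda: next(states), interval, timeout=60, sleep=lambda s: None))
```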
5. Documentation only: securing the connection to a MySQL backend metastore.

At the end of the sql_alchemy_conn line in airflow.cfg, append

    ?ssl_ca=<PEMCERTFORMYSQL.pem>

where the value is the path to the CA certificate (PEM format) used to verify the MySQL server.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)