This is an automated email from the ASF dual-hosted git repository. kaxilnaik pushed a commit to branch v1-10-test in repository https://gitbox.apache.org/repos/asf/airflow.git
commit 39eb734abc62a211badc1fe459be57398a3db399
Author: Xiaodong <[email protected]>
AuthorDate: Fri Aug 10 18:30:41 2018 +0800

[AIRFLOW-2884] Fix Flask SECRET_KEY security issue in www_rbac (#3729)
The same issue was fixed for /www previously in PR https://github.com/apache/incubator-airflow/pull/3651 (JIRA ticket 2809)
(cherry picked from commit fe6d00a54f83468e296777d3b83b65a2ae7169ec)
---
 airflow/config_templates/config.yml | 3 ++-
 airflow/config_templates/default_airflow.cfg | 3 ++-
 airflow/www_rbac/app.py | 6 ++++++
 3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/airflow/config_templates/config.yml b/airflow/config_templates/config.yml
index 87ee928..7f0f714 100644
--- a/airflow/config_templates/config.yml
+++ b/airflow/config_templates/config.yml
@@ -737,7 +737,8 @@
 - name: secret_key
 description: |
 Secret key used to run your flask app
- It should be as random as possible
+ If default value is given ("temporary_key"), a random secret_key will be generated
+ when you launch your webserver for security reason
 version_added: ~
 type: string
 example: ~
diff --git a/airflow/config_templates/default_airflow.cfg b/airflow/config_templates/default_airflow.cfg
index 662fd00..765b1ce 100644
--- a/airflow/config_templates/default_airflow.cfg
+++ b/airflow/config_templates/default_airflow.cfg
@@ -362,7 +362,8 @@ worker_refresh_interval = 30
 reload_on_plugin_change = False

 # Secret key used to run your flask app
-# It should be as random as possible
+# If default value is given ("temporary_key"), a random secret_key will be generated
+# when you launch your webserver for security reason
 secret_key = temporary_key

 # Number of workers to run the Gunicorn web server
diff --git a/airflow/www_rbac/app.py b/airflow/www_rbac/app.py
index a2ebf7b..2e653a2 100644
--- a/airflow/www_rbac/app.py
+++ b/airflow/www_rbac/app.py
@@ -19,6 +19,7 @@
 #
 import logging
 import socket
+import os
 from datetime import timedelta
 from typing import Any
 
@@ -63,6 +64,11 @@ def create_app(config=None, session=None, testing=False, app_name="Airflow"):
 app.secret_key = conf.get('webserver', 'SECRET_KEY')
 app.config['PERMANENT_SESSION_LIFETIME'] = timedelta(minutes=settings.get_session_lifetime_config())

+ if conf.get('webserver', 'SECRET_KEY') == "temporary_key":
+ app.secret_key = os.urandom(16)
+ else:
+ app.secret_key = conf.get('webserver', 'SECRET_KEY')
+
 app.config.from_pyfile(settings.WEBSERVER_CONFIG, silent=True)
 app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
 app.config['APP_NAME'] = app_name
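Review bot: The `os.urandom(16)` fallback in the new block is generated per process, so every restart and, if I read the default config's "Number of workers to run the Gunicorn web server" setting right, every additional worker signs session cookies with a different key and users are silently logged out when a request lands on another worker; the branch should at least log a warning naming `[webserver] secret_key` so operators can see that the generated key is a stopgap rather than durable configuration. The existing `app.secret_key = conf.get('webserver', 'SECRET_KEY')` context line above the block is now dead, because both new branches reassign `app.secret_key`, and `conf.get` is evaluated twice; drop the old line and read the value once into a local. Since Flask backs `app.secret_key` with `app.config['SECRET_KEY']`, the `app.config.from_pyfile(...)` call that follows can still replace whichever key was chosen here, which deserves a one-line comment if that override is intended. `create_app` starts and ends outside this hunk.
```python
    app.config['PERMANENT_SESSION_LIFETIME'] = timedelta(minutes=settings.get_session_lifetime_config())

    secret_key = conf.get('webserver', 'SECRET_KEY')
    if secret_key == "temporary_key":
        # Per-process random key: sessions are invalidated on every restart and
        # are not shared between Gunicorn workers. Operators should set a real
        # [webserver] secret_key; warn so the fallback is visible in the logs.
        logging.getLogger(__name__).warning(
            "[webserver] secret_key is the default 'temporary_key'; "
            "using a random per-process key instead")
        app.secret_key = os.urandom(16)
    else:
        app.secret_key = secret_key

    # … unchanged: from_pyfile and the remaining app.config assignments …
```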
