[
https://issues.apache.org/jira/browse/AIRFLOW-4186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16804786#comment-16804786
]
Ash Berlin-Taylor commented on AIRFLOW-4186:
--------------------------------------------
Also:
{quote}An attacker who is able to intercept and modify client HTTP requests
{quote}
If someone can intercept HTTP requests then they can do _literally anything_
to the request or response. Under that scenario there is zero that Airflow can
do. They could just redirect directly to a malicious host without ever hitting
the airflow server.
> [security] ui - Application is vulnerable to redirection attacks
> ----------------------------------------------------------------
>
> Key: AIRFLOW-4186
> URL: https://issues.apache.org/jira/browse/AIRFLOW-4186
> Project: Apache Airflow
> Issue Type: Bug
> Components: security, ui
> Reporter: t oo
> Priority: Major
>
> |Issue Details|
> |The Web server uses user-controlled input data to construct a redirection
> URL when the "X-Forwarded-Host" header is added to a request. This header is
> not added by default by the application, but causes a redirect to be
> performed when provided by a user.|
> |The application's "X-Forwarded-Host" header is included with the site
> google.com, causing the application to respond with a 302 redirect to that
> location.|
> |The application successfully redirects to the specified website.|
> |Business Impact/Attack Scenario|
> |An attacker who is able to intercept and modify client HTTP requests before
> reaching the application server could redirect the clients to a malicious
> host.|
> |Recommendation|
> |Use the server's name as the redirection destination where possible, or
> validate header values against a known whitelist.|
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
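Added example (not Airflow's code and not part of the issue or the comment above): a minimal WSGI setup showing the behaviour the report describes, a redirect whose Location is built from whatever X-Forwarded-Host says, next to the recommended fix of honouring that header only when it names an allow-listed host. It is written against the plain WSGI interface so it runs offline without Flask or Werkzeug; the app, the middleware class `AllowListedForwardedHost`, the host names and the `handle` helper are all constructed for the demonstration.

```python
"""Open redirect via X-Forwarded-Host, and an allow-list middleware that closes it.

Everything here is a constructed demonstration: the toy app mimics the common
proxy-aware behaviour of letting X-Forwarded-Host override Host when building
absolute URLs, which is exactly what lets a forged header steer a redirect.
"""
from urllib.parse import urlsplit


def effective_host(environ):
    """Proxy-aware host resolution: X-Forwarded-Host wins if present (the weak spot)."""
    return (environ.get("HTTP_X_FORWARDED_HOST")
            or environ.get("HTTP_HOST")
            or environ["SERVER_NAME"])


def redirect_app(environ, start_response):
    """Toy app: GET /login answers 302 to /home on the host it believes it serves."""
    scheme = environ.get("wsgi.url_scheme", "http")
    location = f"{scheme}://{effective_host(environ)}/home"
    start_response("302 Found", [("Location", location)])
    return [b""]


class AllowListedForwardedHost:
    """WSGI middleware (hypothetical name): keep X-Forwarded-Host only if the
    host it names is on an explicit allow-list; otherwise drop the header so the
    app falls back to the real Host/SERVER_NAME."""

    def __init__(self, app, allowed_hosts):
        self.app = app
        self.allowed = {h.lower() for h in allowed_hosts}

    def __call__(self, environ, start_response):
        forwarded = environ.get("HTTP_X_FORWARDED_HOST")
        if forwarded is not None:
            # Chained proxies may append hosts; the first entry is the client-facing one.
            first = forwarded.split(",")[0].strip()
            try:
                # urlsplit lowercases the hostname and strips any port for the check.
                hostname = urlsplit("//" + first).hostname
            except ValueError:
                hostname = None  # malformed value (e.g. unbalanced IPv6 brackets)
            if hostname is None or hostname not in self.allowed:
                environ.pop("HTTP_X_FORWARDED_HOST")
            else:
                environ["HTTP_X_FORWARDED_HOST"] = first
        return self.app(environ, start_response)


# Constructed deployment: the server knows itself as airflow.internal:8080 and
# legitimately sits behind a proxy that presents it as airflow.example.com.
PROTECTED_APP = AllowListedForwardedHost(redirect_app, ["airflow.example.com"])


def handle(app, extra_headers):
    """Drive a WSGI app with a constructed GET /login and return (status, Location)."""
    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": "/login",
        "SERVER_NAME": "airflow.internal",
        "SERVER_PORT": "8080",
        "HTTP_HOST": "airflow.internal:8080",
        "wsgi.url_scheme": "https",
    }
    environ.update(extra_headers)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    b"".join(app(environ, start_response))
    return captured["status"], captured["headers"].get("Location")


if __name__ == "__main__":
    forged = {"HTTP_X_FORWARDED_HOST": "untrusted.example"}
    print("unprotected:", handle(redirect_app, forged))   # redirect leaves the site
    print("allow-listed:", handle(PROTECTED_APP, forged))  # header dropped, stays home
    print("trusted proxy:", handle(PROTECTED_APP,
                                   {"HTTP_X_FORWARDED_HOST": "airflow.example.com:443, proxy2"}))
```

The allow-list is the "known whitelist" from the recommendation; the fallback to Host/SERVER_NAME is the "use the server's name" half. Comparing on the parsed hostname rather than the raw string avoids being fooled by case or a trailing port, and a value that does not even parse is treated as untrusted rather than raising.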