[GitHub] [airflow] potiuk commented on a change in pull request #16754: Only allow webserver to request from the worker log server

Thu, 01 Jul 2021 05:56:06 -0700 


potiuk commented on a change in pull request #16754:
URL: https://github.com/apache/airflow/pull/16754#discussion_r662263042



##########
File path: airflow/utils/serve_logs.py
##########
@@ -17,25 +17,61 @@
 
 """Serve logs process"""
 import os
+import time
 
-import flask
+from flask import Flask, abort, request, send_from_directory
+from itsdangerous import TimedJSONWebSignatureSerializer
 from setproctitle import setproctitle
 
 from airflow.configuration import conf
 
 
-def serve_logs():
-    """Serves logs generated by Worker"""
-    print("Starting flask")
-    flask_app = flask.Flask(__name__)
-    setproctitle("airflow serve-logs")
+def flask_app():
+    flask_app = Flask(__name__)
+    max_request_age = conf.getint('webserver', 'log_request_clock_grace', 
fallback=30)
+    log_directory = os.path.expanduser(conf.get('logging', 'BASE_LOG_FOLDER'))
+
+    signer = TimedJSONWebSignatureSerializer(
+        secret_key=conf.get('webserver', 'secret_key'),
+        algorithm_name='HS512',
+        expires_in=max_request_age,
+    )
+
+    # Prevent direct access to the logs port
+    @flask_app.before_request
+    def validate_pre_signed_url():
+        try:
+            auth = request.headers['Authorization']
+
+            # We don't actually care about the payload, just that the signature

Review comment:
       It would be *slightly* safer to add the log path to the payload. With 
the current approach m-i-m could potentially grab an authorisation header from 
one request and retrieve as many different log entries as possible within 30 
seconds time window. Otherwise they could only intercept those logs that were 
specifically requested by the webserver. 
   
   It is very remote possibility - you'd have to be able to place yourself 
between the webserver and workers, but I think it should be rather easy to add  
as an extra protection. I think adding the log path as payload and verifying 
it, would be all that is needed.




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to