dolevf opened a new pull request #16885: URL: https://github.com/apache/airflow/pull/16885
The default `docker-compose.yaml` file exposes Redis to the host by specifying a port mapping of `6379:6379`. Since Redis is unauthenticated by default and runs as root, this poses a risk and will likely be overlooked by users deploying Airflow using docker compose in VPSes or other instances that are publicly facing, even though it's not meant for production use.

I could not find a reason to have Redis be accessible through the host, so I'm proposing to restrict this port from being accessible via the hypervisor. Redis can be made to write files into the file system using techniques such as [CONFIG SET](https://redis.io/commands/config-set). On a VPS, this will result in a system compromise by a bot within a few hours if not minutes.
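The exposure described in this pull request can be checked for mechanically. The following is an added example, not part of the pull request or the Airflow project: a Python check that reports which Compose `ports` entries publish a service on a non-loopback host address. The service names and sample data are constructed, and the input is assumed to be the already-parsed `services` mapping of a compose file.

```python
import ipaddress

def host_binding(entry):
    """Return the host address a Compose `ports` entry binds to."""
    if isinstance(entry, dict):                   # long syntax: target/published/host_ip
        return str(entry.get("host_ip", "0.0.0.0"))
    spec = str(entry).split("/")[0]               # drop a "/tcp" or "/udp" suffix
    if spec.startswith("["):                      # bracketed IPv6, e.g. [::1]:6379:6379
        return spec[1:].partition("]")[0]
    parts = spec.split(":")
    if len(parts) == 3:                           # IP:HOST_PORT:CONTAINER_PORT
        return parts[0]
    return "0.0.0.0"                              # HOST:CONTAINER or CONTAINER alone

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False                              # unparseable address: report it

def audit(services):
    """List (service, entry, host address) for ports reachable beyond loopback.

    `expose:` entries are ignored: they are not published on the host.
    """
    findings = []
    for name, svc in services.items():
        for entry in svc.get("ports", []):
            addr = host_binding(entry)
            if not is_loopback(addr):
                findings.append((name, entry, addr))
    return findings

# Constructed sample: the parsed `services` section of a hypothetical compose file.
SAMPLE = {
    "redis": {"image": "redis:latest", "ports": ["6379:6379"]},
    "redis-local": {"image": "redis:latest", "ports": ["127.0.0.1:6379:6379"]},
    "redis-internal": {"image": "redis:latest", "expose": ["6379"]},
    "postgres": {"ports": [{"target": 5432, "published": 5432,
                            "host_ip": "127.0.0.1"}]},
    "flower": {"ports": ["5555:5555/tcp", "[::1]:5556:5556"]},
}

if __name__ == "__main__":
    for name, entry, addr in audit(SAMPLE):
        print(f"{name}: {entry!r} is published on {addr}")
```

Only the `redis` and `flower` entries without a host IP are reported; the loopback-bound and `expose`-only variants pass.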
