This is an automated email from the ASF dual-hosted git repository. pierrejeambrun pushed a commit to branch v2-5-test in repository https://gitbox.apache.org/repos/asf/airflow.git
commit 2ec4d063b663cef85dc51ea422dae8904dca66d3 Author: Jarek Potiuk <[email protected]> AuthorDate: Thu Jan 19 16:37:47 2023 +0100 Sanitize url_for arguments before they are passed (#29039) The url_for of flask has special arguments that start with `_` and we should sanitize the ones that come with the request before passing them. (cherry picked from commit 7f2b065ccd01071cff8f298b944d81f3ff3384b5)
---
 airflow/www/views.py | 34 ++++++++++++++++++++++------------
 1 file changed, 22 insertions(+), 12 deletions(-)
diff --git a/airflow/www/views.py b/airflow/www/views.py
index 85e4f710cb..33d3997994 100644
--- a/airflow/www/views.py
+++ b/airflow/www/views.py
@@ -154,6 +154,16 @@ def truncate_task_duration(task_duration):
     return int(task_duration) if task_duration > 10.0 else round(task_duration, 3)
 
 
+def sanitize_args(args: dict[str, str]) -> dict[str, str]:
+    """
+    Remove all parameters starting with `_`
+
+    :param args: arguments of request
+    :return: copy of the dictionary passed as input with args starting with `_` removed.
+    """
+    return {key: value for key, value in args.items() if not key.startswith("_")}
+
+
 def get_safe_url(url):
     """Given a user-supplied URL, ensure it points to our web server"""
     if not url:
@@ -1099,7 +1109,7 @@ class Airflow(AirflowBaseView):
     )
     def legacy_code(self):
         """Redirect from url param."""
-        return redirect(url_for("Airflow.code", **request.args))
+        return redirect(url_for("Airflow.code", **sanitize_args(request.args)))
 
     @expose("/dags/<string:dag_id>/code")
     @auth.has_access(
@@ -1146,7 +1156,7 @@ class Airflow(AirflowBaseView):
     )
     def legacy_dag_details(self):
         """Redirect from url param."""
-        return redirect(url_for("Airflow.dag_details", **request.args))
+        return redirect(url_for("Airflow.dag_details", **sanitize_args(request.args)))
 
     @expose("/dags/<string:dag_id>/details")
     @auth.has_access(
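Review bot: `sanitize_args` in the first hunk strips the `_`-prefixed names that `url_for` treats specially (`_external`, `_scheme`, `_anchor`, `_method`), but a query key equal to `url_for`'s own first parameter name still collides on `**`-expansion — as far as I can tell from Flask's `url_for(endpoint, **values)` signature, a request carrying `?endpoint=x` makes every `legacy_*` redirect raise an unhandled `TypeError` (HTTP 500) instead of answering cleanly. A one-line extension covers it: `return {key: value for key, value in args.items() if not key.startswith("_") and key != "endpoint"}`. The annotation `dict[str, str]` is also narrower than what the callers pass: `request.args` is a werkzeug `ImmutableMultiDict`, so `Mapping[str, str]` (if `typing.Mapping` is already imported in this module, which I cannot see here) would describe the contract accurately, and the docstring summary line should end with a period.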
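Review bot: The `legacy_code` hunk is the first of a dozen identical one-liners that each now repeat `sanitize_args(request.args)`; a small private helper on the view, `def _redirect_with_args(self, endpoint): return redirect(url_for(endpoint, **sanitize_args(request.args)))`, would keep the filtering in one place so a redirect added later cannot forget it. The diffstat shows only `airflow/www/views.py` changed, so nothing in this commit exercises `sanitize_args`; a unit test asserting that `_external` and `_scheme` are dropped while ordinary keys such as `dag_id` survive would pin the behaviour. The decorator chain above `def legacy_code` begins outside the hunk.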
@@ -2538,7 +2548,7 @@ class Airflow(AirflowBaseView):
     @action_logging
     def dag(self, dag_id):
         """Redirect to default DAG view."""
-        kwargs = {**request.args, "dag_id": dag_id}
+        kwargs = {**sanitize_args(request.args), "dag_id": dag_id}
         return redirect(url_for("Airflow.grid", **kwargs))
 
     @expose("/legacy_tree")
@@ -2553,7 +2563,7 @@ class Airflow(AirflowBaseView):
     @action_logging
     def legacy_tree(self):
         """Redirect to the replacement - grid view."""
-        return redirect(url_for("Airflow.grid", **request.args))
+        return redirect(url_for("Airflow.grid", **sanitize_args(request.args)))
 
     @expose("/tree")
     @auth.has_access(
@@ -2567,7 +2577,7 @@ class Airflow(AirflowBaseView):
     @action_logging
     def tree(self):
         """Redirect to the replacement - grid view. Kept for backwards compatibility."""
-        return redirect(url_for("Airflow.grid", **request.args))
+        return redirect(url_for("Airflow.grid", **sanitize_args(request.args)))
 
     @expose("/dags/<string:dag_id>/grid")
     @auth.has_access(
@@ -2646,7 +2656,7 @@ class Airflow(AirflowBaseView):
     @action_logging
     def legacy_calendar(self):
         """Redirect from url param."""
-        return redirect(url_for("Airflow.calendar", **request.args))
+        return redirect(url_for("Airflow.calendar", **sanitize_args(request.args)))
 
     @expose("/dags/<string:dag_id>/calendar")
     @auth.has_access(
@@ -2787,7 +2797,7 @@ class Airflow(AirflowBaseView):
     @action_logging
     def legacy_graph(self):
         """Redirect from url param."""
-        return redirect(url_for("Airflow.graph", **request.args))
+        return redirect(url_for("Airflow.graph", **sanitize_args(request.args)))
 
     @expose("/dags/<string:dag_id>/graph")
     @auth.has_access(
@@ -2904,7 +2914,7 @@ class Airflow(AirflowBaseView):
     @action_logging
     def legacy_duration(self):
         """Redirect from url param."""
-        return redirect(url_for("Airflow.duration", **request.args))
+        return redirect(url_for("Airflow.duration", **sanitize_args(request.args)))
 
     @expose("/dags/<string:dag_id>/duration")
     @auth.has_access(
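Review bot: In the `dag` hunk the path-derived `dag_id` is placed after the spread so it overrides any `dag_id` supplied in the query string, which is the safe order but easy to break by a careless reorder of the two entries; a short comment above the assignment would protect it: `# path dag_id must win over any dag_id in the query string`. `dag`'s decorator chain begins outside the hunk.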
@@ -3065,7 +3075,7 @@ class Airflow(AirflowBaseView):
     @action_logging
     def legacy_tries(self):
         """Redirect from url param."""
-        return redirect(url_for("Airflow.tries", **request.args))
+        return redirect(url_for("Airflow.tries", **sanitize_args(request.args)))
 
     @expose("/dags/<string:dag_id>/tries")
     @auth.has_access(
@@ -3160,7 +3170,7 @@ class Airflow(AirflowBaseView):
     @action_logging
     def legacy_landing_times(self):
         """Redirect from url param."""
-        return redirect(url_for("Airflow.landing_times", **request.args))
+        return redirect(url_for("Airflow.landing_times", **sanitize_args(request.args)))
 
     @expose("/dags/<string:dag_id>/landing-times")
     @auth.has_access(
@@ -3282,7 +3292,7 @@ class Airflow(AirflowBaseView):
     @action_logging
     def legacy_gantt(self):
         """Redirect from url param."""
-        return redirect(url_for("Airflow.gantt", **request.args))
+        return redirect(url_for("Airflow.gantt", **sanitize_args(request.args)))
 
     @expose("/dags/<string:dag_id>/gantt")
     @auth.has_access(
@@ -3730,7 +3740,7 @@ class Airflow(AirflowBaseView):
     )
     def legacy_audit_log(self):
         """Redirect from url param."""
-        return redirect(url_for("Airflow.audit_log", **request.args))
+        return redirect(url_for("Airflow.audit_log", **sanitize_args(request.args)))
 
     @expose("/dags/<string:dag_id>/audit_log")
     @auth.has_access(
