[ https://issues.apache.org/jira/browse/AIRFLOW-4186?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ash Berlin-Taylor resolved AIRFLOW-4186.
----------------------------------------
    Resolution: Not A Bug

{quote}An attacker who is able to intercept and modify client HTTP requests 
before reaching the application server could redirect the clients to a 
malicious host.
{quote}
If someone can intercept your HTTP traffic ALL BETS ARE OFF. They could just 
re-write the 302 response no matter what we send.

Use https.

> [security] ui - Application is vulnerable to redirection attacks
> ----------------------------------------------------------------
>
>                 Key: AIRFLOW-4186
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-4186
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: security, ui
>            Reporter: t oo
>            Priority: Major
>
> Issue Details
>
> The Web server uses user-controlled input data to construct a redirection 
> URL when the "X-Forwarded-Host" header is added to a request. This header is 
> not added by default by the application, but causes a redirect to be 
> performed when provided by a user.
>
> The application's "X-Forwarded-Host" header is included with the site 
> google.com, causing the application to respond with a 302 redirect to that 
> location.
>
> The application successfully redirects to the specified website.
>
> Business Impact/Attack Scenario
>
> An attacker who is able to intercept and modify client HTTP requests before 
> reaching the application server could redirect the clients to a malicious 
> host.
>
> Recommendation
>
> Use the server’s name as the redirection destination where possible, or 
> validate header values against a known whitelist.
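The report's recommendation (use the server's own name, or check the header against a known allowlist) can be shown in a small WSGI example. This is an added illustration, not Airflow's code: the `redirect_app` models the reported behaviour of building a 302 Location from whatever `X-Forwarded-Host` says, and `ForwardedHostAllowlist` is a hypothetical middleware that only honours the header when its value is in a configured set of hosts, falling back to the configured server name otherwise. `TRUSTED_HOSTS`, `SERVER_NAME` and the request dictionaries are constructed values.

```python
"""
Allowlist handling of X-Forwarded-Host in front of a WSGI app.

Added example, not Airflow's own code. The host names, the allowlist and
the request environ below are constructed for the demonstration.
"""
from urllib.parse import urlsplit

# Assumed deployment configuration: hosts this instance is actually served as.
SERVER_NAME = "airflow.example.internal"
TRUSTED_HOSTS = {"airflow.example.internal", "airflow.example.internal:8080"}


def effective_host(environ, trusted_hosts=TRUSTED_HOSTS, server_name=SERVER_NAME):
    """Host the app may use in absolute URLs.

    X-Forwarded-Host is honoured only if it matches the allowlist exactly;
    anything else (or no header at all) falls back to the configured name.
    """
    forwarded = environ.get("HTTP_X_FORWARDED_HOST", "")
    # A proxy chain may append several values; the first is the client-facing one.
    candidate = forwarded.split(",")[0].strip().lower()
    if candidate and candidate in trusted_hosts:
        return candidate
    return server_name


class ForwardedHostAllowlist:
    """Hypothetical WSGI middleware (not Werkzeug's ProxyFix).

    Rewrites HTTP_HOST from a trusted X-Forwarded-Host and removes the raw
    header so the wrapped app never sees an unvalidated value.
    """

    def __init__(self, app, trusted_hosts=TRUSTED_HOSTS, server_name=SERVER_NAME):
        self.app = app
        self.trusted_hosts = trusted_hosts
        self.server_name = server_name

    def __call__(self, environ, start_response):
        environ = dict(environ)  # do not mutate the caller's environ
        environ["HTTP_HOST"] = effective_host(environ, self.trusted_hosts, self.server_name)
        environ.pop("HTTP_X_FORWARDED_HOST", None)
        return self.app(environ, start_response)


def redirect_app(environ, start_response):
    """Models the reported behaviour: the forwarded host, if present, ends up in Location."""
    host = environ.get("HTTP_X_FORWARDED_HOST") or environ["HTTP_HOST"]
    location = f"{environ.get('wsgi.url_scheme', 'https')}://{host}/home"
    start_response("302 FOUND", [("Location", location)])
    return [b""]


def location_for(app, environ):
    """Call a WSGI app with a constructed environ and return its Location header."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = app(environ, start_response)
    if hasattr(body, "close"):
        body.close()
    return captured["headers"].get("Location")


def forged_request(forwarded_host="google.com"):
    """Constructed request: legitimate Host plus an attacker-supplied X-Forwarded-Host."""
    return {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": "/",
        "wsgi.url_scheme": "https",
        "HTTP_HOST": SERVER_NAME,
        "HTTP_X_FORWARDED_HOST": forwarded_host,
    }


def is_same_site(location, server_name=SERVER_NAME):
    """Check a Location header points at our own host; usable in tests or log review."""
    return urlsplit(location).hostname == server_name


if __name__ == "__main__":
    print("unprotected:", location_for(redirect_app, forged_request()))
    print("allowlisted:", location_for(ForwardedHostAllowlist(redirect_app), forged_request()))
```

With the wrapper in place the forged header is discarded and the 302 points back at the configured server name, while a value that is on the allowlist (for example the same host with an explicit port) is still honoured, which is what a deployment behind a reverse proxy needs. As the resolution above notes, this only limits what the header can do at the application; it does not help against an attacker who can already rewrite plaintext HTTP responses, which is why TLS is the primary control.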



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
