Garrett Summers created AIRFLOW-2283:

             Summary: Multi-Tenant security vulnerability
                 Key: AIRFLOW-2283
             Project: Apache Airflow
          Issue Type: Bug
          Components: models, scheduler, security, webserver
    Affects Versions: Airflow 1.8
         Environment: Any/All
            Reporter: Garrett Summers

We noticed what we think to be a potential security vulnerability when 
importing dag files in the following line:

{{m = imp.load_source(mod_name, filepath)}}

This line in the DagBag.process_file code imports the dag files available, but 
this causes all of the code in the file to actually execute (which could be any 
arbitrary code). If the dags for different tenants are being stored in a common 
dag structure (even though the are filtered for the different tenants) then the 
arbitrary code execution would make it possible for one tenant to access/modify 
the dags of other tenants. This would be a major problem for users who utilize 
the multi-tenant functionality in Airflow.

This message was sent by Atlassian JIRA

Reply via email to