Repository: incubator-airflow Updated Branches: refs/heads/master fcd51f362 -> dfa7b26dd
[AIRFLOW-2809] Fix security issue regarding Flask SECRET_KEY It's recommended by Falsk community to use random SECRET_KEY for security reason. However, in Airflow there is a default value for secret_key and most users will ignore to change it. This may cause security concern. Closes #3651 from XD-DENG/patch-2 Project: http://git-wip-us.apache.org/repos/asf/incubator-airflow/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-airflow/commit/dfa7b26d Tree: http://git-wip-us.apache.org/repos/asf/incubator-airflow/tree/dfa7b26d Diff: http://git-wip-us.apache.org/repos/asf/incubator-airflow/diff/dfa7b26d Branch: refs/heads/master Commit: dfa7b26ddaca80ee8fd9915ee9f6eac50fac77f6 Parents: fcd51f3 Author: XD-DENG <xd_d...@hotmail.com> Authored: Sun Jul 29 11:57:46 2018 +0200 Committer: Fokko Driesprong <fokkodriespr...@godatadriven.com> Committed: Sun Jul 29 11:57:46 2018 +0200 ---------------------------------------------------------------------- airflow/www/app.py | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/dfa7b26d/airflow/www/app.py ----------------------------------------------------------------------
diff --git a/airflow/www/app.py b/airflow/www/app.py
index 6eea5d2..319fe11 100644
--- a/airflow/www/app.py
+++ b/airflow/www/app.py
@@ -18,6 +18,7 @@
 # under the License.
 #
 import six
+import os
 from flask import Flask
 from flask_admin import Admin, base
@@ -43,9 +44,18 @@ csrf = CSRFProtect()
 def create_app(config=None, testing=False):
+
+    log = LoggingMixin().log
+
     app = Flask(__name__)
     app.wsgi_app = ProxyFix(app.wsgi_app)
-    app.secret_key = configuration.conf.get('webserver', 'SECRET_KEY')
+
+    if configuration.conf.get('webserver', 'SECRET_KEY') == "temporary_key":
+        log.info("SECRET_KEY for Flask App is not specified. Using a random one.")
+        app.secret_key = os.urandom(16)
+    else:
+        app.secret_key = configuration.conf.get('webserver', 'SECRET_KEY')
+
     app.config['LOGIN_DISABLED'] = not configuration.conf.getboolean(
         'webserver', 'AUTHENTICATE')
@@ -127,7 +137,6 @@ def create_app(config=None, testing=False):
     def integrate_plugins():
         """Integrate plugins to the context"""
-        log = LoggingMixin().log
         from airflow.plugins_manager import (
             admin_views, flask_blueprints, menu_links)
         for v in admin_views:
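Review bot: `app.secret_key = os.urandom(16)` is evaluated once per `create_app` call, so every webserver process ends up with its own key; if the app is served by more than one worker process (likely for a gunicorn deployment, to be confirmed) a session cookie or CSRF token issued by one worker is rejected by the others, and every restart silently logs all users out. Because the fallback degrades the deployment rather than just hardening it, it should be logged with `log.warning(...)` rather than `log.info(...)` and the message should tell the operator to set `[webserver] secret_key` to a persistent random value. The guard also only matches the literal `"temporary_key"`, so an empty value is still accepted as the signing key; read the option once and treat both cases as unset, e.g. `secret_key = configuration.conf.get('webserver', 'SECRET_KEY')` followed by `if not secret_key or secret_key == "temporary_key":`. create_app's body continues outside the hunk.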