kaxil closed pull request #3729: [AIRFLOW-2884] Fix Flask SECRET_KEY security 
issue in www_rbac
URL: https://github.com/apache/incubator-airflow/pull/3729
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/airflow/config_templates/default_airflow.cfg 
b/airflow/config_templates/default_airflow.cfg
index 9d240b8323..b957d41355 100644
--- a/airflow/config_templates/default_airflow.cfg
+++ b/airflow/config_templates/default_airflow.cfg
@@ -250,6 +250,8 @@ worker_refresh_batch_size = 1
 worker_refresh_interval = 30
 
 # Secret key used to run your flask app
+# If default value is given ("temporary_key"), a random secret_key will be 
generated
+# when you launch your webserver for security reason
 secret_key = temporary_key
 
 # Number of workers to run the Gunicorn web server
diff --git a/airflow/www_rbac/app.py b/airflow/www_rbac/app.py
index 92e5c73881..8d3400a668 100644
--- a/airflow/www_rbac/app.py
+++ b/airflow/www_rbac/app.py
@@ -19,6 +19,7 @@
 #
 import socket
 import six
+import os
 
 from flask import Flask
 from flask_appbuilder import AppBuilder, SQLA
@@ -42,7 +43,10 @@ def create_app(config=None, session=None, testing=False, 
app_name="Airflow"):
     global app, appbuilder
     app = Flask(__name__)
     app.wsgi_app = ProxyFix(app.wsgi_app)
-    app.secret_key = conf.get('webserver', 'SECRET_KEY')
+    if conf.get('webserver', 'SECRET_KEY') == "temporary_key":
+        app.secret_key = os.urandom(16)
+    else:
+        app.secret_key = conf.get('webserver', 'SECRET_KEY')
 
     airflow_home_path = conf.get('core', 'AIRFLOW_HOME')
     webserver_config_path = airflow_home_path + '/webserver_config.py'
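Review bot: The fallback on line 49 generates the key inside create_app, which is presumably invoked separately in each webserver process, so with the multi-worker Gunicorn setup the same configuration describes ("Number of workers to run the Gunicorn web server", line 29 of the cfg hunk) every worker ends up holding a different secret_key, and a session cookie signed by one worker is rejected by the next — surfacing as random logouts and CSRF validation failures — while every restart also invalidates all existing sessions. A per-process `os.urandom` fallback is therefore only sound for a single-process webserver; the key should be generated once where the configuration is materialised, or the default rejected with a clear error, and the comment added to default_airflow.cfg should tell operators that an explicit value is required for multi-worker deployments. As a smaller point, `conf.get('webserver', 'SECRET_KEY')` is read twice on lines 48 and 51; bind it once, e.g. `secret_key = conf.get('webserver', 'SECRET_KEY')` followed by `app.secret_key = os.urandom(16) if secret_key == "temporary_key" else secret_key`. The body of create_app continues past the end of the hunk.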


 
