kaxil closed pull request #3729: [AIRFLOW-2884] Fix Flask SECRET_KEY security issue in www_rbac URL: https://github.com/apache/incubator-airflow/pull/3729
This is a PR merged from a forked repository. As GitHub hides the original diff on merge, it is displayed below for the sake of provenance: As this is a foreign pull request (from a fork), the diff is supplied below (as it won't show otherwise due to GitHub magic):
diff --git a/airflow/config_templates/default_airflow.cfg b/airflow/config_templates/default_airflow.cfg
index 9d240b8323..b957d41355 100644
--- a/airflow/config_templates/default_airflow.cfg
+++ b/airflow/config_templates/default_airflow.cfg
@@ -250,6 +250,8 @@ worker_refresh_batch_size = 1
 worker_refresh_interval = 30
 
 # Secret key used to run your flask app
+# If default value is given ("temporary_key"), a random secret_key will be generated
+# when you launch your webserver for security reason
 secret_key = temporary_key
 
 # Number of workers to run the Gunicorn web server
diff --git a/airflow/www_rbac/app.py b/airflow/www_rbac/app.py
index 92e5c73881..8d3400a668 100644
--- a/airflow/www_rbac/app.py
+++ b/airflow/www_rbac/app.py
@@ -19,6 +19,7 @@
 #
 import socket
 import six
+import os
 
 from flask import Flask
 from flask_appbuilder import AppBuilder, SQLA
@@ -42,7 +43,10 @@ def create_app(config=None, session=None, testing=False, app_name="Airflow"):
     global app, appbuilder
     app = Flask(__name__)
     app.wsgi_app = ProxyFix(app.wsgi_app)
-    app.secret_key = conf.get('webserver', 'SECRET_KEY')
+    if conf.get('webserver', 'SECRET_KEY') == "temporary_key":
+        app.secret_key = os.urandom(16)
+    else:
+        app.secret_key = conf.get('webserver', 'SECRET_KEY')
 
     airflow_home_path = conf.get('core', 'AIRFLOW_HOME')
     webserver_config_path = airflow_home_path + '/webserver_config.py'
----------------------------------------------------------------
This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
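Review bot: The two comment lines added above `secret_key` in default_airflow.cfg say a random key is generated but not what that costs the operator, which is the thing someone reading the template needs to decide whether to keep the default. A key generated at process start is, by construction, different after every restart and, if the webserver runs more than one process, presumably different in each of them, so anything signed with it (Flask session cookies) stops validating across those boundaries. I would word the comment as `# If the default value ("temporary_key") is left in place, a random secret_key is generated each time the webserver process starts. Sessions signed with such a key do not survive a restart and cannot be shared between processes, so set a fixed, secret value for any real deployment.`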
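Review bot: The fallback in create_app (airflow/www_rbac/app.py, second hunk) silently picks a fresh `os.urandom(16)` key in every process that calls create_app and gives the operator no signal that it did so; Flask uses `app.secret_key` to sign session cookies, so the moment the webserver restarts or a second worker process builds its own app, previously issued cookies are rejected and the failure looks like a login bug rather than a configuration one. I cannot see from the hunk whether a logger is in scope in this module; if one is, a single warning at the fallback branch naming the config key would make the behaviour discoverable. The branch also calls `conf.get('webserver', 'SECRET_KEY')` twice and assigns `app.secret_key` in two places, so a small restructure reads the key once and keeps the fallback explanation next to the random-key line. create_app begins before this hunk and its body continues after it.
```python
    app.wsgi_app = ProxyFix(app.wsgi_app)
    secret_key = conf.get('webserver', 'SECRET_KEY')
    if secret_key == "temporary_key":
        # Template default left in place: use a per-process random key instead.
        # Cookies signed with it are rejected after a restart or by any other
        # process holding its own key, so deployments should set a fixed value.
        secret_key = os.urandom(16)
    app.secret_key = secret_key
    # … unchanged: AIRFLOW_HOME / webserver_config.py lookup …
```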