Garrett Summers created AIRFLOW-2283:
----------------------------------------

             Summary: Multi-Tenant security vulnerability
                 Key: AIRFLOW-2283
                 URL: https://issues.apache.org/jira/browse/AIRFLOW-2283
             Project: Apache Airflow
          Issue Type: Bug
          Components: models, scheduler, security, webserver
    Affects Versions: Airflow 1.8
         Environment: Any/All
            Reporter: Garrett Summers

We noticed what we think to be a potential security vulnerability when importing dag files in the following line:

{{m = imp.load_source(mod_name, filepath)}}

This line in the DagBag.process_file code imports the dag files available, but this causes all of the code in the file to actually execute (which could be any arbitrary code). If the dags for different tenants are being stored in a common dag structure (even though they are filtered for the different tenants) then the arbitrary code execution would make it possible for one tenant to access/modify the dags of other tenants.

This would be a major problem for users who utilize the multi-tenant functionality in Airflow.
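The behaviour the report describes, as an added example that is not part of the original report or of Airflow's code: loading a file as a module runs its top-level statements, while parsing it with `ast` lists what would run without executing anything. `importlib` stands in for the `imp.load_source` call (the `imp` module was removed in Python 3.12); the sample DAG file, the `DEMO_MARKER` variable and all function names are constructed for illustration.

```python
import ast
import importlib.util
import os
import tempfile

# Constructed stand-in for a tenant-supplied DAG file. Line 2 is a top-level
# statement with a side effect; it runs as soon as the file is loaded.
SAMPLE_DAG = '''\
import os
open(os.environ["DEMO_MARKER"], "w").write("ran at import")
dag_id = "tenant_a_example"
'''

def load_like_dagbag(mod_name, filepath):
    """Load a source file as a module (importlib equivalent of imp.load_source)."""
    spec = importlib.util.spec_from_file_location(mod_name, filepath)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)  # every top-level statement executes here
    return module

def module_level_calls(source):
    """Return sorted (line, callee) pairs for calls that would run at load time."""
    tree = ast.parse(source)  # parsing never runs the file's code
    found = set()
    for stmt in tree.body:
        # Function bodies run only when called; decorators and default
        # arguments are not examined here.
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for node in ast.walk(stmt):
            if isinstance(node, ast.Call):
                func = node.func
                name = getattr(func, "attr", None) or getattr(func, "id", "?")
                found.add((node.lineno, name))
    return sorted(found)

def demo():
    with tempfile.TemporaryDirectory() as d:
        dag_path = os.path.join(d, "tenant_a_dag.py")
        marker = os.path.join(d, "marker.txt")
        with open(dag_path, "w") as f:
            f.write(SAMPLE_DAG)
        os.environ["DEMO_MARKER"] = marker
        static = module_level_calls(SAMPLE_DAG)
        ran_after_parse = os.path.exists(marker)   # static parse: no side effect
        module = load_like_dagbag("tenant_a_dag", dag_path)
        ran_after_load = os.path.exists(marker)    # load: side effect happened
        return static, ran_after_parse, ran_after_load, module.dag_id

if __name__ == "__main__":
    print(demo())
```

Legitimate DAG files also make module-level calls, so the static listing is a review aid rather than an isolation boundary between tenants.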