Garrett Summers created AIRFLOW-2283:
----------------------------------------

             Summary: Multi-Tenant security vulnerability
                 Key: AIRFLOW-2283
                 URL: https://issues.apache.org/jira/browse/AIRFLOW-2283
             Project: Apache Airflow
          Issue Type: Bug
          Components: models, scheduler, security, webserver
    Affects Versions: Airflow 1.8
         Environment: Any/All
            Reporter: Garrett Summers


We noticed what we think to be a potential security vulnerability when 
importing dag files in the following line:


{{m = imp.load_source(mod_name, filepath)}}


This line in the DagBag.process_file code imports the dag files available, but 
this causes all of the code in the file to actually execute (which could be any 
arbitrary code). If the dags for different tenants are being stored in a common 
dag structure (even though they are filtered for the different tenants) then the 
arbitrary code execution would make it possible for one tenant to access/modify 
the dags of other tenants. This would be a major problem for users who utilize 
the multi-tenant functionality in Airflow.
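The following is an added illustration of the point made in this report; it is not code from the report or from the Airflow project. It loads a constructed DAG-like file the way DagBag.process_file does (using the importlib equivalent of `imp.load_source`, since `imp` is deprecated) and shows that every top-level statement in the file runs at import time, then contrasts that with an `ast`-based pre-screen that inspects the file without executing it. The `top_level_calls` pre-screen, the `DAG` stand-in class and the sample file are assumptions made for this example; Airflow has no such screening step, and a parse-time check is only a cheap detection aid, not a substitute for isolating tenants' DAG folders and parsing processes from one another.

```python
import ast
import importlib.util
import os
import tempfile

# Constructed sample "DAG" file. Its first top-level statement has a side
# effect (creating a marker file) that has nothing to do with defining a
# DAG; it stands in for the arbitrary code the report warns about.
SAMPLE_DAG_SOURCE = '''
import os
# Top-level statement: runs at import time, before any DAG is defined.
open(os.path.join(os.path.dirname(__file__), "import_side_effect.marker"), "w").close()

class DAG:  # stand-in for airflow.models.DAG so the sample runs offline
    def __init__(self, dag_id):
        self.dag_id = dag_id

dag = DAG("tenant_a_example")
'''


def load_like_dagbag(filepath):
    """Import a file the way DagBag.process_file does (the importlib form of
    imp.load_source(mod_name, filepath)): every top-level statement executes."""
    mod_name = "dag_" + os.path.splitext(os.path.basename(filepath))[0]
    spec = importlib.util.spec_from_file_location(mod_name, filepath)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)  # this is the line that runs the file
    return module


def top_level_calls(filepath):
    """Parse the file WITHOUT executing it and return module-level expression
    statements that are bare calls: (line number, source text). A hypothetical
    pre-screen for review/alerting; it cannot prove a file is safe."""
    with open(filepath) as f:
        tree = ast.parse(f.read(), filename=filepath)
    findings = []
    for node in tree.body:
        if isinstance(node, ast.Expr) and isinstance(node.value, ast.Call):
            findings.append((node.lineno, ast.unparse(node.value)))  # Python 3.9+
    return findings


def demo():
    """Write the sample file to a temp dir, pre-screen it, then import it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tenant_a.py")
        with open(path, "w") as f:
            f.write(SAMPLE_DAG_SOURCE)
        marker = os.path.join(d, "import_side_effect.marker")

        # 1. Static inspection: the file is parsed, nothing in it runs.
        findings = top_level_calls(path)
        ran_during_parse = os.path.exists(marker)

        # 2. Import as DagBag does: the top-level call runs and leaves the marker.
        module = load_like_dagbag(path)
        ran_during_import = os.path.exists(marker)

        return {
            "findings": findings,
            "ran_during_parse": ran_during_parse,    # False
            "ran_during_import": ran_during_import,  # True
            "dag_id": module.dag.dag_id,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the marker file absent after the `ast` pass and present after the import: the DAG object is only obtained by executing the whole file, which is exactly why a shared DAG folder lets one tenant's file run code in the context that processes every tenant's DAGs.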



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)