airflow-commits mailing list archives

From "Dan Davydov (JIRA)" <j...@apache.org>
Subject [jira] [Created] (AIRFLOW-1584) Remove the insecure /headers endpoints
Date Fri, 08 Sep 2017 22:38:00 GMT
Dan Davydov created AIRFLOW-1584:
------------------------------------

             Summary: Remove the insecure /headers endpoints
                 Key: AIRFLOW-1584
                 URL: https://issues.apache.org/jira/browse/AIRFLOW-1584
             Project: Apache Airflow
          Issue Type: Bug
          Components: webserver
            Reporter: Dan Davydov
            Assignee: Dan Davydov


Impact: An XSS vulnerability on Airflow would be able to read a user's auth_proxy cookie,
granting the attacker access to any other InternalAuth-gated application on Airbnb's network.

Target: The endpoint at https://airflow-main-proxy.d.musta.ch/admin/airflow/headers or https://airflow-precious.d.musta.ch/admin/airflow/headers

Description: The endpoint listed in the Target section returns the headers sent by the user's
browser, including the Cookie header. Since this endpoint can be called by JavaScript on the
Airflow domain, this allows JS running on Airflow to bypass the HttpOnly flag that the
auth_proxy cookie (and potentially others) carry. This means that malicious JavaScript can steal
the auth_proxy cookie and use it to authenticate to other InternalAuth services.

This can be demonstrated by running the following JavaScript snippet in any Airflow tab:
$.get("/admin/airflow/headers", function(data) {alert(data['headers']['Cookie']);})

Remediation: Disable this endpoint entirely. If some of the headers are important they can
be added to the gunicorn request log format.
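As an added illustration (not code from this issue or from Airflow itself), the defect and the remediation side by side in a stdlib-only WSGI sketch: the "before" view reflects every request header into the response body, the "after" view retires the endpoint with a 404 and writes only non-credential headers to a log. The function names, the 404 status and the use of `logging` as a stand-in for gunicorn's access-log format are assumptions.

```python
import json
import logging
from wsgiref.util import setup_testing_defaults

# Request headers that must never be echoed into a response body: any same-origin
# script could read the reflected value, which defeats the HttpOnly flag.
SENSITIVE_HEADERS = {"Cookie", "Authorization", "Proxy-Authorization"}


def request_headers(environ):
    """Rebuild the browser's request headers from a WSGI environ (HTTP_X_Y -> X-Y)."""
    headers = {}
    for key, value in environ.items():
        if key.startswith("HTTP_"):
            headers[key[5:].replace("_", "-").title()] = value
    return headers


def filter_sensitive(headers):
    """Drop credential-bearing headers before they go anywhere a user can read them."""
    return {name: value for name, value in headers.items() if name not in SENSITIVE_HEADERS}


def vulnerable_headers_view(environ):
    """Before: the /headers endpoint reflects every request header, Cookie included."""
    return "200 OK", json.dumps({"headers": request_headers(environ)})


def hardened_headers_view(environ):
    """After: the endpoint is gone (404). Headers worth keeping go to the access log,
    minus anything sensitive, rather than into a response a script can read."""
    safe = filter_sensitive(request_headers(environ))
    logging.getLogger("access").info("headers=%s", json.dumps(safe))
    return "404 NOT FOUND", ""


def make_environ(cookie, user_agent):
    """Constructed WSGI environ standing in for a browser request to the endpoint."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = "/admin/airflow/headers"
    environ["HTTP_COOKIE"] = cookie          # constructed sample cookie
    environ["HTTP_USER_AGENT"] = user_agent  # constructed sample user agent
    return environ


if __name__ == "__main__":
    env = make_environ("auth_proxy=example-session-token", "Mozilla/5.0")
    print(vulnerable_headers_view(env))  # cookie value appears in the body
    print(hardened_headers_view(env))    # it does not
```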



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
