airflow-commits mailing list archives

From "Dan Davydov (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (AIRFLOW-1584) Remove the insecure /headers endpoints
Date Fri, 08 Sep 2017 22:45:00 GMT

     [ https://issues.apache.org/jira/browse/AIRFLOW-1584?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dan Davydov updated AIRFLOW-1584:
---------------------------------
    Description: 
Impact: An XSS vulnerability on Airflow would be able to read a user's auth_proxy cookie,
granting the attacker access to any other InternalAuth-gated application on Airbnb's network.

Target: The endpoint at https://airflow-main-proxy.d.musta.ch/admin/airflow/headers or https://airflow-precious.d.musta.ch/admin/airflow/headers

Description: The endpoint listed in the Target section returns the headers sent by the user's
browser, including the Cookie header. Since this endpoint can be called by JavaScript on the
Airflow domain, this allows JS running on Airflow to ignore the HTTPOnly directive that the
auth_proxy (and potentially other) cookie sets. This means that malicious JavaScript can steal
the auth_proxy cookie and use it to authenticate to other InternalAuth services.


This can be demonstrated by running the following JavaScript snippet in any Airflow tab:
{code:javascript}
$.get("/admin/airflow/headers", function(data) {alert(data['headers']['Cookie']);})
{code}


Remediation: Disable this endpoint entirely. If some of the headers are important they can
be added to the gunicorn request log format.

  was:
Impact: An XSS vulnerability on Airflow would be able to read a user's auth_proxy cookie,
granting the attacker access to any other InternalAuth-gated application on Airbnb's network.

Target: The endpoint at https://airflow-main-proxy.d.musta.ch/admin/airflow/headers or https://airflow-precious.d.musta.ch/admin/airflow/headers

Description: The endpoint listed in the Target section returns the headers sent by the user's
browser, including the Cookie header. Since this endpoint can be called by JavaScript on the
Airflow domain, this allows JS running on Airflow to ignore the HTTPOnly directive that the
auth_proxy (and potentially other) cookie sets. This means that malicious JavaScript can steal
the auth_proxy cookie and use it to authenticate to other InternalAuth services.


{code:java}
This can be demonstrated by running the following JavaScript snippet in any Airflow tab:
$.get("/admin/airflow/headers", function(data) {alert(data['headers']['Cookie']);})
{code}


Remediation: Disable this endpoint entirely. If some of the headers are important they can
be added to the gunicorn request log format.


> Remove the insecure /headers endpoints
> --------------------------------------
>
>                 Key: AIRFLOW-1584
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-1584
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: webserver
>            Reporter: Dan Davydov
>            Assignee: Dan Davydov
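The leak the ticket describes, and a hardened form of the same view, as an added example that is not Airflow's own code. It assumes a WSGI-style environ dict in place of a real Flask request, a constructed cookie value, and a gunicorn access_log_format entry for the remediation's "log it instead" path.

```python
# Added example, not Airflow's own code: a plain-Python model of the /headers
# endpoint (a WSGI environ dict stands in for the request, so no Flask needed).
# The vulnerable view echoes every request header, Cookie included, to
# same-origin JavaScript; the hardened view drops credential-bearing headers.
# The ticket's real fix is to delete the endpoint outright.
SENSITIVE_HEADERS = frozenset({"cookie", "authorization",
                               "proxy-authorization", "x-csrf-token"})

def headers_from_environ(environ):
    """Recover request headers from a WSGI environ (HTTP_USER_AGENT -> User-Agent)."""
    return {key[5:].replace("_", "-").title(): value
            for key, value in environ.items() if key.startswith("HTTP_")}

def vulnerable_headers_view(environ):
    """Original behaviour: every header goes back to the browser, so any script on
    the Airflow origin can read a cookie that HttpOnly was supposed to hide."""
    return {"headers": headers_from_environ(environ)}

def hardened_headers_view(environ):
    """Same diagnostic view with Cookie/Authorization-style headers removed."""
    return {"headers": {name: value
                        for name, value in headers_from_environ(environ).items()
                        if name.lower() not in SENSITIVE_HEADERS}}

# Server-side alternative from the remediation: record a header in the gunicorn
# access log instead of echoing it. %({Name}i)s is gunicorn's request-header
# token, appended here to gunicorn's default access_log_format.
GUNICORN_ACCESS_LOG_FORMAT = ('%(h)s %(l)s %(u)s %(t)s "%(r)s" %(s)s %(b)s '
                              '"%(f)s" "%(a)s" xff="%({X-Forwarded-For}i)s"')

# Constructed sample request; the cookie value is a placeholder, not a real token.
SAMPLE_ENVIRON = {
    "PATH_INFO": "/admin/airflow/headers",
    "HTTP_HOST": "airflow.example.internal",
    "HTTP_COOKIE": "auth_proxy=PLACEHOLDER-TOKEN; session=abc123",
    "HTTP_USER_AGENT": "Mozilla/5.0 (constructed)",
    "HTTP_X_FORWARDED_FOR": "10.0.0.7",
}

if __name__ == "__main__":
    print("vulnerable:", vulnerable_headers_view(SAMPLE_ENVIRON)["headers"].get("Cookie"))
    print("hardened:  ", hardened_headers_view(SAMPLE_ENVIRON)["headers"].get("Cookie"))
```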



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
