airflow-commits mailing list archives

From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AIRFLOW-1584) Remove the insecure /headers endpoints
Date Mon, 11 Sep 2017 11:13:00 GMT

    [ https://issues.apache.org/jira/browse/AIRFLOW-1584?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16161086#comment-16161086 ]

ASF subversion and git services commented on AIRFLOW-1584:
----------------------------------------------------------

Commit 17ac070b29bbf6ef80f3d7382d524d694464f498 in incubator-airflow's branch refs/heads/master
from [~aoen]
[ https://git-wip-us.apache.org/repos/asf?p=incubator-airflow.git;h=17ac070 ]

[AIRFLOW-1584] Remove insecure /headers endpoint

Closes #2588 from aoen/ddavydov--remove_headers_endpoint


> Remove the insecure /headers endpoints
> --------------------------------------
>
>                 Key: AIRFLOW-1584
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-1584
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: webserver
>            Reporter: Dan Davydov
>            Assignee: Dan Davydov
>             Fix For: 1.9.0
>
>
> Impact: An XSS vulnerability on Airflow would be able to read a user's auth_proxy cookie,
> granting the attacker access to any other InternalAuth-gated application on Airbnb's network.
> Target: The endpoint at https://airflow-main-proxy.d.musta.ch/admin/airflow/headers or
> https://airflow-precious.d.musta.ch/admin/airflow/headers
> Description: The endpoint listed in the Target section returns the headers sent by the
> user's browser, including the Cookie header. Since this endpoint can be called by JavaScript
> on the Airflow domain, this allows JS running on Airflow to ignore the HTTPOnly directive
> that the auth_proxy (and potentially other) cookie sets. This means that malicious JavaScript
> can steal the auth_proxy cookie and use it to authenticate to other InternalAuth services.
> This can be demonstrated by running the following JavaScript snippet in any Airflow tab:
> {code:javascript}
> $.get("/admin/airflow/headers", function(data) {alert(data['headers']['Cookie']);})
> {code}
> Remediation: Disable this endpoint entirely. If some of the headers are important they
> can be added to the gunicorn request log format.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
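The header-reflection bug described in the quoted issue, as an added example that is not Airflow's code and not part of the original message: a constructed WSGI app with the echoing view, the same app with the endpoint removed (the remediation), and a regression check that sends a canary cookie and reports whether it comes back in the response body. Only the `/admin/airflow/headers` path is taken from the issue; the app, function names and log format line are assumptions.

```python
import json

# Constructed example, not Airflow's own code: a tiny WSGI app with the vulnerable
# header-echo view, the same app with it removed, and a cookie-reflection regression check.

def environ_headers(environ):
    """Rebuild the browser's request headers from a WSGI environ (HTTP_USER_AGENT -> User-Agent)."""
    return {k[5:].replace("_", "-").title(): v for k, v in environ.items() if k.startswith("HTTP_")}

def headers_view(environ):
    # Vulnerable pattern: every request header, Cookie included, is returned as JSON.
    # Script on the same origin can fetch this, so HttpOnly no longer protects the cookie.
    return 200, json.dumps({"headers": environ_headers(environ)})

def make_app(routes):
    """Tiny WSGI application: dispatch on PATH_INFO, 404 for anything unrouted."""
    def app(environ, start_response):
        view = routes.get(environ.get("PATH_INFO", ""))
        status, body = view(environ) if view else (404, '{"error": "not found"}')
        reason = "OK" if status == 200 else "Not Found"
        start_response(f"{status} {reason}", [("Content-Type", "application/json")])
        return [body.encode()]
    return app

vulnerable_app = make_app({"/admin/airflow/headers": headers_view})
fixed_app = make_app({})  # the remediation: the endpoint simply no longer exists

# If some headers are still wanted, log them server-side instead of serving them to the
# browser; gunicorn's access_log_format can include a request header with %({Name}i)s.
ACCESS_LOG_FORMAT = '%(h)s %(l)s %(u)s %(t)s "%(r)s" %(s)s %(b)s "%({X-Forwarded-For}i)s"'

def call(app, path, cookie):
    """Send one GET carrying the given Cookie header; return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "HTTP_COOKIE": cookie, "HTTP_USER_AGENT": "regression-check/1.0"}
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = int(status.split()[0])

    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], body

def reflects_cookie(app, path, canary="CANARY-0123456789abcdef"):
    """True if a canary cookie value sent to `path` comes back in the response body."""
    _, body = call(app, path, f"auth_proxy={canary}")
    return canary in body
```

Running `reflects_cookie` against every route of an app in its test suite turns this class of bug into a failing test rather than a security report.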
