From: Maxime Beauchemin
Date: Thu, 18 Aug 2016 22:53:40 -0700
Subject: Fwd: Possible security bug in incubator-airflow OAuth GitHub Enterprise auth
To: dev@airflow.incubator.apache.org
Cc: patrick.toomey@github.com
archived-at: Fri, 19 Aug 2016 05:53:47 -0000

Anyone on this mailing list using GH authentication in Airflow? I received an email from GH security about a concern about our integration (below). I commented on the original commit and tagged the author and someone else who touched the file here:
https://github.com/apache/incubator-airflow/commit/4796245be517aed06df21a85c93a2b86a7f31939

I'd love if someone using GH authentication could take the lead on this.

Thanks,
Max

---------- Forwarded message ----------
From: Patrick Toomey <@github.com>
Date: Wed, Aug 17, 2016 at 8:25 AM
Subject: Possible security bug in incubator-airflow OAuth GitHub Enterprise auth
To: max

Hi,

I am a member of the GitHub application security team and happened to recently run across https://github.com/apache/incubator-airflow, as someone was looking at using it internally. While they were pulling together a proof of concept, I noticed that they had included the “github_enterprise_auth.py” file. While browsing through this file I noticed something that stuck out. In particular, this line looks like it could be a security issue: https://github.com/apache/incubator-airflow/blob/821bdb5310c6c21cd9c0b9d0797873ff6114179d/airflow/contrib/auth/backends/github_enterprise_auth.py#L159. That line appears to look for a response from the “user teams” API for a team slug that matches one from the “allowed_teams” configuration option. However, this slug is just a string, and doesn’t convey any information about a specific team. For example, an enterprise instance might create an organization “Acme” and also create a team in this organization called “designers”. But, there could also be another organization on that same Enterprise instance, “Evil”, that also creates a team called “designers”. I haven’t spun up a working instance of this integration, so my apologies if I missed some other bit of logic that would prevent this kind of attack. But, in general, when you do this kind of validation, it is better to use an identifier that is guaranteed to be globally unique across the GitHub instance. In the case of a GitHub Enterprise instance, that would likely be the ID of the team, which is also returned by the same API: https://developer.github.com/v3/orgs/teams/#list-user-teams.

Thanks,
Patrick
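The slug-versus-ID distinction Patrick describes, as an added Python example that is not Airflow's code and not part of the original thread: a slug-only check admits a same-named team from a second organization, while a team-ID check (or an org-qualified slug) does not. The team objects below are constructed sample data; their field shape (`id`, `slug`, `organization.login`) is assumed from the linked List user teams endpoint.

```python
"""Weak slug-only team check beside two checks that identify the team precisely.

The sample team lists are constructed to model Patrick's scenario: two
organizations on one GitHub Enterprise instance, both with a "designers" team.
Field names (id, slug, organization.login) are an assumption about the
"list user teams" API response, not copied from Airflow.
"""
from __future__ import annotations

from typing import Iterable

# Constructed: what the teams API might return for a member of Acme/designers.
ACME_DESIGNER_TEAMS = [
    {"id": 101, "slug": "designers", "organization": {"login": "Acme"}},
]
# Constructed: the same call for a member of Evil/designers on the same instance.
EVIL_DESIGNER_TEAMS = [
    {"id": 202, "slug": "designers", "organization": {"login": "Evil"}},
]


def allowed_by_slug(user_teams: Iterable[dict], allowed_slugs: set[str]) -> bool:
    """Weak check: a bare slug is only unique within one organization, so any
    organization on the instance can mint a team whose slug matches the config."""
    return any(team["slug"] in allowed_slugs for team in user_teams)


def allowed_by_id(user_teams: Iterable[dict], allowed_ids: set[int]) -> bool:
    """Stronger check: the numeric team ID is unique across the whole instance."""
    return any(team["id"] in allowed_ids for team in user_teams)


def allowed_by_org_and_slug(
    user_teams: Iterable[dict], allowed: set[tuple[str, str]]
) -> bool:
    """Readable alternative: qualify the slug with its organization login so a
    same-named team in another organization cannot match."""
    return any(
        (team["organization"]["login"], team["slug"]) in allowed
        for team in user_teams
    )


if __name__ == "__main__":
    # The slug-only check cannot tell the two users apart; the others can.
    print("slug  Acme:", allowed_by_slug(ACME_DESIGNER_TEAMS, {"designers"}))
    print("slug  Evil:", allowed_by_slug(EVIL_DESIGNER_TEAMS, {"designers"}))
    print("id    Evil:", allowed_by_id(EVIL_DESIGNER_TEAMS, {101}))
    print("org   Evil:", allowed_by_org_and_slug(EVIL_DESIGNER_TEAMS, {("Acme", "designers")}))
```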