Posted to commits@airflow.apache.org by ka...@apache.org on 2020/12/03 00:10:28 UTC

[airflow] 27/34: [AIRFLOW-2884] Fix Flask SECRET_KEY security issue in www_rbac (#3729)

This is an automated email from the ASF dual-hosted git repository.

kaxilnaik pushed a commit to branch v1-10-test
in repository https://gitbox.apache.org/repos/asf/airflow.git

commit 28d18c4deb42a20e08793765f7b298844c93cc94
Author: Xiaodong <xd...@hotmail.com>
AuthorDate: Fri Aug 10 18:30:41 2018 +0800

    [AIRFLOW-2884] Fix Flask SECRET_KEY security issue in www_rbac (#3729)
    
    The same issue was fixed for /www previously in
    PR https://github.com/apache/incubator-airflow/pull/3651
    (JIRA ticket 2809)
    
    (cherry picked from commit fe6d00a54f83468e296777d3b83b65a2ae7169ec)
---
 airflow/config_templates/config.yml          | 3 ++-
 airflow/config_templates/default_airflow.cfg | 3 ++-
 airflow/www_rbac/app.py                      | 6 ++++++
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/airflow/config_templates/config.yml b/airflow/config_templates/config.yml
index 87ee928..7f0f714 100644
--- a/airflow/config_templates/config.yml
+++ b/airflow/config_templates/config.yml
@@ -737,7 +737,8 @@
     - name: secret_key
       description: |
         Secret key used to run your flask app
-        It should be as random as possible
+        If default value is given ("temporary_key"), a random secret_key will be generated
+        when you launch your webserver for security reason
       version_added: ~
       type: string
       example: ~
diff --git a/airflow/config_templates/default_airflow.cfg b/airflow/config_templates/default_airflow.cfg
index 662fd00..765b1ce 100644
--- a/airflow/config_templates/default_airflow.cfg
+++ b/airflow/config_templates/default_airflow.cfg
@@ -362,7 +362,8 @@ worker_refresh_interval = 30
 reload_on_plugin_change = False
 
 # Secret key used to run your flask app
-# It should be as random as possible
+# If default value is given ("temporary_key"), a random secret_key will be generated
+# when you launch your webserver for security reason
 secret_key = temporary_key
 
 # Number of workers to run the Gunicorn web server
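Review bot: The new comment on lines 51-52 promises a random key "for security reason" but does not say what that costs the operator: the key is generated per webserver process, so it changes on every restart, and with the Gunicorn worker count configured just below, each worker most likely ends up with a different key, so a session cookie signed by one worker is rejected by another and users get logged out unpredictably. Whether workers share the key depends on whether the app is created before Gunicorn forks, which is not visible here, but the safe advice is the same either way. I would replace the two added lines with `# If the default value ("temporary_key") is left in place, a random key is generated per webserver process: sessions will not survive a restart and are not shared across Gunicorn workers or hosts. Set a long random value (e.g. openssl rand -hex 32) for any real deployment.`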
diff --git a/airflow/www_rbac/app.py b/airflow/www_rbac/app.py
index a2ebf7b..2e653a2 100644
--- a/airflow/www_rbac/app.py
+++ b/airflow/www_rbac/app.py
@@ -19,6 +19,7 @@
 #
 import logging
 import socket
+import os
 from datetime import timedelta
 from typing import Any
 
@@ -63,6 +64,11 @@ def create_app(config=None, session=None, testing=False, app_name="Airflow"):
     app.secret_key = conf.get('webserver', 'SECRET_KEY')
     app.config['PERMANENT_SESSION_LIFETIME'] = timedelta(minutes=settings.get_session_lifetime_config())
 
+    if conf.get('webserver', 'SECRET_KEY') == "temporary_key":
+        app.secret_key = os.urandom(16)
+    else:
+        app.secret_key = conf.get('webserver', 'SECRET_KEY')
+
     app.config.from_pyfile(settings.WEBSERVER_CONFIG, silent=True)
     app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
     app.config['APP_NAME'] = app_name
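Review bot: Line 69 still assigns `app.secret_key` from the config before the new block on lines 72-75 overwrites it, so the first assignment is dead and the setting is read twice; read it once into a local and assign at the end. More importantly, `os.urandom(16)` is drawn per process: every restart and, unless the app is built once before Gunicorn forks (not visible here), every worker gets a different key, so session cookies signed by one worker fail validation in another and the fallback silently breaks logins in multi-worker deployments. The fallback should at least log a warning so operators know they are running on an ephemeral key, and note that the sentinel only catches the literal "temporary_key"; an empty string or any other placeholder is accepted as-is. create_app continues past the end of the hunk.
```python
    secret_key = conf.get('webserver', 'SECRET_KEY')
    if secret_key == "temporary_key":
        # Ephemeral, per-process key: sessions will not survive restarts
        # and are not shared across Gunicorn workers or hosts.
        logging.getLogger(__name__).warning(
            "webserver.secret_key is the default 'temporary_key'; generating an "
            "ephemeral random key. Set an explicit value for production deployments.")
        secret_key = os.urandom(16)
    app.secret_key = secret_key
    # … unchanged: PERMANENT_SESSION_LIFETIME and the rest of create_app …
```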