Posted to commits@airflow.apache.org by pi...@apache.org on 2023/03/06 21:47:21 UTC
[airflow] 37/37: Sanitize url_for arguments before they are passed (#29039)
This is an automated email from the ASF dual-hosted git repository.
pierrejeambrun pushed a commit to branch v2-5-test
in repository https://gitbox.apache.org/repos/asf/airflow.git
commit 2ec4d063b663cef85dc51ea422dae8904dca66d3
Author: Jarek Potiuk <ja...@potiuk.com>
AuthorDate: Thu Jan 19 16:37:47 2023 +0100
Sanitize url_for arguments before they are passed (#29039)
Flask's url_for has special arguments that start with `_`, so we
should sanitize the ones that arrive with the request before passing them on.
(cherry picked from commit 7f2b065ccd01071cff8f298b944d81f3ff3384b5)
---
airflow/www/views.py | 34 ++++++++++++++++++++++------------
1 file changed, 22 insertions(+), 12 deletions(-)
diff --git a/airflow/www/views.py b/airflow/www/views.py
index 85e4f710cb..33d3997994 100644
--- a/airflow/www/views.py
+++ b/airflow/www/views.py
@@ -154,6 +154,16 @@ def truncate_task_duration(task_duration):
return int(task_duration) if task_duration > 10.0 else round(task_duration, 3)
+def sanitize_args(args: dict[str, str]) -> dict[str, str]:
+ """
+ Remove all parameters starting with `_`
+
+ :param args: arguments of request
+ :return: copy of the dictionary passed as input with args starting with `_` removed.
+ """
+ return {key: value for key, value in args.items() if not key.startswith("_")}
+
+
def get_safe_url(url):
"""Given a user-supplied URL, ensure it points to our web server"""
if not url:
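Review bot: sanitize_args is annotated `dict[str, str]`, but every caller in this commit passes `request.args`, a werkzeug MultiDict whose `.items()` yields only the first value for each key; annotating the parameter as `Mapping[str, str]` and stating that first-value behaviour would make the contract honest (it matches what `**request.args` did before, so no behaviour change). The docstring also omits the why behind the filter, which is what a future maintainer needs before relaxing it: Flask's url_for treats `_`-prefixed keys (`_external`, `_scheme`, `_anchor`, `_method`) as its own options, so a request-supplied one could steer the generated redirect; suggest adding `Flask's url_for interprets ``_``-prefixed keys as its own options, so request-supplied ones must not reach it.` to the docstring. Separately, a query key that happens to match url_for's positional parameter name (`endpoint`) would, if I read the Flask signature correctly, raise TypeError inside the call and surface as a 500 rather than a clean 400; if that matters, the filter could drop that key as well. get_safe_url starts inside this hunk but its body continues past it.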
@@ -1099,7 +1109,7 @@ class Airflow(AirflowBaseView):
)
def legacy_code(self):
"""Redirect from url param."""
- return redirect(url_for("Airflow.code", **request.args))
+ return redirect(url_for("Airflow.code", **sanitize_args(request.args)))
@expose("/dags/<string:dag_id>/code")
@auth.has_access(
@@ -1146,7 +1156,7 @@ class Airflow(AirflowBaseView):
)
def legacy_dag_details(self):
"""Redirect from url param."""
- return redirect(url_for("Airflow.dag_details", **request.args))
+ return redirect(url_for("Airflow.dag_details", **sanitize_args(request.args)))
@expose("/dags/<string:dag_id>/details")
@auth.has_access(
@@ -2538,7 +2548,7 @@ class Airflow(AirflowBaseView):
@action_logging
def dag(self, dag_id):
"""Redirect to default DAG view."""
- kwargs = {**request.args, "dag_id": dag_id}
+ kwargs = {**sanitize_args(request.args), "dag_id": dag_id}
return redirect(url_for("Airflow.grid", **kwargs))
@expose("/legacy_tree")
@@ -2553,7 +2563,7 @@ class Airflow(AirflowBaseView):
@action_logging
def legacy_tree(self):
"""Redirect to the replacement - grid view."""
- return redirect(url_for("Airflow.grid", **request.args))
+ return redirect(url_for("Airflow.grid", **sanitize_args(request.args)))
@expose("/tree")
@auth.has_access(
@@ -2567,7 +2577,7 @@ class Airflow(AirflowBaseView):
@action_logging
def tree(self):
"""Redirect to the replacement - grid view. Kept for backwards compatibility."""
- return redirect(url_for("Airflow.grid", **request.args))
+ return redirect(url_for("Airflow.grid", **sanitize_args(request.args)))
@expose("/dags/<string:dag_id>/grid")
@auth.has_access(
@@ -2646,7 +2656,7 @@ class Airflow(AirflowBaseView):
@action_logging
def legacy_calendar(self):
"""Redirect from url param."""
- return redirect(url_for("Airflow.calendar", **request.args))
+ return redirect(url_for("Airflow.calendar", **sanitize_args(request.args)))
@expose("/dags/<string:dag_id>/calendar")
@auth.has_access(
@@ -2787,7 +2797,7 @@ class Airflow(AirflowBaseView):
@action_logging
def legacy_graph(self):
"""Redirect from url param."""
- return redirect(url_for("Airflow.graph", **request.args))
+ return redirect(url_for("Airflow.graph", **sanitize_args(request.args)))
@expose("/dags/<string:dag_id>/graph")
@auth.has_access(
@@ -2904,7 +2914,7 @@ class Airflow(AirflowBaseView):
@action_logging
def legacy_duration(self):
"""Redirect from url param."""
- return redirect(url_for("Airflow.duration", **request.args))
+ return redirect(url_for("Airflow.duration", **sanitize_args(request.args)))
@expose("/dags/<string:dag_id>/duration")
@auth.has_access(
@@ -3065,7 +3075,7 @@ class Airflow(AirflowBaseView):
@action_logging
def legacy_tries(self):
"""Redirect from url param."""
- return redirect(url_for("Airflow.tries", **request.args))
+ return redirect(url_for("Airflow.tries", **sanitize_args(request.args)))
@expose("/dags/<string:dag_id>/tries")
@auth.has_access(
@@ -3160,7 +3170,7 @@ class Airflow(AirflowBaseView):
@action_logging
def legacy_landing_times(self):
"""Redirect from url param."""
- return redirect(url_for("Airflow.landing_times", **request.args))
+ return redirect(url_for("Airflow.landing_times", **sanitize_args(request.args)))
@expose("/dags/<string:dag_id>/landing-times")
@auth.has_access(
@@ -3282,7 +3292,7 @@ class Airflow(AirflowBaseView):
@action_logging
def legacy_gantt(self):
"""Redirect from url param."""
- return redirect(url_for("Airflow.gantt", **request.args))
+ return redirect(url_for("Airflow.gantt", **sanitize_args(request.args)))
@expose("/dags/<string:dag_id>/gantt")
@auth.has_access(
@@ -3730,7 +3740,7 @@ class Airflow(AirflowBaseView):
)
def legacy_audit_log(self):
"""Redirect from url param."""
- return redirect(url_for("Airflow.audit_log", **request.args))
+ return redirect(url_for("Airflow.audit_log", **sanitize_args(request.args)))
@expose("/dags/<string:dag_id>/audit_log")
@auth.has_access(