Posted to commits@airflow.apache.org by ar...@apache.org on 2017/03/14 18:38:58 UTC

[1/2] incubator-airflow git commit: [AIRFLOW-933] Replace eval with literal_eval to prevent RCE

Repository: incubator-airflow
Updated Branches:
  refs/heads/master ed03bb719 -> c44e2009e


[AIRFLOW-933] Replace eval with literal_eval to prevent RCE

Replace eval with a literal eval to help prevent arbitrary code
execution on the webserver host.


Project: http://git-wip-us.apache.org/repos/asf/incubator-airflow/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-airflow/commit/2bf52ab1
Tree: http://git-wip-us.apache.org/repos/asf/incubator-airflow/tree/2bf52ab1
Diff: http://git-wip-us.apache.org/repos/asf/incubator-airflow/diff/2bf52ab1

Branch: refs/heads/master
Commit: 2bf52ab16960f00cb9a98ba455d5851aabf6305f
Parents: ed03bb7
Author: Arthur Wiedmer <ar...@gmail.com>
Authored: Tue Mar 14 10:40:23 2017 -0700
Committer: Arthur Wiedmer <ar...@gmail.com>
Committed: Tue Mar 14 10:40:23 2017 -0700

----------------------------------------------------------------------
 airflow/www/views.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/2bf52ab1/airflow/www/views.py
----------------------------------------------------------------------
diff --git a/airflow/www/views.py b/airflow/www/views.py
index de33843..15735b4 100644
--- a/airflow/www/views.py
+++ b/airflow/www/views.py
@@ -15,6 +15,7 @@
 
 from past.builtins import basestring, unicode
 
+import ast
 import os
 import pkg_resources
 import socket
@@ -44,7 +45,6 @@ from flask._compat import PY2
 import jinja2
 import markdown
 import nvd3
-import ast
 
 from wtforms import (
     Form, SelectField, TextAreaField, PasswordField, StringField, validators)
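Review bot: together with the previous hunk this is a pure move of `import ast` from the third-party block (`jinja2`, `markdown`, `nvd3`) into the standard-library block; no new dependency is introduced, and the commit message could say so, since a reader checking the diff stat for the RCE fix will otherwise look for a functional change in these two hunks.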
@@ -231,8 +231,8 @@ def data_profiling_required(f):
     @wraps(f)
     def decorated_function(*args, **kwargs):
         if (
-                    current_app.config['LOGIN_DISABLED'] or
-                    (not current_user.is_anonymous() and current_user.data_profiling())
+            current_app.config['LOGIN_DISABLED'] or
+            (not current_user.is_anonymous() and current_user.data_profiling())
         ):
             return f(*args, **kwargs)
         else:
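Review bot: this hunk only reindents the continuation lines of the `if (` condition in `data_profiling_required` from twelve spaces to four; behaviour is unchanged. Unrelated style changes in a commit labelled as preventing RCE make the patch noisier to review and harder to cherry-pick onto release branches; keeping them in a separate commit would be cleaner.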
@@ -312,7 +312,7 @@ class Airflow(BaseView):
 
         # Processing templated fields
         try:
-            args = eval(chart.default_params)
+            args = ast.literal_eval(chart.default_params)
             if type(args) is not type(dict()):
                 raise AirflowException('Not a dict')
         except:
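Review bot: the bare `except:` after `args = ast.literal_eval(chart.default_params)` now hides the signal the fix introduces: literal_eval rejects names, calls and attribute access with ValueError (and unparsable text with SyntaxError), while a bare except also swallows KeyboardInterrupt and SystemExit. Narrow it to `except (ValueError, SyntaxError):` and report the rejection to the chart owner rather than silently falling through. Two smaller points: `if type(args) is not type(dict()):` reads more naturally as `if not isinstance(args, dict):`, and literal_eval can still exhaust the interpreter's stack on deeply nested input (the ast module documentation warns about this), so bound the length of `default_params` before parsing it.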

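The following is an added example, not code from the Airflow repository or from this commit. It reproduces the pattern the patch fixes (a chart's stored `default_params` string parsed into a dict) with `eval()` beside `ast.literal_eval()`, and adds the narrowed exception handling and input-size bound a reviewer would ask for. The function names, the 4096-character limit and all sample strings are assumptions constructed for this example; it targets Python 3.

```python
# Added example, not code from the Airflow repository: the pattern from
# airflow/www/views.py (a chart's stored default_params string parsed
# into a dict) shown with eval() beside ast.literal_eval(), plus the
# exception handling and size bound a reviewer would ask for.
# Python 3. All inputs below are constructed for this example.
import ast

# Records anything the "stored" parameters manage to execute.
SIDE_EFFECTS = []

# Constructed inputs. An attacker who can edit a chart row could store the
# second one; it does real work (imports os) and then yields a dict that
# looks like a valid result to the caller.
BENIGN_PARAMS = "{'limit': 100, 'dag_id': 'tutorial'}"
MALICIOUS_PARAMS = (
    "SIDE_EFFECTS.append(__import__('os').getpid()) or {'limit': 1}"
)
NESTED_PARAMS = '[' * 3000 + ']' * 3000   # 6000 chars, no names or calls


def parse_params_unsafe(text):
    """Before the fix: eval() compiles and runs text as an expression
    with this module's globals, so any Python reachable from here runs."""
    args = eval(text)
    if type(args) is not type(dict()):
        raise ValueError('Not a dict')
    return args


def parse_params_safe(text, max_len=4096):
    """After the fix. ast.literal_eval only constructs literals (strings,
    bytes, numbers, tuples, lists, dicts, sets, booleans, None); any name,
    attribute, call or boolean operator raises ValueError. Two additions
    over a plain swap (assumed here, not part of the commit):
      - catch only the exceptions literal_eval raises, not a bare except:
      - bound the input size, because the parser can still exhaust its
        stack on deeply nested input (noted in the ast module docs)."""
    if len(text) > max_len:
        raise ValueError('default_params longer than %d chars' % max_len)
    try:
        args = ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError('default_params is not a literal: %s' % exc)
    if not isinstance(args, dict):
        raise ValueError('Not a dict')
    return args


def _outcome(parser, text):
    """Return the parsed dict, or a 'rejected: ...' string on ValueError."""
    try:
        return parser(text)
    except ValueError as exc:
        return 'rejected: %s' % exc


def demo():
    """Run both parsers over the constructed inputs and return what each did."""
    del SIDE_EFFECTS[:]
    results = {
        'unsafe_benign': _outcome(parse_params_unsafe, BENIGN_PARAMS),
        # eval() runs the append() call (so os.getpid() executes) and
        # returns the dict after `or`; the caller cannot tell anything ran.
        'unsafe_malicious': _outcome(parse_params_unsafe, MALICIOUS_PARAMS),
        'safe_benign': _outcome(parse_params_safe, BENIGN_PARAMS),
        'safe_malicious': _outcome(parse_params_safe, MALICIOUS_PARAMS),
        'safe_nested': _outcome(parse_params_safe, NESTED_PARAMS),
    }
    results['code_ran_under_eval'] = len(SIDE_EFFECTS) == 1
    return results


if __name__ == '__main__':
    for key, value in demo().items():
        print('%-20s %r' % (key, value))
```

Running the block prints one line per case: both parsers accept the benign dict, `eval()` accepts the malicious string after executing its call, and `ast.literal_eval()` rejects it with a ValueError that the narrowed `except` turns into a clear message instead of silently swallowing. The nested-bracket input is rejected by the length check before the parser ever sees it.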

[2/2] incubator-airflow git commit: Merge pull request #2150 from artwr/artwr-fix_another_use_of_eval

Posted by ar...@apache.org.
Merge pull request #2150 from artwr/artwr-fix_another_use_of_eval


Project: http://git-wip-us.apache.org/repos/asf/incubator-airflow/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-airflow/commit/c44e2009
Tree: http://git-wip-us.apache.org/repos/asf/incubator-airflow/tree/c44e2009
Diff: http://git-wip-us.apache.org/repos/asf/incubator-airflow/diff/c44e2009

Branch: refs/heads/master
Commit: c44e2009ee625ce4a82c50e585a3c8617d9b4ff8
Parents: ed03bb7 2bf52ab
Author: Arthur Wiedmer <ar...@gmail.com>
Authored: Tue Mar 14 11:39:45 2017 -0700
Committer: Arthur Wiedmer <ar...@gmail.com>
Committed: Tue Mar 14 11:39:45 2017 -0700

----------------------------------------------------------------------
 airflow/www/views.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
----------------------------------------------------------------------