Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2020/04/14 23:47:51 UTC

[GitHub] [airflow] mik-laj edited a comment on issue #8279: Protect /rendered page from invalid DAG ids (#8171)

URL: https://github.com/apache/airflow/pull/8279#issuecomment-613732733
 
 
   I open the following page:
   ```
   http://localhost:28080/rendered?dag_id=example_bash_operator&task_id=runme_0&execution_date=2020-04-13T00%3A00%3A00%2B00%3A00
   ```
   I see the correct view.
   I add one letter to the task ID.
   ```
   http://localhost:28080/rendered?dag_id=example_bash_operator&task_id=runme_0D&execution_date=2020-04-13T00%3A00%3A00%2B00%3A00
   ```
   ![Screenshot 2020-04-15 at 01 26 50](https://user-images.githubusercontent.com/12058428/79283461-38c8fe00-7eb8-11ea-8fe0-0f142641c8e0.png)
   I see a mushroom. This should not happen in a mature application. A clear error message should appear.
   
   When I open the following address:
   ```
   http://localhost:28080/rendered?dag_id=example_bash_operator&task_id=runme_0&execution_date=2020-04-13T00%3A00%3A00%2B00%3A00DDDD
   ```
   I also see a mushroom.
   ![Screenshot 2020-04-15 at 01 29 02](https://user-images.githubusercontent.com/12058428/79283552-86de0180-7eb8-11ea-9f9c-e835869d20f0.png)
   This is a user-experience problem, but it is also a security problem. If we see similar messages, it means that we haven't verified enough input data. Data validation is the basic method of protecting against other serious attacks from the "Injection" family, e.g. SQL Injection. Input validation should happen as early as possible in the data flow, preferably as soon as the data is received from the client. However, we do not have any validation for many parameters.
   ![image](https://user-images.githubusercontent.com/12058428/79283676-d58b9b80-7eb8-11ea-8514-c3abd89e3416.png)
   
   More information:
   https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
   
   
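Editor's added example, illustrating the "validate as early as possible" point made in the comment above. This is not Airflow's code and not part of the linked pull request: it parses the query string of a `/rendered`-style URL, checks `dag_id` and `task_id` against a hypothetical allow-list pattern, parses `execution_date` as ISO 8601, and maps bad input to a clear 400 instead of an unhandled exception. The `ID_PATTERN` character class, the `KNOWN_TASKS` table standing in for a DAG lookup, and the `render_response` helper are all assumptions made for the example.

```python
"""Added example (not Airflow's own code): validate /rendered query parameters
before any lookup happens, and turn bad input into a clear 4xx-style error.

Assumptions (hypothetical, not from the page): DAG and task ids are restricted
to the ID_PATTERN character class below, and execution_date must be an
ISO 8601 timestamp carrying a timezone offset.
"""
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Hypothetical allow-list for identifiers: letters, digits, '.', '_', '-',
# between 1 and 250 characters. Anything else is rejected up front.
ID_PATTERN = re.compile(r"[A-Za-z0-9._-]{1,250}")


class ValidationError(ValueError):
    """Rejected parameter; the message names the parameter and the reason."""

    def __init__(self, param: str, message: str) -> None:
        super().__init__(f"{param}: {message}")
        self.param = param


def validate_id(param: str, value: "str | None") -> str:
    """Return the id unchanged if it is present and matches ID_PATTERN."""
    if value is None:
        raise ValidationError(param, "missing")
    if not ID_PATTERN.fullmatch(value):
        raise ValidationError(param, "must match [A-Za-z0-9._-]{1,250}")
    return value


def validate_execution_date(value: "str | None") -> datetime:
    """Parse an ISO 8601 timestamp with offset and normalise it to UTC.

    Trailing garbage such as '...+00:00DDDD' makes fromisoformat raise
    ValueError, which becomes a ValidationError here rather than a 500.
    """
    if value is None:
        raise ValidationError("execution_date", "missing")
    try:
        parsed = datetime.fromisoformat(value)
    except ValueError:
        raise ValidationError("execution_date", "not an ISO 8601 timestamp") from None
    if parsed.tzinfo is None:
        raise ValidationError("execution_date", "timezone offset required")
    return parsed.astimezone(timezone.utc)


def validate_rendered_query(url: str) -> dict:
    """Decode the query string and validate every parameter the view relies on."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)

    def single(name: str) -> "str | None":
        values = query.get(name, [])
        if len(values) > 1:
            raise ValidationError(name, "given more than once")
        return values[0] if values else None

    return {
        "dag_id": validate_id("dag_id", single("dag_id")),
        "task_id": validate_id("task_id", single("task_id")),
        "execution_date": validate_execution_date(single("execution_date")),
    }


# Constructed stand-in for a DAG/task lookup; a real view would consult the DagBag.
KNOWN_TASKS = {("example_bash_operator", "runme_0")}


def render_response(url: str) -> tuple:
    """Return (status, body) the way a view would: 400 for malformed input,
    404 for a well-formed but unknown dag/task, 200 otherwise."""
    try:
        params = validate_rendered_query(url)
    except ValidationError as exc:
        return 400, f"Bad request: {exc}"
    if (params["dag_id"], params["task_id"]) not in KNOWN_TASKS:
        return 404, f"Task {params['task_id']!r} not found in DAG {params['dag_id']!r}"
    when = params["execution_date"].isoformat()
    return 200, f"rendered {params['dag_id']}.{params['task_id']} at {when}"


if __name__ == "__main__":
    base = "http://localhost:28080/rendered?dag_id=example_bash_operator"
    for tail in (
        "&task_id=runme_0&execution_date=2020-04-13T00%3A00%3A00%2B00%3A00",
        "&task_id=runme_0D&execution_date=2020-04-13T00%3A00%3A00%2B00%3A00",
        "&task_id=runme_0&execution_date=2020-04-13T00%3A00%3A00%2B00%3A00DDDD",
    ):
        print(render_response(base + tail))
```

The three URLs in the `__main__` block are the ones from the comment: the first is accepted, the second is well-formed but names an unknown task (a 404 with a message), and the third fails timestamp parsing (a 400). Keeping the parse step separate from the lookup means the "unknown task" and "malformed input" cases get different, deliberate answers rather than the same stack trace.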

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services