You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@airflow.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2018/12/18 14:04:00 UTC
[jira] [Commented] (AIRFLOW-2899) Sensitive data exposed when
Exporting Variables
[ https://issues.apache.org/jira/browse/AIRFLOW-2899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16724092#comment-16724092 ]
ASF GitHub Bot commented on AIRFLOW-2899:
-----------------------------------------
stale[bot] closed pull request #3748: [AIRFLOW-2899] Hide sensitive data when Exporting Variables
URL: https://github.com/apache/incubator-airflow/pull/3748
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git a/airflow/www/views.py b/airflow/www/views.py
index 0c0dcff801..9051c0d793 100644
--- a/airflow/www/views.py
+++ b/airflow/www/views.py
@@ -2566,10 +2566,13 @@ def action_varexport(self, ids, session=None):
d = json.JSONDecoder()
for var in qry:
val = None
- try:
- val = d.decode(var.val)
- except Exception:
- val = var.val
+ if wwwutils.should_hide_value_for_key(var):
+ val = '*' * 8
+ else:
+ try:
+ val = d.decode(var.val)
+ except Exception:
+ val = var.val
var_dict[var.key] = val
response = make_response(json.dumps(var_dict, sort_keys=True, indent=4))
diff --git a/airflow/www_rbac/views.py b/airflow/www_rbac/views.py
index 629f488fc7..b6dc5eb56a 100644
--- a/airflow/www_rbac/views.py
+++ b/airflow/www_rbac/views.py
@@ -2030,10 +2030,13 @@ def action_varexport(self, items):
var_dict = {}
d = json.JSONDecoder()
for var in items:
- try:
- val = d.decode(var.val)
- except Exception:
- val = var.val
+ if wwwutils.should_hide_value_for_key(var):
+ val = '*' * 8
+ else:
+ try:
+ val = d.decode(var.val)
+ except Exception:
+ val = var.val
var_dict[var.key] = val
response = make_response(json.dumps(var_dict, sort_keys=True, indent=4))
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
> Sensitive data exposed when Exporting Variables
> -----------------------------------------------
>
> Key: AIRFLOW-2899
> URL: https://issues.apache.org/jira/browse/AIRFLOW-2899
> Project: Apache Airflow
> Issue Type: Task
> Components: security
> Affects Versions: 1.8.2, 1.9.0, 1.10.0
> Reporter: Kaxil Naik
> Assignee: Kaxil Naik
> Priority: Major
> Fix For: 2.0.0
>
> Attachments: image-2018-08-14-15-39-17-680.png
>
>
> Currently, the sensitive variable is hidden from being exposed in the Web UI. However, if the UI is compromised, someone can export variables where all the sensitive variables are exported in plain text format.
> !image-2018-08-14-15-39-17-680.png!
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)