Posted to commits@airflow.apache.org by cr...@apache.org on 2017/09/18 18:42:36 UTC
incubator-airflow git commit: [AIRFLOW-1617] Fix XSS vulnerability in
Variable endpoint
Repository: incubator-airflow
Updated Branches:
refs/heads/master 346968b92 -> 8f9bf94d8
[AIRFLOW-1617] Fix XSS vulnerability in Variable endpoint
If a Variable form was requested with a GET request and no template of
that name existed, the user-supplied input was returned to the user
unescaped.
Closes #2611 from bolkedebruin/xss_fix
Project: http://git-wip-us.apache.org/repos/asf/incubator-airflow/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-airflow/commit/8f9bf94d
Tree: http://git-wip-us.apache.org/repos/asf/incubator-airflow/tree/8f9bf94d
Diff: http://git-wip-us.apache.org/repos/asf/incubator-airflow/diff/8f9bf94d
Branch: refs/heads/master
Commit: 8f9bf94d82abc59336e642db64e575cee0cc5df0
Parents: 346968b
Author: Bolke de Bruin <bo...@xs4all.nl>
Authored: Mon Sep 18 11:42:11 2017 -0700
Committer: Chris Riccomini <cr...@apache.org>
Committed: Mon Sep 18 11:42:18 2017 -0700
----------------------------------------------------------------------
airflow/www/views.py | 4 ++++
tests/www/test_views.py | 11 +++++++++++
2 files changed, 15 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/8f9bf94d/airflow/www/views.py
----------------------------------------------------------------------
diff --git a/airflow/www/views.py b/airflow/www/views.py
index 850db4a..829167f 100644
--- a/airflow/www/views.py
+++ b/airflow/www/views.py
@@ -47,6 +47,8 @@ from flask_login import flash
from flask._compat import PY2
from jinja2.sandbox import ImmutableSandboxedEnvironment
+from jinja2 import escape
+
import markdown
import nvd3
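Review bot: `from jinja2 import escape` depends on Jinja2 re-exporting MarkupSafe's helper rather than on a Jinja2 API of its own; to my knowledge later Jinja2 releases dropped that alias, so `from markupsafe import escape` (MarkupSafe is a hard dependency of Jinja2, so no new requirement) is the import that keeps working across upgrades. `flask.escape` was the same function at the time and would also avoid reaching into jinja2 for it. Either way the behaviour of the fix is unchanged.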
@@ -1760,6 +1762,8 @@ class Airflow(BaseView):
'airflow/variables/{}.html'.format(form)
)
except:
+ # prevent XSS
+ form = escape(form)
return ("Error: form airflow/variables/{}.html "
"not found.").format(form), 404
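Review bot: The bare `except:` above the new `escape(form)` still converts every failure inside `render_template` — a `TemplateSyntaxError` or `UndefinedError` in an existing `airflow/variables/*.html`, even a `KeyboardInterrupt` — into a "not found" 404 that reflects the user-supplied path segment, so the escaping is correct but the handler reports the wrong error for anything other than a missing template. I would narrow it to the failure the message actually describes, `except TemplateNotFound:` (imported from `jinja2` next to `escape`), and let other exceptions propagate to Flask's error handling. The escaping is needed because the `(body, 404)` tuple is served with Flask's default `text/html` mimetype, so `form` lands in an HTML text context; a comment stating that would stop the next maintainer from treating the escape as cosmetic, e.g. `# form comes from the URL path and this 404 body is served as text/html, so it must be HTML-escaped`. The enclosing view method starts before this hunk, so I cannot see how `form` is bound before the call.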
http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/8f9bf94d/tests/www/test_views.py
----------------------------------------------------------------------
diff --git a/tests/www/test_views.py b/tests/www/test_views.py
index f20dca1..9147b22 100644
--- a/tests/www/test_views.py
+++ b/tests/www/test_views.py
@@ -139,6 +139,17 @@ class TestVariableView(unittest.TestCase):
self.assertIn('<span class="label label-danger">Invalid</span>',
response.data.decode('utf-8'))
+ def test_xss_prevention(self):
+ xss = "/admin/airflow/variables/asdf<img%20src=''%20onerror='alert(1);'>"
+
+ response = self.app.get(
+ xss,
+ follow_redirects=True,
+ )
+ self.assertEqual(response.status_code, 404)
+ self.assertNotIn("<img src='' onerror='alert(1);'>",
+ response.data.decode("utf-8"))
+
class TestKnownEventView(unittest.TestCase):
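Review bot: `test_xss_prevention` only asserts that the raw payload is absent, so it would also pass if the handler stopped reflecting `form` at all or returned an entirely different 404 body; to pin the intended behaviour it should additionally assert that the escaped form is what comes back, e.g. `self.assertIn("&lt;img src=&#39;&#39; onerror=&#39;alert(1);&#39;&gt;", response.data.decode("utf-8"))`. The request path encodes the space as `%20` while the `assertNotIn` string uses a literal space; that matches what the server reflects after URL-decoding, but a short comment such as `# %20 is decoded to a space before the value is reflected` would spare the next reader the same verification.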