Posted to commits@airflow.apache.org by cr...@apache.org on 2017/09/18 18:42:36 UTC

incubator-airflow git commit: [AIRFLOW-1617] Fix XSS vulnerability in Variable endpoint

Repository: incubator-airflow
Updated Branches:
  refs/heads/master 346968b92 -> 8f9bf94d8


[AIRFLOW-1617] Fix XSS vulnerability in Variable endpoint

When a Variable form was requested via a GET request and no template existed
for the requested form name, the name taken from the URL was reflected back to
the user unescaped in the HTML 404 body (a reflected XSS).

Closes #2611 from bolkedebruin/xss_fix


Project: http://git-wip-us.apache.org/repos/asf/incubator-airflow/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-airflow/commit/8f9bf94d
Tree: http://git-wip-us.apache.org/repos/asf/incubator-airflow/tree/8f9bf94d
Diff: http://git-wip-us.apache.org/repos/asf/incubator-airflow/diff/8f9bf94d

Branch: refs/heads/master
Commit: 8f9bf94d82abc59336e642db64e575cee0cc5df0
Parents: 346968b
Author: Bolke de Bruin <bo...@xs4all.nl>
Authored: Mon Sep 18 11:42:11 2017 -0700
Committer: Chris Riccomini <cr...@apache.org>
Committed: Mon Sep 18 11:42:18 2017 -0700

----------------------------------------------------------------------
 airflow/www/views.py    |  4 ++++
 tests/www/test_views.py | 11 +++++++++++
 2 files changed, 15 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/8f9bf94d/airflow/www/views.py
----------------------------------------------------------------------
diff --git a/airflow/www/views.py b/airflow/www/views.py
index 850db4a..829167f 100644
--- a/airflow/www/views.py
+++ b/airflow/www/views.py
@@ -47,6 +47,8 @@ from flask_login import flash
 from flask._compat import PY2
 
 from jinja2.sandbox import ImmutableSandboxedEnvironment
+from jinja2 import escape
+
 import markdown
 import nvd3
 
@@ -1760,6 +1762,8 @@ class Airflow(BaseView):
                     'airflow/variables/{}.html'.format(form)
                 )
         except:
+            # prevent XSS
+            form = escape(form)
             return ("Error: form airflow/variables/{}.html "
                     "not found.").format(form), 404
 
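Review bot: The bare `except:` on the line above the new `escape(form)` still catches every exception raised in the `try` body, so a template that exists but fails to render (a Jinja syntax error, or even a KeyboardInterrupt) is also reported as "form not found" with a 404, and the escaped-but-wrong message hides the real failure. Since the `try` body (which begins above the hunk) appears to render `airflow/variables/{}.html`, narrowing to `except TemplateNotFound:` (from `jinja2.exceptions`) keeps the new escaping for the genuine missing-template case and lets other errors surface normally. Escaping is the right fix for the reflection, but echoing user-controlled input into an HTML 404 body at all is unnecessary; a plain `abort(404)` or a message that omits `form` removes the sink rather than sanitising it. Validating `form` against a strict allowlist before it is used to build a template path, e.g. `if not re.match(r'^[\w-]+$', form): abort(404)`, would be a cheap extra line of defence independent of the escaping. The enclosing method starts outside the hunk.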

http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/8f9bf94d/tests/www/test_views.py
----------------------------------------------------------------------
diff --git a/tests/www/test_views.py b/tests/www/test_views.py
index f20dca1..9147b22 100644
--- a/tests/www/test_views.py
+++ b/tests/www/test_views.py
@@ -139,6 +139,17 @@ class TestVariableView(unittest.TestCase):
         self.assertIn('<span class="label label-danger">Invalid</span>',
                       response.data.decode('utf-8'))
 
+    def test_xss_prevention(self):
+        xss = "/admin/airflow/variables/asdf<img%20src=''%20onerror='alert(1);'>"
+
+        response = self.app.get(
+            xss,
+            follow_redirects=True,
+        )
+        self.assertEqual(response.status_code, 404)
+        self.assertNotIn("<img src='' onerror='alert(1);'>",
+                         response.data.decode("utf-8"))
+
 
 class TestKnownEventView(unittest.TestCase):