Posted to commits@airflow.apache.org by "Dan Davydov (JIRA)" <ji...@apache.org> on 2017/09/08 22:45:00 UTC

[jira] [Updated] (AIRFLOW-1584) Remove the insecure /headers endpoints

     [ https://issues.apache.org/jira/browse/AIRFLOW-1584?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dan Davydov updated AIRFLOW-1584:
---------------------------------
    Description: 
Impact: An XSS vulnerability on Airflow would be able to read a user's auth_proxy cookie, granting the attacker access to any other InternalAuth-gated application on Airbnb's network.

Target: The endpoint at https://airflow-main-proxy.d.musta.ch/admin/airflow/headers or https://airflow-precious.d.musta.ch/admin/airflow/headers

Description: The endpoint listed in the Target section returns the headers sent by the user's browser, including the Cookie header. Since this endpoint can be called by JavaScript on the Airflow domain, this allows JS running on Airflow to ignore the HTTPOnly directive that the auth_proxy (and potentially other) cookie sets. This means that malicious JavaScript can steal the auth_proxy cookie and use it to authenticate to other InternalAuth services.


This can be demonstrated by running the following JavaScript snippet in any Airflow tab:
{code:javascript}
$.get("/admin/airflow/headers", function(data) {alert(data['headers']['Cookie']);})
{code}


Remediation: Disable this endpoint entirely. If some of the headers are important they can be added to the gunicorn request log format.

  was:
Impact: An XSS vulnerability on Airflow would be able to read a user's auth_proxy cookie, granting the attacker access to any other InternalAuth-gated application on Airbnb's network.

Target: The endpoint at https://airflow-main-proxy.d.musta.ch/admin/airflow/headers or https://airflow-precious.d.musta.ch/admin/airflow/headers

Description: The endpoint listed in the Target section returns the headers sent by the user's browser, including the Cookie header. Since this endpoint can be called by JavaScript on the Airflow domain, this allows JS running on Airflow to ignore the HTTPOnly directive that the auth_proxy (and potentially other) cookie sets. This means that malicious JavaScript can steal the auth_proxy cookie and use it to authenticate to other InternalAuth services.


{code:java}
This can be demonstrated by running the following JavaScript snippet in any Airflow tab:
$.get("/admin/airflow/headers", function(data) {alert(data['headers']['Cookie']);})
{code}


Remediation: Disable this endpoint entirely. If some of the headers are important they can be added to the gunicorn request log format.


> Remove the insecure /headers endpoints
> --------------------------------------
>
>                 Key: AIRFLOW-1584
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-1584
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: webserver
>            Reporter: Dan Davydov
>            Assignee: Dan Davydov
>
> Impact: An XSS vulnerability on Airflow would be able to read a user's auth_proxy cookie, granting the attacker access to any other InternalAuth-gated application on Airbnb's network.
> Target: The endpoint at https://airflow-main-proxy.d.musta.ch/admin/airflow/headers or https://airflow-precious.d.musta.ch/admin/airflow/headers
> Description: The endpoint listed in the Target section returns the headers sent by the user's browser, including the Cookie header. Since this endpoint can be called by JavaScript on the Airflow domain, this allows JS running on Airflow to ignore the HTTPOnly directive that the auth_proxy (and potentially other) cookie sets. This means that malicious JavaScript can steal the auth_proxy cookie and use it to authenticate to other InternalAuth services.
> This can be demonstrated by running the following JavaScript snippet in any Airflow tab:
> {code:javascript}
> $.get("/admin/airflow/headers", function(data) {alert(data['headers']['Cookie']);})
> {code}
> Remediation: Disable this endpoint entirely. If some of the headers are important they can be added to the gunicorn request log format.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
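The defect the ticket describes is a server-side debugging endpoint that echoes the browser's request headers, Cookie included, back as JSON that same-origin script can read, which makes the cookie's HttpOnly flag irrelevant. The following is an added example, not code from the Airflow project or from the ticket: a minimal standard-library WSGI handler that reproduces the pattern, next to the two remediations the ticket proposes (remove the endpoint; if headers are needed, keep them in server-side logs with credential-bearing headers stripped). The endpoint path, the `SENSITIVE_HEADERS` list and the constructed request environ are assumptions for illustration.

```python
"""Added example (not Airflow code): a header-echo endpoint and two hardened forms.

A WSGI app is used so the example runs with no framework installed; the same
logic applies to a Flask view that returns ``dict(request.headers)``.
"""
import json

# Headers that carry credentials or anti-CSRF material. Serving any of these
# back to the page hands them to whatever JavaScript runs there. The list is an
# assumption for this example; extend it for your own auth proxy's headers.
SENSITIVE_HEADERS = frozenset(
    {"COOKIE", "AUTHORIZATION", "PROXY-AUTHORIZATION", "X-CSRF-TOKEN"}
)


def request_headers(environ):
    """Rebuild the browser's request headers from a WSGI environ (HTTP_* keys)."""
    headers = {}
    for key, value in environ.items():
        if key.startswith("HTTP_"):
            headers[key[5:].replace("_", "-").title()] = value
        elif key in ("CONTENT_TYPE", "CONTENT_LENGTH"):
            headers[key.replace("_", "-").title()] = value
    return headers


def vulnerable_headers_app(environ, start_response):
    """The pattern from the ticket: echo every request header, Cookie included,
    as a JSON body that same-origin script can fetch and parse."""
    body = json.dumps({"headers": request_headers(environ)}).encode()
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Content-Length", str(len(body)))])
    return [body]


def hardened_headers_app(environ, start_response):
    """Remediation 1: the endpoint no longer exists, so there is nothing to read."""
    body = b"Not Found"
    start_response("404 Not Found", [("Content-Type", "text/plain"),
                                     ("Content-Length", str(len(body)))])
    return [body]


def redacted_headers(environ):
    """Remediation 2: if headers are useful for debugging, record them
    server-side (e.g. in the access log) with credential headers removed,
    rather than serving them to the browser."""
    return {name: value for name, value in request_headers(environ).items()
            if name.upper() not in SENSITIVE_HEADERS}


def call(app, environ):
    """Invoke a WSGI app directly and return (status, header dict, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def cookie_exposed(app, environ):
    """True if a script fetching this endpoint could read the Cookie header."""
    status, _, body = call(app, environ)
    if not status.startswith("200"):
        return False
    try:
        return "Cookie" in json.loads(body).get("headers", {})
    except ValueError:
        return False


# Constructed request, standing in for what a browser sends on the Airflow
# origin. The cookie value and hostname are placeholders, not real data.
CONSTRUCTED_ENVIRON = {
    "REQUEST_METHOD": "GET",
    "PATH_INFO": "/admin/airflow/headers",
    "HTTP_HOST": "airflow.example.invalid",
    "HTTP_COOKIE": "auth_proxy=CONSTRUCTED_SESSION_VALUE; theme=dark",
    "HTTP_USER_AGENT": "constructed-agent/1.0",
}

if __name__ == "__main__":
    print("vulnerable exposes cookie:", cookie_exposed(vulnerable_headers_app, CONSTRUCTED_ENVIRON))
    print("hardened exposes cookie:  ", cookie_exposed(hardened_headers_app, CONSTRUCTED_ENVIRON))
    print("what the log would keep:  ", redacted_headers(CONSTRUCTED_ENVIRON))
```

`cookie_exposed` is the check to run against any debug or diagnostics route: if a 200 response body contains the request's Cookie header, the route is an HttpOnly bypass for anyone who can run script on that origin. For the logging route, gunicorn's `access_log_format` can include an individual request header with `%({Name}i)s`, which keeps the data in server logs rather than in a response body.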