Posted to commits@airflow.apache.org by as...@apache.org on 2020/12/01 21:18:34 UTC
[airflow] 02/03: [AIRFLOW-2884] Fix Flask SECRET_KEY security issue
in www_rbac (#3729)
This is an automated email from the ASF dual-hosted git repository.
ash pushed a commit to branch v1-10-test
in repository https://gitbox.apache.org/repos/asf/airflow.git
commit 2d7d28a0d70909cdec336478c4658e42936ae61a
Author: Xiaodong <xd...@hotmail.com>
AuthorDate: Fri Aug 10 18:30:41 2018 +0800
[AIRFLOW-2884] Fix Flask SECRET_KEY security issue in www_rbac (#3729)
The same issue was fixed for /www previously in
PR https://github.com/apache/incubator-airflow/pull/3651
(JIRA ticket 2809)
(cherry picked from commit fe6d00a54f83468e296777d3b83b65a2ae7169ec)
---
airflow/config_templates/config.yml | 3 ++-
airflow/config_templates/default_airflow.cfg | 3 ++-
airflow/www_rbac/app.py | 6 ++++++
3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/airflow/config_templates/config.yml b/airflow/config_templates/config.yml
index 87ee928..7f0f714 100644
--- a/airflow/config_templates/config.yml
+++ b/airflow/config_templates/config.yml
@@ -737,7 +737,8 @@
- name: secret_key
description: |
Secret key used to run your flask app
- It should be as random as possible
+ If default value is given ("temporary_key"), a random secret_key will be generated
+ when you launch your webserver for security reason
version_added: ~
type: string
example: ~
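Review bot: The new description promises a random secret_key at launch but omits the operational consequence: the key differs on every launch and, presumably, in every Gunicorn worker process (the cfg hunk below shows the webserver is run under Gunicorn workers), so signed session cookies stop validating across restarts and workers. Suggest appending `Set an explicit random value for any multi-worker or production deployment.` after the second added line, and changing `for security reason` to `for security reasons`. The same wording is added to default_airflow.cfg in the next hunk and should carry the same caveat.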
diff --git a/airflow/config_templates/default_airflow.cfg b/airflow/config_templates/default_airflow.cfg
index 662fd00..765b1ce 100644
--- a/airflow/config_templates/default_airflow.cfg
+++ b/airflow/config_templates/default_airflow.cfg
@@ -362,7 +362,8 @@ worker_refresh_interval = 30
reload_on_plugin_change = False
# Secret key used to run your flask app
-# It should be as random as possible
+# If default value is given ("temporary_key"), a random secret_key will be generated
+# when you launch your webserver for security reason
secret_key = temporary_key
# Number of workers to run the Gunicorn web server
diff --git a/airflow/www_rbac/app.py b/airflow/www_rbac/app.py
index a2ebf7b..2e653a2 100644
--- a/airflow/www_rbac/app.py
+++ b/airflow/www_rbac/app.py
@@ -19,6 +19,7 @@
#
import logging
import socket
+import os
from datetime import timedelta
from typing import Any
@@ -63,6 +64,11 @@ def create_app(config=None, session=None, testing=False, app_name="Airflow"):
app.secret_key = conf.get('webserver', 'SECRET_KEY')
app.config['PERMANENT_SESSION_LIFETIME'] = timedelta(minutes=settings.get_session_lifetime_config())
+ if conf.get('webserver', 'SECRET_KEY') == "temporary_key":
+ app.secret_key = os.urandom(16)
+ else:
+ app.secret_key = conf.get('webserver', 'SECRET_KEY')
+
app.config.from_pyfile(settings.WEBSERVER_CONFIG, silent=True)
app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
app.config['APP_NAME'] = app_name
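Review bot: The first context line, `app.secret_key = conf.get('webserver', 'SECRET_KEY')`, is now dead because the added if/else unconditionally reassigns app.secret_key; drop it and read the setting once, e.g. `secret_key = conf.get('webserver', 'SECRET_KEY')` followed by `app.secret_key = os.urandom(16) if secret_key == "temporary_key" else secret_key`. More importantly, `os.urandom(16)` is drawn per process, so every restart and, presumably, every Gunicorn worker that builds its own app through create_app ends up with a different key, which invalidates existing session cookies and makes logins behind a multi-worker webserver unreliable. The generated key should be created once and persisted (for example written into the config when it is first generated) rather than drawn on each launch, and a warning should be logged when the default "temporary_key" is detected so operators notice. create_app continues outside the hunk.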