Posted to commits@airflow.apache.org by as...@apache.org on 2021/03/19 15:06:43 UTC
[airflow] 41/42: Fix tests for all urllib versions with only '&' as
separator (#14710)
This is an automated email from the ASF dual-hosted git repository.
ash pushed a commit to branch v2-0-test
in repository https://gitbox.apache.org/repos/asf/airflow.git
commit 9f33dfb809b90e00a2533fb2138bad8bdbdbfa2b
Author: Kaxil Naik <ka...@gmail.com>
AuthorDate: Thu Mar 11 01:39:28 2021 +0000
Fix tests for all urllib versions with only '&' as separator (#14710)
Turns out #14698 did not fix the issue as Master failed again. After
digging a bit more I found that the CVE was fixed in all
Python versions: 3.6.13, 3.7.10 & 3.8.8
The solution in this PR/commit checks the `parse_qsl` behavior with the following tests:
```
❯ docker run -it python:3.8-slim bash
root@41120dfd035e:/# python
Python 3.8.8 (default, Feb 19 2021, 18:07:06)
>>> from urllib.parse import parse_qsl
>>> parse_qsl(";a=b")
[(';a', 'b')]
>>>
```
```
❯ docker run -it python:3.8.7-slim bash
root@68e527725610:/# python
Python 3.8.7 (default, Feb 9 2021, 08:21:15)
>>> from urllib.parse import parse_qsl
>>> parse_qsl(";a=b")
[('a', 'b')]
>>>
```
(cherry picked from commit 7bd9d477dd7c59b8efb7183050de58bcfd6fdd43)
---
tests/www/test_views.py | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/tests/www/test_views.py b/tests/www/test_views.py
index d284314..ce4478c 100644
--- a/tests/www/test_views.py
+++ b/tests/www/test_views.py
@@ -32,7 +32,7 @@ from datetime import datetime as dt, timedelta
from typing import Any, Dict, Generator, List, NamedTuple
from unittest import mock
from unittest.mock import PropertyMock
-from urllib.parse import quote_plus
+from urllib.parse import parse_qsl, quote_plus
import jinja2
import pytest
@@ -2757,7 +2757,7 @@ class TestTriggerDag(TestBase):
("http://google.com", "/home"),
(
"%2Ftree%3Fdag_id%3Dexample_bash_operator';alert(33)//",
- "/tree?dag_id=example_bash_operator%27&alert%2833%29%2F%2F=",
+ "/tree?dag_id=example_bash_operator%27%3Balert%2833%29%2F%2F",
),
("%2Ftree%3Fdag_id%3Dexample_bash_operator", "/tree?dag_id=example_bash_operator"),
("%2Fgraph%3Fdag_id%3Dexample_bash_operator", "/graph?dag_id=example_bash_operator"),
@@ -2766,6 +2766,13 @@ class TestTriggerDag(TestBase):
def test_trigger_dag_form_origin_url(self, test_origin, expected_origin):
test_dag_id = "example_bash_operator"
+ # https://github.com/python/cpython/pull/24297/files
+ # Check if tests are running with a Python version containing the above fix
+ # where ";" is removed as a separator
+ if parse_qsl(";a=b") != [(';a', 'b')]:
+ expected_url = expected_origin.replace("%3B", "&")
+ expected_url += "="
+
resp = self.client.get(f'trigger?dag_id={test_dag_id}&origin={test_origin}')
self.check_content_in_response(
'<button type="button" class="btn" onclick="location.href = \'{}\'; return false">'.format(
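Review bot: `expected_url` is bound only inside the version check, while the value this test receives is the parameter `expected_origin`; the `.format(` call that follows runs past the hunk, so either it formats `expected_origin` and the adjustment is dead, or it formats `expected_url` and the name is unbound on an interpreter where the probe returns `[(';a', 'b')]`. Rebinding the parameter, `expected_origin = expected_origin.replace("%3B", "&") + "="`, avoids both outcomes. The `+= "="` is also applied to every parametrized case, including `"/home"` and the two cases with no `%3B`, so on an interpreter that still splits on `;` those cases would expect a trailing `=` that nothing produces; guarding with `if "%3B" in expected_origin:` limits the adjustment to the case that actually changes. The same unconditional `+= "="` appears in `test_get_safe_url` in the last hunk. The body of `test_trigger_dag_form_origin_url` continues outside the hunk.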
@@ -3298,7 +3305,7 @@ class TestHelperFunctions(TestBase):
(
"http://localhost:8080/trigger?dag_id=test_dag&origin=%2Ftree%3Fdag_id%test_dag';alert(33)//",
"http://localhost:8080/trigger?dag_id=test_dag&origin=%2Ftree%3F"
- "dag_id%25test_dag%27&alert%2833%29%2F%2F=",
+ "dag_id%25test_dag%27%3Balert%2833%29%2F%2F",
),
(
"http://localhost:8080/trigger?dag_id=test_dag&origin=%2Ftree%3Fdag_id%test_dag",
@@ -3308,6 +3315,13 @@ class TestHelperFunctions(TestBase):
)
@mock.patch("airflow.www.views.url_for")
def test_get_safe_url(self, test_url, expected_url, mock_url_for):
+ # https://github.com/python/cpython/pull/24297/files
+ # Check if tests are running with a Python version containing the above fix
+ # where ";" is removed as a separator
+ if parse_qsl(";a=b") != [(';a', 'b')]:
+ expected_url = expected_url.replace("%3B", "&")
+ expected_url += "="
+
mock_url_for.return_value = "/home"
with self.app.test_request_context(base_url="http://localhost:8080"):
assert get_safe_url(test_url) == expected_url
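Review bot: The three-line comment and the `parse_qsl(";a=b") != [(';a', 'b')]` probe are repeated verbatim from `test_trigger_dag_form_origin_url` earlier in this diff, and the probe's meaning is inverted relative to the comment ("containing the above fix" is the branch that is not taken). A single module-level constant next to the imports, such as `SEMICOLON_IS_QUERY_SEPARATOR = parse_qsl(";a=b") != [(';a', 'b')]`, with the cpython PR link on it once, would let both tests read `if SEMICOLON_IS_QUERY_SEPARATOR:` and make the direction of the check obvious. `test_get_safe_url` may continue past the last line of the hunk.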