Posted to commits@airflow.apache.org by as...@apache.org on 2020/12/01 21:18:33 UTC
[airflow] 01/03: [AIRFLOW-2809] Fix security issue regarding Flask
SECRET_KEY
This is an automated email from the ASF dual-hosted git repository.
ash pushed a commit to branch v1-10-test
in repository https://gitbox.apache.org/repos/asf/airflow.git
commit 05f57b90ed76982de8953967e2cc8a5a5b03bf3b
Author: XD-DENG <xd...@hotmail.com>
AuthorDate: Sun Jul 29 11:57:46 2018 +0200
[AIRFLOW-2809] Fix security issue regarding Flask SECRET_KEY
It's recommended by the Flask community to use a random
SECRET_KEY for security reasons.
However, in Airflow there is a default value for
secret_key and most users will neglect to change
it.
This may be a security concern.
Closes #3651 from XD-DENG/patch-2
(cherry picked from commit dfa7b26ddaca80ee8fd9915ee9f6eac50fac77f6)
---
airflow/www/app.py | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/airflow/www/app.py b/airflow/www/app.py
index 58e82b9..2d463a2 100644
--- a/airflow/www/app.py
+++ b/airflow/www/app.py
@@ -19,6 +19,7 @@
#
import datetime
import logging
+import os
from typing import Any
import flask
@@ -49,6 +50,7 @@ log = logging.getLogger(__name__)
def create_app(config=None, testing=False):
+
app = Flask(__name__)
if conf.getboolean('webserver', 'ENABLE_PROXY_FIX'):
app.wsgi_app = ProxyFix(
@@ -64,6 +66,12 @@ def create_app(config=None, testing=False):
app.config['LOGIN_DISABLED'] = not conf.getboolean(
'webserver', 'AUTHENTICATE')
+ if configuration.conf.get('webserver', 'SECRET_KEY') == "temporary_key":
+ log.info("SECRET_KEY for Flask App is not specified. Using a random one.")
+ app.secret_key = os.urandom(16)
+ else:
+ app.secret_key = configuration.conf.get('webserver', 'SECRET_KEY')
+
app.config['SESSION_COOKIE_HTTPONLY'] = True
app.config['SESSION_COOKIE_SECURE'] = conf.getboolean('webserver', 'COOKIE_SECURE')
app.config['SESSION_COOKIE_SAMESITE'] = conf.get('webserver', 'COOKIE_SAMESITE')
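Review bot: The fallback on the `app.secret_key = os.urandom(16)` line is drawn once per `create_app` call, so a deployment running more than one webserver process, or one that restarts, signs session cookies with a different key per process and users are silently logged out or see CSRF failures; that consequence deserves `log.warning` rather than `log.info`, e.g. `log.warning("SECRET_KEY for Flask App is not specified. Using a random one; sessions will not survive a restart or span multiple worker processes.")`. The sentinel check also accepts an empty value as a real key; `if not secret_key or secret_key == "temporary_key":` (after reading the value once into `secret_key`) covers both cases. The new lines use `configuration.conf.get` while the surrounding lines use `conf.get`/`conf.getboolean`; presumably both name the same object, but using `conf` consistently would avoid the second spelling and the dependency on `configuration` being in scope, which this hunk does not show. create_app begins and ends outside this hunk.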