
Fix security issue regarding Flask SECRET_KEY


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Fix Version: 2.0.0
    • Component: webserver

    Description

      Background

      Currently there is a configuration item secret_key in the configuration .cfg file, with the default value "temporary_key".

      Issue

      Most admins would ignore it and just use the default value "temporary_key". However, this may be very dangerous: a user may modify the cookie by trying the default SECRET_KEY if the admin didn't change it.

      The Flask documentation suggests having a SECRET_KEY that is as random as possible (http://flask.pocoo.org/docs/1.0/quickstart/).

      My Proposal

      If the admin explicitly specified the SECRET_KEY in the .cfg file, we use the SECRET_KEY given by the admin.

      If the default SECRET_KEY is not changed in the .cfg file, randomly generate a SECRET_KEY. Meanwhile, print an INFO message to remind that a randomly generated SECRET_KEY is being used.

      This solution will not affect user experience at all.
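      The proposal above, as an added illustration rather than the patch that was actually merged into Airflow: read the [webserver] secret_key from airflow.cfg-style text, keep an admin-supplied value, and replace the shipped default (or an empty value) with a key from the OS CSPRNG while logging at INFO. The section and option names follow airflow.cfg; the two sample configs are constructed for the example.

```python
import configparser
import logging
import secrets
from typing import Tuple

log = logging.getLogger(__name__)

# The default shipped in airflow.cfg that this issue is about.
DEFAULT_SECRET_KEY = "temporary_key"

# Constructed sample configs (not real deployments): one left at the default,
# one where the admin set an explicit key.
DEFAULT_CFG = "[webserver]\nsecret_key = temporary_key\n"
CUSTOM_CFG = "[webserver]\nsecret_key = c0ns7ruct3d-example-key\n"


def configured_secret_key(cfg_text: str) -> str:
    """Return [webserver] secret_key from airflow.cfg-style text ('' if unset)."""
    parser = configparser.ConfigParser()
    parser.read_string(cfg_text)
    return parser.get("webserver", "secret_key", fallback="")


def resolve_secret_key(configured: str) -> Tuple[str, bool]:
    """Pick the Flask SECRET_KEY the webserver should use.

    Returns (key, was_generated). An explicit admin value is used as-is;
    the shipped default or an empty value is replaced by 256 random bits,
    and an INFO line tells the operator that a generated key is in effect.
    """
    if configured and configured != DEFAULT_SECRET_KEY:
        return configured, False
    generated = secrets.token_hex(32)  # 32 bytes from the OS CSPRNG, hex-encoded
    log.info(
        "webserver secret_key is unset or still the default %r; "
        "using a randomly generated SECRET_KEY for this process",
        DEFAULT_SECRET_KEY,
    )
    return generated, True


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for cfg in (DEFAULT_CFG, CUSTOM_CFG):
        key, generated = resolve_secret_key(configured_secret_key(cfg))
        print("generated" if generated else "admin-supplied", len(key), "chars")
```

      A key generated at startup belongs to that process only, so sessions do not survive a restart and several webserver instances will not accept each other's cookies; deployments with more than one instance should set secret_key explicitly.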

          People

            Assignee: Xiaodong Deng (xddeng)
            Reporter: Xiaodong Deng (xddeng)