[ https://issues.apache.org/jira/browse/AIRFLOW-2283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16605508#comment-16605508 ]
Ravi Kotecha commented on AIRFLOW-2283:
---------------------------------------

This is fundamentally how Airflow works. Apart from documenting this, I'm not sure what else we can do?

> Multi-Tenant security vulnerability
> -----------------------------------
>
> Key: AIRFLOW-2283
> URL: https://issues.apache.org/jira/browse/AIRFLOW-2283
> Project: Apache Airflow
> Issue Type: Bug
> Components: models, scheduler, security, webserver
> Affects Versions: 1.8.0
> Environment: Any/All
> Reporter: Garrett Summers
> Priority: Major
> Labels: security
> Original Estimate: 168h
> Remaining Estimate: 168h
>
> We noticed what we think to be a potential security vulnerability when
> importing dag files in the following line:
> {{m = imp.load_source(mod_name, filepath)}}
> This line in the DagBag.process_file code imports the dag files available,
> but this causes all of the code in the file to actually execute (which could
> be any arbitrary code). If the dags for different tenants are being stored in
> a common dag structure (even though they are filtered for the different
> tenants) then the arbitrary code execution would make it possible for one
> tenant to access/modify the dags of other tenants. This would be a major
> problem for users who utilize the multi-tenant functionality in Airflow.
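
The import-time execution described in the issue, as an added example that is not part of the original thread or Airflow's code: loading a constructed DAG file runs its top-level statements, while parsing it with `ast` lists the same calls for review without running anything. Assumptions: `importlib` stands in for `imp.load_source` (the `imp` module was removed in Python 3.12), and the file name, marker file and helper names are hypothetical.

```python
import ast
import importlib.util
import os
import tempfile

# Constructed sample DAG file: the top-level write stands in for arbitrary
# code and only creates a marker file next to itself.
SAMPLE_DAG = '''\
import os
marker = os.path.join(os.path.dirname(__file__), "executed.marker")
with open(marker, "w") as fh:
    fh.write("ran at import")
def build_dag():
    return os.path.basename(marker)  # inside a def: not run at import
'''

def load_like_dagbag(mod_name, filepath):
    """Import a file by path, as imp.load_source does: top-level code runs."""
    spec = importlib.util.spec_from_file_location(mod_name, filepath)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)
    return module

def import_time_calls(source):
    """Parse without executing; list (line, callee) for calls outside function bodies."""
    calls = []
    def visit(node):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)):
            return  # body runs only when called (decorators/defaults not covered)
        if isinstance(node, ast.Call):
            calls.append((node.lineno, ast.unparse(node.func)))
        for child in ast.iter_child_nodes(node):
            visit(child)
    visit(ast.parse(source))
    return sorted(calls)

def demo():
    with tempfile.TemporaryDirectory() as dag_folder:
        path = os.path.join(dag_folder, "tenant_b_dag.py")
        marker = os.path.join(dag_folder, "executed.marker")
        with open(path, "w") as fh:
            fh.write(SAMPLE_DAG)
        calls = import_time_calls(SAMPLE_DAG)    # static: nothing has run yet
        before = os.path.exists(marker)
        load_like_dagbag("tenant_b_dag", path)   # dynamic: the whole file runs
        after = os.path.exists(marker)
        return calls, before, after

if __name__ == "__main__":
    print(demo())
```

The call inventory is a review aid, not a sandbox: it shows what a DAG file would do at parse time in the scheduler or webserver process, which is where tenant isolation has to be enforced.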