[
https://issues.apache.org/jira/browse/AIRFLOW-2283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16605508#comment-16605508
]
Ravi Kotecha commented on AIRFLOW-2283:
---------------------------------------
this is fundamentally how Airflow works, apart from document this; I'm not sure
what else we can do?
> Multi-Tenant security vulnerability
> -----------------------------------
>
> Key: AIRFLOW-2283
> URL: https://issues.apache.org/jira/browse/AIRFLOW-2283
> Project: Apache Airflow
> Issue Type: Bug
> Components: models, scheduler, security, webserver
> Affects Versions: 1.8.0
> Environment: Any/All
> Reporter: Garrett Summers
> Priority: Major
> Labels: security
> Original Estimate: 168h
> Remaining Estimate: 168h
>
> We noticed what we think to be a potential security vulnerability when
> importing dag files in the following line:
> {{m = imp.load_source(mod_name, filepath)}}
> This line in the DagBag.process_file code imports the dag files available,
> but this causes all of the code in the file to actually execute (which could
> be any arbitrary code). If the dags for different tenants are being stored in
> a common dag structure (even though the are filtered for the different
> tenants) then the arbitrary code execution would make it possible for one
> tenant to access/modify the dags of other tenants. This would be a major
> problem for users who utilize the multi-tenant functionality in Airflow.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
