[GitHub] [airflow] mik-laj commented on issue #8279: Protect /rendered page from invalid DAG ids (#8171)
mik-laj commented on issue #8279:
URL: https://github.com/apache/airflow/pull/8279#issuecomment-616686756

1. For DAG ID and Task ID, you could use `airflow.utils.helpers.validate_key`. For execution_date, I'm afraid there is no such function yet, but it should not be difficult to write it.
2. We should not put the whole view in a try-catch block, but you may use the try-catch code block somewhere. We should handle all the problems we can in the code. Exceptions to the screen should only be displayed if there is no other solution. In this case, we know another solution - we can display a clear error message and redirect to the home page.

This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
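
The approach suggested in the comment above, as an added example that is not part of the thread or of the Airflow code base: validate `dag_id`, `task_id` and `execution_date` as soon as the request arrives and collect readable error messages instead of letting an exception reach the screen. `check_key` is a hypothetical stand-in for `airflow.utils.helpers.validate_key` (its pattern and length limit are assumptions), and the URLs in the test are constructed.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Stand-in for airflow.utils.helpers.validate_key; the pattern and length
# limit are assumptions made for this example, not copied from Airflow.
KEY_RE = re.compile(r"^[A-Za-z0-9_.\-]+$")
MAX_KEY_LEN = 250


def check_key(name, value):
    """Return an error string for a bad DAG/task id, or None if it is fine."""
    if not value:
        return f"Missing parameter: {name}"
    if len(value) > MAX_KEY_LEN:
        return f"{name} is longer than {MAX_KEY_LEN} characters"
    if not KEY_RE.match(value):
        return f"{name} contains characters outside [A-Za-z0-9_.-]"
    return None


def check_execution_date(value):
    """Return (datetime, None) for an ISO 8601 value, else (None, error)."""
    try:
        return datetime.fromisoformat(value), None
    except ValueError:
        return None, "execution_date is not a valid ISO 8601 timestamp"


def validate_rendered_query(url):
    """Validate the query string of a /rendered request.

    Returns (params, errors). A view would show the errors and redirect to
    the home page when the list is non-empty, instead of raising.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)

    def first(key):
        return query.get(key, [""])[0]

    errors = [check_key(k, first(k)) for k in ("dag_id", "task_id")]
    when, date_error = check_execution_date(first("execution_date"))
    errors = [e for e in errors + [date_error] if e]
    if errors:
        return None, errors
    return {"dag_id": first("dag_id"), "task_id": first("task_id"),
            "execution_date": when}, []
```

Format checks like these only reject malformed input; an ID that is well-formed but does not exist still needs a lookup and its own error message.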
[GitHub] [airflow] mik-laj commented on issue #8279: Protect /rendered page from invalid DAG ids (#8171)
mik-laj commented on issue #8279: Protect /rendered page from invalid DAG ids (#8171)
URL: https://github.com/apache/airflow/pull/8279#issuecomment-613742808

We have not previously validated data (we have only validation provided by FAB) and we have to come up with good practices. You may have the impression that the scope of work has changed, but if we just don't start working, we don't know how to do something fully. Now I am convinced that this is an important task and we definitely should do it. Go ahead and ask if you have questions.
[GitHub] [airflow] mik-laj commented on issue #8279: Protect /rendered page from invalid DAG ids (#8171)
mik-laj commented on issue #8279: Protect /rendered page from invalid DAG ids (#8171)
URL: https://github.com/apache/airflow/pull/8279#issuecomment-613732733

I open the following page:

```
http://localhost:28080/rendered?dag_id=example_bash_operator_id=runme_0_date=2020-04-13T00%3A00%3A00%2B00%3A00
```

I see the correct view. I add one letter to the task ID.

```
http://localhost:28080/rendered?dag_id=example_bash_operator_id=runme_0D_date=2020-04-13T00%3A00%3A00%2B00%3A00
```

![Screenshot 2020-04-15 at 01 26 50](https://user-images.githubusercontent.com/12058428/79283461-38c8fe00-7eb8-11ea-8fe0-0f142641c8e0.png)

I see a mushroom. This should not happen in a mature application. A clear error message should appear. When I open the following address:

```
http://localhost:28080/rendered?dag_id=example_bash_operator_id=runme_0_date=2020-04-13T00%3A00%3A00%2B00%3A00
```

I also see a mushroom.

![Screenshot 2020-04-15 at 01 29 02](https://user-images.githubusercontent.com/12058428/79283552-86de0180-7eb8-11ea-9f9c-e835869d20f0.png)

This is a visual problem, but it is also a security problem. If we see similar messages, it means that we haven't verified enough input data. Data validation is the basic method of protecting against other serious attacks from the "Injection" family, e.g. SQL Injection. Input validation should happen as early as possible in the data flow, preferably as soon as the data is received from the client. However, we do not have any validation for many parameters.

![image](https://user-images.githubusercontent.com/12058428/79283676-d58b9b80-7eb8-11ea-8514-c3abd89e3416.png)

More information: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
[GitHub] [airflow] mik-laj commented on issue #8279: Protect /rendered page from invalid DAG ids (#8171)
mik-laj commented on issue #8279: Protect /rendered page from invalid DAG ids (#8171)
URL: https://github.com/apache/airflow/pull/8279#issuecomment-613103941

This is what I am looking for. Can you also check other input parameters for this view, i.e. ``task_id``, ``execution_date``? If you submit incorrect values to these parameters, you should see the appropriate error messages.