From 97b2735d65e95c4633966667b6db3908540f3937 Mon Sep 17 00:00:00 2001 From: XD-DENG Date: Fri, 10 Aug 2018 09:45:01 +0800 Subject: [PATCH] [AIRFLOW-2884] Fix Flask SECRET_KEY security issue in www_rbac The same issue was fixed for /www previously in PR https://github.com/apache/incubator-airflow/pull/3651 (JIRA ticket 2809) --- airflow/config_templates/default_airflow.cfg | 2 ++ airflow/www_rbac/app.py | 6 +++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/airflow/config_templates/default_airflow.cfg b/airflow/config_templates/default_airflow.cfg index 9d240b8323868..b957d413551dd 100644 --- a/airflow/config_templates/default_airflow.cfg +++ b/airflow/config_templates/default_airflow.cfg @@ -250,6 +250,8 @@ worker_refresh_batch_size = 1 worker_refresh_interval = 30 # Secret key used to run your flask app +# If default value is given ("temporary_key"), a random secret_key will be generated +# when you launch your webserver for security reason secret_key = temporary_key # Number of workers to run the Gunicorn web server diff --git a/airflow/www_rbac/app.py b/airflow/www_rbac/app.py index 92e5c73881ddc..8d3400a66800b 100644 --- a/airflow/www_rbac/app.py +++ b/airflow/www_rbac/app.py @@ -19,6 +19,7 @@ # import socket import six +import os from flask import Flask from flask_appbuilder import AppBuilder, SQLA @@ -42,7 +43,10 @@ def create_app(config=None, session=None, testing=False, app_name="Airflow"): global app, appbuilder app = Flask(__name__) app.wsgi_app = ProxyFix(app.wsgi_app) - app.secret_key = conf.get('webserver', 'SECRET_KEY') + if conf.get('webserver', 'SECRET_KEY') == "temporary_key": + app.secret_key = os.urandom(16) + else: + app.secret_key = conf.get('webserver', 'SECRET_KEY') airflow_home_path = conf.get('core', 'AIRFLOW_HOME') webserver_config_path = airflow_home_path + '/webserver_config.py'
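Review bot: The two comment lines added above `secret_key = temporary_key` say a random key is generated "for security reason" but leave out the operational cost, which is what an operator reading the template needs: the key generated in create_app (app.py hunk of this same patch) exists only in the process that created it, so with more than one Gunicorn worker, or after the worker refresh this section configures, session cookies and CSRF tokens stop validating. I would reword the added lines to something like `# If left at the default "temporary_key", each webserver process generates its own random key at start-up; sessions and CSRF tokens will then not survive a restart or be shared between Gunicorn workers. Set a fixed, secret value in production.` The "for security reason" phrasing should also be dropped, since the random key is a fallback for a missing secret rather than a hardening step.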
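Review bot: The fallback `app.secret_key = os.urandom(16)` in create_app gives every process its own key, so when the webserver runs under Gunicorn with more than one worker (the config template in this same patch exposes the worker count and a worker_refresh_interval) session cookies and CSRF tokens signed by one worker are rejected by the next, and every worker refresh or restart logs all users out — unless the app object is built once before forking, which nothing in this hunk shows. The check also triggers only on the exact string "temporary_key", so an empty `secret_key` is handed straight to Flask, and `conf.get('webserver', 'SECRET_KEY')` is evaluated twice. I would read the setting once, treat empty as unset, keep the random key as an explicitly documented last resort, and emit a warning through the module's logger if it has one so operators know to set [webserver] secret_key. create_app continues past the end of the hunk.
```python
    app.wsgi_app = ProxyFix(app.wsgi_app)
    secret_key = conf.get('webserver', 'SECRET_KEY')
    if not secret_key or secret_key == "temporary_key":
        # Fallback for an unset/placeholder key. The random value lives only in
        # this process: each Gunicorn worker gets a different key, and a restart
        # or worker refresh invalidates every session and CSRF token. Deployments
        # should set [webserver] secret_key explicitly.
        secret_key = os.urandom(16)
    app.secret_key = secret_key
    # … unchanged: airflow_home_path / webserver_config_path …
```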