
Commit 5a42706

committed
Webserver: Sanitize string passed to origin param (apache#14738)
Follow-up of apache#12459 & apache#10334. Since https://github.com/python/cpython/pull/24297/files (bpo-42967) also removed ';' as a query argument separator, we remove query arguments with semicolons. (cherry picked from commit 409c249)
1 parent e5bc6a4 commit 5a42706


2 files changed

+19
-4
lines changed


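--- a/airflow/www/views.py
+++ b/airflow/www/views.py
@@ -121,8 +121,18 @@ def get_safe_url(url):
 
 parsed = urlparse(url)
 
+# If the url is relative & it contains semicolon, redirect it to homepage to avoid
+# potential XSS. (Similar to https://github.com/python/cpython/pull/24297/files (bpo-42967))
+if parsed.netloc == '' and parsed.scheme == '' and ';' in unquote(url):
+return url_for('Airflow.index')
+
 query = parse_qsl(parsed.query, keep_blank_values=True)
-url = parsed._replace(query=urlencode(query)).geturl()
+
+# Remove all the query elements containing semicolon
+# As part of https://github.com/python/cpython/pull/24297/files (bpo-42967)
+# semicolon was already removed as a separator for query arguments by default
+sanitized_query = [query_arg for query_arg in query if ';' not in query_arg[1]]
+url = parsed._replace(query=urlencode(sanitized_query)).geturl()
 
 if parsed.scheme in valid_schemes and parsed.netloc in valid_netlocs:
 return url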
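Review bot: The semicolon filter on the new `sanitized_query` line inspects only the value, `query_arg[1]`, so a parameter whose key contains a semicolon is kept and passed on to urlencode, which does not match the comment "Remove all the query elements containing semicolon" directly above it. Checking both halves keeps the comment and the code in agreement: `sanitized_query = [(k, v) for k, v in query if ';' not in k and ';' not in v]`. The relative-URL guard tests `unquote(url)` while the query filter tests the values parse_qsl has already decoded, which deserves a one-line comment so the two decode steps are not mistaken for a double decode of the same text. get_safe_url continues outside the hunk, so what it returns when neither branch matches is not visible here.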

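--- a/tests/www/test_views.py
+++ b/tests/www/test_views.py
@@ -2749,9 +2749,10 @@ def test_trigger_dag_form(self):
 [
 ("javascript:alert(1)", "/home"),
 ("http://google.com", "/home"),
+("36539'%3balert(1)%2f%2f166", "/home"),
 (
 "%2Ftree%3Fdag_id%3Dexample_bash_operator';alert(33)//",
-"/tree?dag_id=example_bash_operator%27&alert%2833%29%2F%2F=",
+"/home",
 ),
 ("%2Ftree%3Fdag_id%3Dexample_bash_operator", "/tree?dag_id=example_bash_operator"),
 ("%2Fgraph%3Fdag_id%3Dexample_bash_operator", "/graph?dag_id=example_bash_operator"),
@@ -3289,10 +3290,14 @@ class TestHelperFunctions(TestBase):
 [
 ("", "/home"),
 ("http://google.com", "/home"),
+("36539'%3balert(1)%2f%2f166", "/home"),
+(
+"http://localhost:8080/trigger?dag_id=test&origin=36539%27%3balert(1)%2f%2f166&abc=2",
+"http://localhost:8080/trigger?dag_id=test&abc=2",
+),
 (
 "http://localhost:8080/trigger?dag_id=test_dag&origin=%2Ftree%3Fdag_id%test_dag';alert(33)//",
-"http://localhost:8080/trigger?dag_id=test_dag&origin=%2Ftree%3F"
-"dag_id%25test_dag%27&alert%2833%29%2F%2F=",
+"http://localhost:8080/trigger?dag_id=test_dag",
 ),
 (
 "http://localhost:8080/trigger?dag_id=test_dag&origin=%2Ftree%3Fdag_id%test_dag",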
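Review bot: Every new parametrize case in the second hunk places the semicolon inside a query value (`origin=36539%27%3balert(1)%2f%2f166`), so nothing pins how get_safe_url treats a semicolon inside a query key, which the view filters by value alone. One constructed case such as `("http://localhost:8080/trigger?dag_id=test&a%3bb=1", <EXPECTED_URL>)` would document the intended result either way and catch a later change to that filter. The parametrize lists in both hunks open and close outside the hunk.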
