
Commit b3711ff

XD-DENG authored and kaxil committed
[AIRFLOW-2884] Fix Flask SECRET_KEY security issue in www_rbac (apache#3729)
The same issue was fixed for /www previously in PR apache#3651 (JIRA ticket 2809) (cherry picked from commit fe6d00a) (cherry picked from commit a8900fa) (cherry picked from commit 5b08ec2c3b5b0e67dcdd176a5b3ecbd6f0318a6e)
1 parent 67de55e commit b3711ff

File tree: 3 files changed, +10 / -2 lines changed


airflow/config_templates/config.yml

Lines changed: 2 additions & 1 deletion
Original line | Diff line | Change
@@ -702,7 +702,8 @@
702702
- name: secret_key
703703
description: |
704704
Secret key used to run your flask app
705-
It should be as random as possible
705+
If default value is given ("temporary_key"), a random secret_key will be generated
706+
when you launch your webserver for security reason
706707
version_added: ~
707708
type: string
708709
example: ~
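Review bot: the new description (lines 705-706 of the hunk) states only that a random key is generated "for security reason" and omits the operational consequence an operator needs: a key generated at launch differs between restarts and between webserver processes, so existing login sessions are invalidated on restart and a multi-process deployment cannot validate cookies signed by another process. Suggest wording such as: `If the default value ("temporary_key") is left in place, a random secret_key is generated each time the webserver starts; set an explicit random value in production so sessions survive restarts and are shared across workers.` Also "for security reason" should read "for security reasons".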

airflow/config_templates/default_airflow.cfg

Lines changed: 2 additions & 1 deletion
@@ -341,7 +341,8 @@ worker_refresh_batch_size = 1
341341
worker_refresh_interval = 30
342342

343343
# Secret key used to run your flask app
344-
# It should be as random as possible
344+
# If default value is given ("temporary_key"), a random secret_key will be generated
345+
# when you launch your webserver for security reason
345346
secret_key = temporary_key
346347

347348
# Number of workers to run the Gunicorn web server
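Review bot: `secret_key = temporary_key` is kept as the shipped default, so the sentinel string itself is what triggers the per-launch random key; the comment above it should tell the operator to replace it and how to produce a suitable value, for example `python -c "import os; print(os.urandom(24).hex())"`, rather than only describing the fallback. Since this file also sets `worker_refresh_interval = 30` and the Gunicorn worker count just below, the comment should make clear that a per-launch key is not shared across those workers.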

airflow/www_rbac/app.py

Lines changed: 6 additions & 0 deletions
@@ -19,6 +19,7 @@
1919
#
2020
import logging
2121
import socket
22+
import os
2223
from datetime import timedelta
2324
from typing import Any
2425

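Review bot: `import os` is inserted between `import socket` and `from datetime import timedelta`, which breaks the alphabetical ordering of the stdlib imports in this block; move it above `import socket`.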
@@ -61,6 +62,11 @@ def create_app(config=None, session=None, testing=False, app_name="Airflow"):
6162
session_lifetime_days = conf.getint('webserver', 'SESSION_LIFETIME_DAYS', fallback=30)
6263
app.config['PERMANENT_SESSION_LIFETIME'] = timedelta(days=session_lifetime_days)
6364

65+
if conf.get('webserver', 'SECRET_KEY') == "temporary_key":
66+
app.secret_key = os.urandom(16)
67+
else:
68+
app.secret_key = conf.get('webserver', 'SECRET_KEY')
69+
6470
app.config.from_pyfile(settings.WEBSERVER_CONFIG, silent=True)
6571
app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
6672
app.config['APP_NAME'] = app_name
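Review bot: `app.secret_key = os.urandom(16)` runs inside `create_app`, so every process that builds the app (each Gunicorn worker, and every restart) gets its own key; a session cookie signed by one worker fails validation in another, and users are logged out whenever workers are refreshed. At minimum, log a warning when this fallback branch is taken so operators know to set `secret_key`, read the setting once into a local instead of calling `conf.get('webserver', 'SECRET_KEY')` twice, and consider a longer key than 16 bytes. Note also that `app.config.from_pyfile(settings.WEBSERVER_CONFIG, silent=True)` on the following line can still override `SECRET_KEY` from `webserver_config.py`; if that precedence is intended it should be documented alongside the new config description.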
