Skip to content

Commit

Permalink
Simplify origin string cleaning (#27143)
Browse files Browse the repository at this point in the history
(cherry picked from commit 68cb2da)
  • Loading branch information
jedcunningham authored and ephraimbuddy committed Oct 19, 2022
1 parent 2987801 commit 9fb4814
Show file tree
Hide file tree
Showing 3 changed files with 16 additions and 16 deletions.
20 changes: 7 additions & 13 deletions airflow/www/views.py
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@
from json import JSONDecodeError
from operator import itemgetter
from typing import Any, Callable
from urllib.parse import parse_qsl, unquote, urlencode, urlparse
from urllib.parse import unquote, urljoin, urlsplit

import configupdater
import flask.json
Expand Down Expand Up @@ -155,27 +155,21 @@ def truncate_task_duration(task_duration):

def get_safe_url(url):
"""Given a user-supplied URL, ensure it points to our web server"""
valid_schemes = ['http', 'https', '']
valid_netlocs = [request.host, '']

if not url:
return url_for('Airflow.index')

parsed = urlparse(url)

# If the url contains semicolon, redirect it to homepage to avoid
# potential XSS. (Similar to https://github.com/python/cpython/pull/24297/files (bpo-42967))
if ';' in unquote(url):
return url_for('Airflow.index')

query = parse_qsl(parsed.query, keep_blank_values=True)

url = parsed._replace(query=urlencode(query)).geturl()

if parsed.scheme in valid_schemes and parsed.netloc in valid_netlocs:
return url
host_url = urlsplit(request.host_url)
redirect_url = urlsplit(urljoin(request.host_url, url))
if not (redirect_url.scheme in ("http", "https") and host_url.netloc == redirect_url.netloc):
return url_for('Airflow.index')

return url_for('Airflow.index')
# This will ensure we only redirect to the right scheme/netloc
return redirect_url.geturl()


def get_date_time_num_runs_dag_runs_form_data(www_request, session, dag):
Expand Down
6 changes: 6 additions & 0 deletions tests/www/views/test_views.py
Original file line number Diff line number Diff line change
Expand Up @@ -167,7 +167,13 @@ def test_task_dag_id_equals_filter(admin_client, url, content):
"test_url, expected_url",
[
("", "/home"),
("javascript:alert(1)", "/home"),
(" javascript:alert(1)", "http://localhost:8080/ javascript:alert(1)"),
("http://google.com", "/home"),
("google.com", "http://localhost:8080/google.com"),
("\\/google.com", "http://localhost:8080/\\/google.com"),
("//google.com", "/home"),
("\\/\\/google.com", "http://localhost:8080/\\/\\/google.com"),
("36539'%3balert(1)%2f%2f166", "/home"),
(
"http://localhost:8080/trigger?dag_id=test&origin=36539%27%3balert(1)%2f%2f166&abc=2",
Expand Down
6 changes: 3 additions & 3 deletions tests/www/views/test_views_trigger_dag.py
Original file line number Diff line number Diff line change
Expand Up @@ -149,14 +149,14 @@ def test_trigger_dag_form(admin_client):
("36539'%3balert(1)%2f%2f166", "/home"),
(
'"><script>alert(99)</script><a href="',
"&#34;&gt;&lt;script&gt;alert(99)&lt;/script&gt;&lt;a href=&#34;",
"http://localhost/&#34;&gt;&lt;script&gt;alert(99)&lt;/script&gt;&lt;a href=&#34;",
),
(
"%2Ftree%3Fdag_id%3Dexample_bash_operator';alert(33)//",
"/home",
),
("%2Ftree%3Fdag_id%3Dexample_bash_operator", "/tree?dag_id=example_bash_operator"),
("%2Fgraph%3Fdag_id%3Dexample_bash_operator", "/graph?dag_id=example_bash_operator"),
("%2Ftree%3Fdag_id%3Dexample_bash_operator", "http://localhost/tree?dag_id=example_bash_operator"),
("%2Fgraph%3Fdag_id%3Dexample_bash_operator", "http://localhost/graph?dag_id=example_bash_operator"),
],
)
def test_trigger_dag_form_origin_url(admin_client, test_origin, expected_origin):
Expand Down

0 comments on commit 9fb4814

Please sign in to comment.