
Commit 7f2b065

authored
Sanitize url_for arguments before they are passed (apache#29039)
The url_for of flask has special arguments that start with `_` and we should sanitize the ones that come with the request before passing them.
1 parent 26b16c9 commit 7f2b065


1 file changed

+22
-12
lines changed


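--- a/airflow/www/views.py
+++ b/airflow/www/views.py
@@ -154,6 +154,16 @@ def truncate_task_duration(task_duration):
 return int(task_duration) if task_duration > 10.0 else round(task_duration, 3)
 
 
+def sanitize_args(args: dict[str, str]) -> dict[str, str]:
+"""
+Remove all parameters starting with `_`
+
+:param args: arguments of request
+:return: copy of the dictionary passed as input with args starting with `_` removed.
+"""
+return {key: value for key, value in args.items() if not key.startswith("_")}
+
+
 def get_safe_url(url):
 """Given a user-supplied URL, ensure it points to our web server"""
 if not url:
@@ -1169,7 +1179,7 @@ def last_dagruns(self, session=None):
 )
 def legacy_code(self):
 """Redirect from url param."""
-return redirect(url_for("Airflow.code", **request.args))
+return redirect(url_for("Airflow.code", **sanitize_args(request.args)))
 
 @expose("/dags/<string:dag_id>/code")
 @auth.has_access(
@@ -1216,7 +1226,7 @@ def code(self, dag_id, session=None):
 )
 def legacy_dag_details(self):
 """Redirect from url param."""
-return redirect(url_for("Airflow.dag_details", **request.args))
+return redirect(url_for("Airflow.dag_details", **sanitize_args(request.args)))
 
 @expose("/dags/<string:dag_id>/details")
 @auth.has_access(
@@ -2628,7 +2638,7 @@ def success(self):
 @action_logging
 def dag(self, dag_id):
 """Redirect to default DAG view."""
-kwargs = {**request.args, "dag_id": dag_id}
+kwargs = {**sanitize_args(request.args), "dag_id": dag_id}
 return redirect(url_for("Airflow.grid", **kwargs))
 
 @expose("/legacy_tree")
@@ -2643,7 +2653,7 @@ def dag(self, dag_id):
 @action_logging
 def legacy_tree(self):
 """Redirect to the replacement - grid view."""
-return redirect(url_for("Airflow.grid", **request.args))
+return redirect(url_for("Airflow.grid", **sanitize_args(request.args)))
 
 @expose("/tree")
 @auth.has_access(
@@ -2657,7 +2667,7 @@ def legacy_tree(self):
 @action_logging
 def tree(self):
 """Redirect to the replacement - grid view. Kept for backwards compatibility."""
-return redirect(url_for("Airflow.grid", **request.args))
+return redirect(url_for("Airflow.grid", **sanitize_args(request.args)))
 
 @expose("/dags/<string:dag_id>/grid")
 @auth.has_access(
@@ -2736,7 +2746,7 @@ def grid(self, dag_id, session=None):
 @action_logging
 def legacy_calendar(self):
 """Redirect from url param."""
-return redirect(url_for("Airflow.calendar", **request.args))
+return redirect(url_for("Airflow.calendar", **sanitize_args(request.args)))
 
 @expose("/dags/<string:dag_id>/calendar")
 @auth.has_access(
@@ -2877,7 +2887,7 @@ def _convert_to_date(session, column):
 @action_logging
 def legacy_graph(self):
 """Redirect from url param."""
-return redirect(url_for("Airflow.graph", **request.args))
+return redirect(url_for("Airflow.graph", **sanitize_args(request.args)))
 
 @expose("/dags/<string:dag_id>/graph")
 @auth.has_access(
@@ -2994,7 +3004,7 @@ class GraphForm(DateTimeWithNumRunsWithDagRunsForm):
 @action_logging
 def legacy_duration(self):
 """Redirect from url param."""
-return redirect(url_for("Airflow.duration", **request.args))
+return redirect(url_for("Airflow.duration", **sanitize_args(request.args)))
 
 @expose("/dags/<string:dag_id>/duration")
 @auth.has_access(
@@ -3155,7 +3165,7 @@ def duration(self, dag_id, session=None):
 @action_logging
 def legacy_tries(self):
 """Redirect from url param."""
-return redirect(url_for("Airflow.tries", **request.args))
+return redirect(url_for("Airflow.tries", **sanitize_args(request.args)))
 
 @expose("/dags/<string:dag_id>/tries")
 @auth.has_access(
@@ -3250,7 +3260,7 @@ def tries(self, dag_id, session=None):
 @action_logging
 def legacy_landing_times(self):
 """Redirect from url param."""
-return redirect(url_for("Airflow.landing_times", **request.args))
+return redirect(url_for("Airflow.landing_times", **sanitize_args(request.args)))
 
 @expose("/dags/<string:dag_id>/landing-times")
 @auth.has_access(
@@ -3372,7 +3382,7 @@ def paused(self):
 @action_logging
 def legacy_gantt(self):
 """Redirect from url param."""
-return redirect(url_for("Airflow.gantt", **request.args))
+return redirect(url_for("Airflow.gantt", **sanitize_args(request.args)))
 
 @expose("/dags/<string:dag_id>/gantt")
 @auth.has_access(
@@ -3820,7 +3830,7 @@ def robots(self):
 )
 def legacy_audit_log(self):
 """Redirect from url param."""
-return redirect(url_for("Airflow.audit_log", **request.args))
+return redirect(url_for("Airflow.audit_log", **sanitize_args(request.args)))
 
 @expose("/dags/<string:dag_id>/audit_log")
 @auth.has_access(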
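Review bot: `sanitize_args` in the first hunk drops only keys that start with `_`, which covers Flask's reserved `url_for` keywords (`_external`, `_scheme`, `_anchor`, `_method`) but not a request argument literally named `endpoint`, which still collides with `url_for`'s positional parameter and surfaces as an unhandled `TypeError` in each `legacy_*` redirect that spreads the result; consider `if not (key.startswith("_") or key == "endpoint")`. The docstring should also state that the caller passes `request.args`, a werkzeug `MultiDict` whose `.items()` yields only the first value per repeated key, so the returned `dict[str, str]` silently collapses duplicates, as the previous `**request.args` spread already did. The same sanitized spread is used in the later hunks (`legacy_dag_details`, `dag`, `legacy_tree`, `tree`, `legacy_calendar`, `legacy_graph`, `legacy_duration`, `legacy_tries`, `legacy_landing_times`, `legacy_gantt`, `legacy_audit_log`); any change to the filter set applies to all of them at once, and each of those methods belongs to a class whose header lies outside the hunks.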
