Headline
CVE-2023-42780: Fix dag warning endpoint permissions by hussein-awala · Pull Request #34355 · apache/airflow
Apache Airflow, versions prior to 2.7.2, contains a security vulnerability that allows authenticated users of Airflow to list warnings for all DAGs, even if the user had no permission to see those DAGs. It would reveal the dag_ids and the stack-traces of import errors for those DAGs with import errors. Users of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability.
I thought about using IN (list of accessible dags), but after some search, it looks like IN has limits in the different engines:
MySQL:
- The maximum number of values in an IN list is determined by the value of the max_allowed_packet server variable. This variable specifies the maximum size of a single packet or any generated/intermediate string.
- In practical terms, you can typically have several thousand values in an IN list.
PostgreSQL:
- There is no strict limit on the number of values you can use in an IN list. However, very long lists may be subject to performance issues.
SQLite:
- The maximum number of parameters in an IN clause is determined by the maximum number of host parameters in a single SQL statement, which is typically limited to several hundred.
SQL Server:
- The maximum number of values in an IN list is determined by the maximum number of expressions that can be included in a list (which is 65,536).
Oracle:
- The maximum number of expressions in an IN list is 1,000.
I will try to find a way to join the table with the dag table.
Related news
Apache Airflow, versions prior to 2.7.2, contains a security vulnerability that allows authenticated users of Airflow to list warnings for all DAGs, even if the user had no permission to see those DAGs. It would reveal the dag_ids and the stack-traces of import errors for those DAGs with import errors. Users of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability.