Security Headlines: Latest CVEs

CVE-2022-45402: Replace FAB url filtering function with Airflows by jedcunningham · Pull Request #27576 · apache/airflow

In Apache Airflow versions prior to 2.4.3, there was an open redirect in the webserver’s /login endpoint.

Tags: #web #apache #auth

This broke API unit tests, e.g. tests/api_connexion/test_auth.py::TestSessionAuth::test_success:

=================================== FAILURES ===================================
_________________________ TestSessionAuth.test_success _________________________

self = <tests.api_connexion.test_auth.TestSessionAuth object at 0x7f9d56d4fb10>

    def test_success(self):
        clear_db_pools()

>       admin_user = client_with_login(self.app, username="test", password="test")

tests/api_connexion/test_auth.py:143:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
tests/test_utils/www.py:27: in client_with_login
    resp = client.post("/login/", data=kwargs)
/usr/local/lib/python3.7/site-packages/werkzeug/test.py:1145: in post
    return self.open(*args, **kw)
/usr/local/lib/python3.7/site-packages/flask/testing.py:226: in open
    follow_redirects=follow_redirects,
/usr/local/lib/python3.7/site-packages/werkzeug/test.py:1094: in open
    response = self.run_wsgi_app(request.environ, buffered=buffered)
/usr/local/lib/python3.7/site-packages/werkzeug/test.py:961: in run_wsgi_app
    rv = run_wsgi_app(self.application, environ, buffered=buffered)
/usr/local/lib/python3.7/site-packages/werkzeug/test.py:1242: in run_wsgi_app
    app_rv = app(environ, start_response)
/usr/local/lib/python3.7/site-packages/flask/app.py:2548: in __call__
    return self.wsgi_app(environ, start_response)
/usr/local/lib/python3.7/site-packages/flask/app.py:2528: in wsgi_app
    response = self.handle_exception(e)
/usr/local/lib/python3.7/site-packages/flask/app.py:2525: in wsgi_app
    response = self.full_dispatch_request()
/usr/local/lib/python3.7/site-packages/flask/app.py:1822: in full_dispatch_request
    rv = self.handle_user_exception(e)
/usr/local/lib/python3.7/site-packages/flask/app.py:1820: in full_dispatch_request
    rv = self.dispatch_request()
/usr/local/lib/python3.7/site-packages/flask/app.py:1796: in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
/usr/local/lib/python3.7/site-packages/flask_appbuilder/security/views.py:524: in login
    return redirect(get_safe_redirect(next_url))
airflow/www/views.py:159: in get_safe_url
    return url_for('Airflow.index')
/usr/local/lib/python3.7/site-packages/flask/helpers.py:262: in url_for
    **values,
/usr/local/lib/python3.7/site-packages/flask/app.py:2031: in url_for
    return self.handle_url_build_error(error, endpoint, values)
/usr/local/lib/python3.7/site-packages/flask/app.py:2025: in url_for
    force_external=_external,
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

self = <werkzeug.routing.map.MapAdapter object at 0x7f9d54a88810>
endpoint = 'Airflow.index', values = {}, method = None, force_external = False
append_unknown = True, url_scheme = None
...
        rv = self._partial_build(endpoint, values, method, append_unknown)
        if rv is None:
>           raise BuildError(endpoint, values, method, self)
E           werkzeug.routing.exceptions.BuildError: Could not build url for endpoint 'Airflow.index'. Did you mean 'IndexView.index' instead?

/usr/local/lib/python3.7/site-packages/werkzeug/routing/map.py:917: BuildError

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda