[bitnami/airflow] Airflow container errors out if any AIRFLOW_LDAP_ environment variable contains a single quote
#65217
Labels: airflow, solved, stale (15 days without activity), tech-issues (The user has a technical issue about an application)
Name and Version
bitnami/airflow:2 (currently 2.9.0-debian-12-r1)
What architecture are you using?
amd64
What steps will reproduce the bug?
Run the following commands:
This will fetch the current example docker-compose-ldap.yml from the bitnami/containers GitHub repository and override the AIRFLOW_LDAP_BIND_PASSWORD environment variable in the airflow service to adminpassword' (note the trailing single quote).

What is the expected behavior?
The airflow-1 container should come up successfully.

What do you see instead?
The airflow-1 container errors out immediately after the Starting Airflow stage, with the following Python traceback:

Additional information
This happens because the airflow_webserver_conf_set function in /opt/bitnami/scripts/libairflow.sh simply wraps the configuration values in single quotes without escaping any single quotes in the value when adding new values to webserver_config.py, as well as when updating existing values.

The issue can be partially mitigated by changing line 332 to

    is_boolean_yes "$is_literal" && new_value="'${value//"'"/\'}'"

and line 326 to

    is_boolean_yes "$is_literal" && entry="${key} = '${value//"'"/\'}'" || entry="${key} = ${value}"

This will escape all single quotes in "literal" values with a backslash. However, additional logic will also be needed to escape backslashes in values, and to handle non-"literal" configuration values, such as True & False (which would be considerably more complex).

A more bulletproof approach might instead be to append a minimal Python script to /opt/bitnami/airflow/webserver_config.py, which would deserialize configuration values as JSON from an environment variable or file, something like the following:

Then airflow_webserver_conf_set could be updated to serialize the provided configuration values to JSON using a tool such as jq, for example:

This would eliminate all issues with escaping configuration values, while still allowing users to pass literals such as True & False, as well as more complex values such as the dictionaries used by AIRFLOW_LDAP_ROLES_MAPPING. This would be a potentially-breaking change for users using AIRFLOW_LDAP_ROLES_MAPPING, since it would now be JSON instead of a Python dictionary literal. Additionally, care would have to be taken to ensure the existing configuration override behavior is maintained if an existing webserver_config.py is provided.

This affects all configuration values that are written using airflow_webserver_conf_set, namely:
AIRFLOW_LDAP_URI
AIRFLOW_LDAP_SEARCH
AIRFLOW_LDAP_UID_FIELD
AIRFLOW_LDAP_BIND_USER
AIRFLOW_LDAP_BIND_PASSWORD
AIRFLOW_LDAP_USER_REGISTRATION
AIRFLOW_LDAP_USER_REGISTRATION_ROLE
AIRFLOW_LDAP_ROLES_MAPPING
AIRFLOW_LDAP_ROLES_SYNC_AT_LOGIN
AIRFLOW_LDAP_ALLOW_SELF_SIGNED
AIRFLOW_LDAP_TLS_CA_CERTIFICATE
Values containing single quotes are not valid for many of these anyway, but are valid for AIRFLOW_LDAP_BIND_PASSWORD and AIRFLOW_LDAP_TLS_CA_CERTIFICATE, and possibly also AIRFLOW_LDAP_SEARCH and AIRFLOW_LDAP_ROLES_MAPPING.

Since webserver_config.py is executed by Airflow on startup, this also enables arbitrary Python code injection in the Airflow process via any of the AIRFLOW_LDAP_ environment variables. This could be considered a vulnerability, although an attacker with sufficient access to alter those environment variables is already in a position to do much worse things anyway.
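The following is an added example, not code from the issue or from the bitnami/containers project. It reproduces in Python the three things the report describes: the startup failure when a value containing a single quote is dropped between single quotes, the arbitrary-code-execution consequence of the same templating, and why the "escape single quotes with a backslash" mitigation is incomplete until backslashes are escaped as well. The render_* functions are hypothetical stand-ins for the shell logic in airflow_webserver_conf_set; exec_config stands in for Airflow importing webserver_config.py as a module. The config keys (AUTH_LDAP_BIND_PASSWORD, AUTH_ROLES_SYNC_AT_LOGIN, AUTH_ROLES_MAPPING) are assumed to be the Flask-AppBuilder settings the AIRFLOW_LDAP_* variables are written as; all values are constructed for the demonstration.

```python
"""Added example: quoting failure and injection in a generated webserver_config.py.

Not code from bitnami/containers.  render_* are hypothetical stand-ins for the
shell-side logic in airflow_webserver_conf_set; exec_config stands in for
Airflow loading webserver_config.py as a Python module.
"""
import json

# Assumed Flask-AppBuilder key that AIRFLOW_LDAP_BIND_PASSWORD is written as.
KEY = "AUTH_LDAP_BIND_PASSWORD"


def render_naive(key: str, value: str) -> str:
    """Behaviour described in the report: wrap in single quotes, no escaping."""
    return f"{key} = '{value}'"


def render_escaped_quotes(key: str, value: str) -> str:
    """The report's partial mitigation: backslash-escape single quotes only."""
    escaped = value.replace("'", "\\'")
    return f"{key} = '{escaped}'"


def render_repr(key: str, value) -> str:
    """Hardened: let Python build the literal.  repr() escapes quotes and
    backslashes correctly and also handles True/False, ints and dicts."""
    return f"{key} = {value!r}"


def render_json_loader(values: dict) -> str:
    """The approach sketched in the report: ship values as JSON and
    deserialise them inside webserver_config.py.  Here the JSON document is
    embedded as a string literal; in the container it would come from an
    environment variable or file produced on the shell side with jq."""
    blob = json.dumps(values)
    lines = ["import json", f"_conf = json.loads({blob!r})"]
    lines += [f"{k} = _conf[{k!r}]" for k in values]
    return "\n".join(lines)


def exec_config(source: str):
    """Execute rendered config text the way Airflow executes webserver_config.py
    (as plain Python).  Returns the resulting namespace, or None when the text
    is not valid Python (the startup traceback from the report)."""
    namespace = {}
    try:
        exec(compile(source, "webserver_config.py", "exec"), namespace)
    except SyntaxError:
        return None
    namespace.pop("__builtins__", None)
    return namespace


if __name__ == "__main__":
    # Constructed values: the trailing quote from the report, a trailing
    # backslash, and a payload that survives quote-only escaping.
    samples = ("adminpassword'", "pw\\", "\\'; INJECTED = True #")
    renderers = [("naive", render_naive),
                 ("escaped quotes", render_escaped_quotes),
                 ("repr", render_repr)]
    for label, render in renderers:
        for value in samples:
            src = render(KEY, value)
            ns = exec_config(src)
            if ns is None:
                outcome = "SyntaxError (container fails to start)"
            elif "INJECTED" in ns:
                outcome = "code injected"
            else:
                outcome = f"stored {ns[KEY]!r}"
            print(f"{label:15} {src!r:60} -> {outcome}")
```

The repr() and JSON variants both round-trip every sample unchanged and never let the value escape the string literal; the JSON variant additionally carries booleans and the role-mapping dictionary without any Python-literal handling on the shell side, which is the property the report is after.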