CVE-2022-24288: in Apache Airflow prior to 2.2.4, some of the bundled example DAGs did not properly sanitize user-provided params, making them vulnerable to OS command injection from the web UI.

The root cause was not Airflow's DAG-parsing code but the example DAGs that ship with Airflow and are loaded by default. Some of them build a shell command (a Jinja-templated bash_command) by interpolating values taken from user-controlled input, such as the JSON entered in the web UI's "Trigger DAG w/ config" dialog or passed with --conf to airflow dags trigger, directly into the command string without quoting. Jinja rendering is plain string substitution, and the rendered string is handed to a shell, so anyone permitted to trigger one of those DAGs could terminate the intended command with a shell metacharacter and append commands of their own, which then ran with the privileges of the Airflow worker.

Apache Airflow 2.2.4 fixed the affected example DAGs so that user-provided params are no longer interpolated unsanitized into shell commands. Airflow has no DAG_VALIDATE_ARGS setting, and no "parameter validation" switch was introduced in 2.2.4; the remediation is to upgrade to 2.2.4 or later and, on any deployment that does not need the example DAGs, to stop loading them at all.
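The following is an added example, not code from Airflow or from any of its example DAGs. It reproduces the bug class in plain Python: a hypothetical bash_command-style template (TEMPLATE), a constructed attacker payload (PAYLOAD) of the kind that could be entered in "Trigger DAG w/ config", the unsafe rendering that splices the raw value in, and the hardened rendering that shell-quotes it first. It also includes a static check that tokenises the rendered command and reports any shell control operators that sit outside quotes, and then actually runs both variants under sh (BashOperator uses bash -c; the outcome is the same for this input).

```python
"""Added example (not Airflow's own code): the unsafe and the hardened way to
build a shell command from a user-controlled DAG param.

It mimics what happens when a templated bash_command such as
    echo Received {{ dag_run.conf["message"] }}
is rendered and handed to a shell.  Template, param name and payload are
constructed for this example; they are not copied from any Airflow example DAG.
"""
import shlex
import subprocess
from typing import Dict, List, Tuple

# Hypothetical command template in the style of a BashOperator bash_command.
TEMPLATE = "echo Received {message}"

# Constructed attacker input, e.g. the JSON body of "Trigger DAG w/ config":
# {"message": "hello; echo INJECTED"}
PAYLOAD = "hello; echo INJECTED"

# Shell control operators as tokenised by shlex with punctuation_chars=True.
SHELL_CONTROL = {";", "&", "&&", "|", "||", "(", ")", "<", ">", ">>", "<<"}


def render_unsafe(template: str, params: Dict[str, str]) -> str:
    """Vulnerable pattern: the raw param value is spliced into the command.

    Same effect as {{ dag_run.conf["message"] }} in a Jinja template:
    plain string substitution, no quoting.
    """
    return template.format(**params)


def render_safe(template: str, params: Dict[str, str]) -> str:
    """Hardened pattern: shell-quote every param before substitution.

    shlex.quote wraps the value in single quotes (escaping any embedded
    single quote), so the shell sees exactly one word whatever the content.
    """
    return template.format(**{k: shlex.quote(v) for k, v in params.items()})


def control_operators(command: str) -> List[str]:
    """Static check: list the shell control operators the shell would honour.

    Operators inside a quoted word are data, not syntax, so they are not
    returned; any operator reported here came from outside quotes.
    """
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return [tok for tok in lexer if tok in SHELL_CONTROL]


def run_in_sh(command: str) -> str:
    """Execute the rendered command the way BashOperator ultimately does."""
    result = subprocess.run(["sh", "-c", command], capture_output=True,
                            text=True, check=False)
    return result.stdout


def demo(payload: str = PAYLOAD) -> Tuple[str, str]:
    """Render and run both variants; return (unsafe_output, safe_output)."""
    params = {"message": payload}
    return (run_in_sh(render_unsafe(TEMPLATE, params)),
            run_in_sh(render_safe(TEMPLATE, params)))


if __name__ == "__main__":
    params = {"message": PAYLOAD}
    for label, rendered in (("unsafe", render_unsafe(TEMPLATE, params)),
                            ("safe", render_safe(TEMPLATE, params))):
        print(f"{label:6s} command  : {rendered}")
        print(f"{label:6s} operators: {control_operators(rendered)}")
        print(f"{label:6s} output   : {run_in_sh(rendered)!r}")
```

In a real DAG the cleaner fix is to keep untrusted values out of the command string altogether: BashOperator accepts an env mapping, so the value can be passed as an environment variable and referenced as "$MESSAGE" inside the command, where the shell never parses its contents. The control_operators check is a heuristic for spotting the unsafe pattern in rendered commands; quoting or the env route is the actual fix.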

How to stop loading the example DAGs

Set load_examples = False in the [core] section of airflow.cfg, or export AIRFLOW__CORE__LOAD_EXAMPLES=False in the environment of every Airflow component, then restart the scheduler and webserver. The example DAGs are loaded by default (load_examples = True) and are exactly the DAGs a freshly installed Airflow exposes to anyone with permission to trigger DAGs, so disabling them is sensible on every production deployment whether or not it has been upgraded.

Airflow does not sanitize params or dag_run.conf

Airflow does not validate or sanitize the values that reach a DAG through params or dag_run.conf by default. Airflow 2.2 does let DAG params be validated against a JSON Schema through airflow.models.param.Param, but a schema constrains the type and shape of a value, not its shell safety: a string that passes validation is still pasted into a bash_command verbatim unless the DAG quotes it. Any DAG, not only the bundled examples, that templates untrusted input into a shell command has the same bug.


Disable the example DAGs in airflow.cfg

The following airflow.cfg snippet turns off loading of the bundled example DAGs and so removes the vulnerable DAGs from the deployment entirely; the setting is read at startup, so restart the scheduler and webserver afterwards. The equivalent environment variable is AIRFLOW__CORE__LOAD_EXAMPLES=False.
# airflow.cfg: do not load the bundled example DAGs
[core]
load_examples = False
