Fix failing get_safe_url tests for latest Python 3.8 and 3.9 (#31766)

potiuk · Elad Kalif · commit 5b41ed8209d9 · 2023-06-08T11:26:03.000+03:00
The latest release of Python 3.8 and 3.9 have been just released that contain the fix to a security vulnerability backported to those versions: python/cpython#102153 Release notes: * https://www.python.org/downloads/release/python-3817/ * https://www.python.org/downloads/release/python-3917/ The fix improved sanitizing of the URLs and until Python 3.10 and 3.11 get released, we need to add the sanitization ourselves to pass tests on all versions. In order to improve security of airflow users and make the tests work regardless whether the users have latest Python versions released, we add extra sanitisation step to the URL to apply the standard WHATWG specification. (cherry picked from commit 87c5c9f)
diff --git a/airflow/www/views.py b/airflow/www/views.py
@@ -162,6 +162,27 @@ def sanitize_args(args: dict[str, str]) -> dict[str, str]:
     return {key: value for key, value in args.items() if not key.startswith("_")}
 
 
+# Following the release of https://github.com/python/cpython/issues/102153 in Python 3.8.17 and 3.9.17 on
+# June 6, 2023, we are adding extra sanitization of the urls passed to get_safe_url method to make it works
+# the same way regardless if the user uses latest Python patchlevel versions or not. This also follows
+# a recommended solution by the Python core team.
+#
+# From: https://github.com/python/cpython/commit/d28bafa2d3e424b6fdcfd7ae7cde8e71d7177369
+#
+#   We recommend that users of these APIs where the values may be used anywhere
+#   with security implications code defensively. Do some verification within your
+#   code before trusting a returned component part.  Does that ``scheme`` make
+#   sense?  Is that a sensible ``path``?  Is there anything strange about that
+#   ``hostname``?  etc.
+#
+# C0 control and space to be stripped per WHATWG spec.
+# == "".join([chr(i) for i in range(0, 0x20 + 1)])
+_WHATWG_C0_CONTROL_OR_SPACE = (
+    "\x00\x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c"
+    "\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f "
+)
+
+
 def get_safe_url(url):
     """Given a user-supplied URL, ensure it points to our web server"""
     if not url:
@@ -172,6 +193,8 @@ def get_safe_url(url):
     if ";" in unquote(url):
         return url_for("Airflow.index")
 
+    url = url.lstrip(_WHATWG_C0_CONTROL_OR_SPACE)
+
     host_url = urlsplit(request.host_url)
     redirect_url = urlsplit(urljoin(request.host_url, url))
     if not (redirect_url.scheme in ("http", "https") and host_url.netloc == redirect_url.netloc):
diff --git a/tests/www/views/test_views.py b/tests/www/views/test_views.py
@@ -181,7 +181,7 @@ def test_task_dag_id_equals_filter(admin_client, url, content):
     [
         ("", "/home"),
         ("javascript:alert(1)", "/home"),
-        (" javascript:alert(1)", "http://localhost:8080/ javascript:alert(1)"),
+        (" javascript:alert(1)", "/home"),
         ("http://google.com", "/home"),
         ("google.com", "http://localhost:8080/google.com"),
         ("\\/google.com", "http://localhost:8080/\\/google.com"),

Original file line number	Diff line number	Diff line change
`@@ -181,7 +181,7 @@ def test_task_dag_id_equals_filter(admin_client, url, content):`
`181`	`181`	`[`
`182`	`182`	`("", "/home"),`
`183`	`183`	`("javascript:alert(1)", "/home"),`
`184`		`- (" javascript:alert(1)", "http://localhost:8080/ javascript:alert(1)"),`
	`184`	`+ (" javascript:alert(1)", "/home"),`
`185`	`185`	`("http://google.com", "/home"),`
`186`	`186`	`("google.com", "http://localhost:8080/google.com"),`
`187`	`187`	`("\\/google.com", "http://localhost:8080/\\/google.com"),`