[AIRFLOW-2809] Fix security issue regarding Flask SECRET_KEY

It's recommended by Falsk community to use random SECRET_KEY for security reason. However, in Airflow there is a default value for secret_key and most users will ignore to change it. This may cause security concern. Closes #3651 from XD-DENG/patch-2
apache · Jul 29, 2018 · dfa7b26 · dfa7b26
1 parent fcd51f3
commit dfa7b26
Showing 1 changed file with 11 additions and 2 deletions.
diff --git a/airflow/www/app.py b/airflow/www/app.py
@@ -18,6 +18,7 @@
 # under the License.
 #
 import six
+import os
 
 from flask import Flask
 from flask_admin import Admin, base
@@ -43,9 +44,18 @@
 
 
 def create_app(config=None, testing=False):
+
+    log = LoggingMixin().log
+
     app = Flask(__name__)
     app.wsgi_app = ProxyFix(app.wsgi_app)
-    app.secret_key = configuration.conf.get('webserver', 'SECRET_KEY')
+
+    if configuration.conf.get('webserver', 'SECRET_KEY') == "temporary_key":
+        log.info("SECRET_KEY for Flask App is not specified. Using a random one.")
+        app.secret_key = os.urandom(16)
+    else:
+        app.secret_key = configuration.conf.get('webserver', 'SECRET_KEY')
+
     app.config['LOGIN_DISABLED'] = not configuration.conf.getboolean(
         'webserver', 'AUTHENTICATE')
 
@@ -127,7 +137,6 @@ def create_app(config=None, testing=False):
 
         def integrate_plugins():
             """Integrate plugins to the context"""
-            log = LoggingMixin().log
             from airflow.plugins_manager import (
                 admin_views, flask_blueprints, menu_links)
             for v in admin_views: