Skip to content

Add CSRF protection to "/logout" #40145

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
potiuk merged 1 commit into from
Jun 12, 2024
Merged

Add CSRF protection to "/logout" #40145

potiuk merged 1 commit into from
Jun 12, 2024

Conversation

@shahar1
Copy link
Contributor

@shahar1 shahar1 commented Jun 8, 2024
edited
Loading

closes: #33030

cc: @potiuk, @eladkal

^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named {pr_number}.significant.rst or {issue_number}.significant.rst, in newsfragments.

@boring-cyborg boring-cyborg bot added area:providers area:UI Related to UI/UX. For Frontend Developers. area:webserver Webserver related Issues provider:fab labels Jun 8, 2024
shahar1
shahar1 commented Jun 8, 2024
View reviewed changes
@shahar1 shahar1 force-pushed the add-csrf-protection-to-logout branch 2 times, most recently from 2d7834b to 3b44edf Compare June 8, 2024 21:10
@shahar1
Copy link
Contributor Author

shahar1 commented Jun 8, 2024

General question - Should Non-DB tests for FAB provider be skipped? (currently they fail)

@potiuk
Copy link
Member

potiuk commented Jun 9, 2024

General question - Should Non-DB tests for FAB provider be skipped? (currently they fail)

I think by modifying logout and adding decorator, some of the tests simply started requiring database - have not looked in detail, but that's essentially what is happening here. I guess it can be fixed by changing the test code to not trigger DB operations in those tests (preferrable) or marking them as db_tests.

potiuk
potiuk reviewed Jun 9, 2024
View reviewed changes
@shahar1
Copy link
Contributor Author

shahar1 commented Jun 9, 2024

General question - Should Non-DB tests for FAB provider be skipped? (currently they fail)

I think by modifying logout and adding decorator, some of the tests simply started requiring database - have not looked in detail, but that's essentially what is happening here. I guess it can be fixed by changing the test code to not trigger DB operations in those tests (preferrable) or marking them as db_tests.

It makes sense, I'll check it out

@shahar1 shahar1 force-pushed the add-csrf-protection-to-logout branch from 3b44edf to 3bd6d6e Compare June 11, 2024 14:18
potiuk
potiuk reviewed Jun 11, 2024
View reviewed changes
Copy link
Member

@potiuk potiuk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we also need a newsfragment for that one. While it can be treated as 'security fix" it also potentially breaks somoene workflow if they have some non-CSRF logout integrated somewhere in their setup.

@shahar1
Copy link
Contributor Author

shahar1 commented Jun 11, 2024
edited
Loading

I think we also need a newsfragment for that one. While it can be treated as 'security fix" it also potentially breaks somoene workflow if they have some non-CSRF logout integrated somewhere in their setup.

I will add one.
I also checked locally - I managed to reproduce the errors, with or without the change, when running the following command:
breeze testing non-db-tests --parallel-test-types "Always Providers[fab] WWW"

So I see no other good choice, but marking test_role_and_permission_endpoint.py as a db test.

@potiuk
Copy link
Member

potiuk commented Jun 11, 2024

So I see no other good choice, but marking test_role_and_permission_endpoint.py as a db test.

Yep. Saw the marker. Indeed that's simpler.

@shahar1 shahar1 force-pushed the add-csrf-protection-to-logout branch 4 times, most recently from 8806141 to 3c9847a Compare June 12, 2024 12:14
@shahar1 shahar1 force-pushed the add-csrf-protection-to-logout branch from 3c9847a to 4c19e19 Compare June 12, 2024 12:20
@shahar1 shahar1 requested a review from potiuk June 12, 2024 12:20
@eladkal eladkal added this to the Airflow 2.10.0 milestone Jun 12, 2024
@eladkal eladkal added the type:improvement Changelog: Improvements label Jun 12, 2024
@potiuk potiuk merged commit 14deaa2 into apache:main Jun 12, 2024
@shahar1 shahar1 deleted the add-csrf-protection-to-logout branch June 12, 2024 16:29
@shahar1 shahar1 mentioned this pull request Jun 12, 2024
Merged
shahar1 added a commit to shahar1/airflow that referenced this pull request Jun 12, 2024
@shahar1
Fix TS linting issues caused by apache#40145
3f42a0a
potiuk pushed a commit that referenced this pull request Jun 12, 2024
@shahar1
Fix TS linting issues caused by #40145 (#40202)
28c1419
@eladkal eladkal mentioned this pull request Jun 22, 2024
Closed
96 tasks
@potiuk potiuk mentioned this pull request Jun 28, 2024
Closed
2 tasks
@potiuk potiuk mentioned this pull request Jul 15, 2024
Merged
romsharon98 pushed a commit to romsharon98/airflow that referenced this pull request Jul 26, 2024
@shahar1 @romsharon98
Add CSRF protection to "/logout" (apache#40145)
8e9ddd3
romsharon98 pushed a commit to romsharon98/airflow that referenced this pull request Jul 26, 2024
@shahar1 @romsharon98
Fix TS linting issues caused by apache#40145 (apache#40202)
9dff73a
@tirkarthi tirkarthi mentioned this pull request Aug 19, 2024
Closed
2 tasks
@shahar1 shahar1 mentioned this pull request Dec 28, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@potiuk potiuk potiuk approved these changes

@eladkal eladkal eladkal approved these changes

@ryanahamilton ryanahamilton Awaiting requested review from ryanahamilton

@ashb ashb Awaiting requested review from ashb

@bbovenzi bbovenzi Awaiting requested review from bbovenzi

@pierrejeambrun pierrejeambrun Awaiting requested review from pierrejeambrun

Assignees

No one assigned

Labels

area:providers area:UI Related to UI/UX. For Frontend Developers. area:webserver Webserver related Issues provider:fab type:improvement Changelog: Improvements

Projects

None yet

Milestone

Airflow 2.10.0

Development

Successfully merging this pull request may close these issues.

Add CSRF protection to "/logout"

4 participants

@shahar1 @potiuk @bbovenzi @eladkal