Skip to content

Latest commit

 

History

History
100 lines (83 loc) · 5.6 KB

threat-modeling.md

File metadata and controls

100 lines (83 loc) · 5.6 KB

Threat Model Analysis for apache/airflow

Threat: Weak Webserver Authentication

  • Description: Attacker gains unauthorized access to the Airflow webserver by exploiting default or weak authentication. This allows them to control Airflow through the UI and API.
  • Impact: Full control of Airflow, including viewing sensitive data, modifying DAGs, triggering workflows, and potential infrastructure compromise.
  • Affected Airflow Component: Webserver (Authentication module)
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Implement strong authentication (OAuth 2.0, LDAP, Kerberos).
    • Enforce strong password policies.
    • Enable HTTPS.
    • Disable default accounts.

Threat: Cross-Site Scripting (XSS) in Webserver UI

  • Description: Attacker injects malicious JavaScript into the Airflow UI via user inputs. When other users view the UI, the script executes.
  • Impact: Session hijacking, credential theft, UI defacement, unauthorized actions within Airflow on behalf of victim users.
  • Affected Airflow Component: Webserver (UI components)
  • Risk Severity: High
  • Mitigation Strategies:
    • Implement strict input sanitization and output encoding in the UI.
    • Use Content Security Policy (CSP).
    • Regularly update Airflow to patch XSS vulnerabilities.

Threat: DAG Parsing Code Execution

  • Description: Attacker crafts malicious DAG files to exploit parsing vulnerabilities, leading to code execution on the scheduler during DAG loading.
  • Impact: Arbitrary code execution on the scheduler server, full system compromise, data breaches, denial of service.
  • Affected Airflow Component: Scheduler (DAG parsing module)
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Restrict DAG folder access.
    • Implement DAG code review.
    • Run scheduler with least privilege.
    • Update Airflow regularly.
    • Consider DAG serialization.

Threat: Malicious Code Execution in Tasks

  • Description: Attacker introduces malicious Python code within DAG tasks, executing on worker nodes during task runtime.
  • Impact: Arbitrary code execution on workers, data breaches, data manipulation, denial of service, compromise of connected systems.
  • Affected Airflow Component: Executor, Workers (Task execution environment)
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Strict DAG code review.
    • Secure coding practices in DAGs.
    • Run workers with least privilege.
    • Use containerization for task isolation.
    • Scan DAG dependencies for vulnerabilities.

Threat: SQL Injection in Metadata Database

  • Description: Attacker injects malicious SQL queries through Airflow components interacting with the metadata database.
  • Impact: Data breaches from the metadata database, data manipulation, denial of service via database compromise.
  • Affected Airflow Component: Webserver, Scheduler (Database interaction layer)
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Use parameterized queries or ORM.
    • Strict input validation.
    • Regularly update Airflow and database drivers.
    • Security testing for SQL injection.
    • Database access controls.

Threat: Exposure of Connection Credentials

  • Description: Attacker gains access to connection credentials stored insecurely within Airflow configurations or variables.
  • Impact: Unauthorized access to connected systems, data breaches, data manipulation, service disruption in external systems.
  • Affected Airflow Component: Connections management, Variables management
  • Risk Severity: High
  • Mitigation Strategies:
    • Use a secrets backend (Vault, AWS Secrets Manager, etc.).
    • Avoid storing credentials in DAG code or variables directly.
    • Encrypt connection details in the metadata database.
    • Implement access controls for connections.

Threat: Insecure Secrets Management

  • Description: Attacker exploits weak secrets management practices in Airflow, such as weak encryption or insecure storage.
  • Impact: Exposure of sensitive secrets (credentials, API keys), leading to unauthorized access and system compromise.
  • Affected Airflow Component: Secrets backend integration, Configuration management
  • Risk Severity: High
  • Mitigation Strategies:
    • Utilize a robust secrets management solution.
    • Encrypt secrets at rest and in transit.
    • Implement strong access controls for secrets.
    • Regularly audit secrets management.

Threat: Dependency Vulnerabilities in DAGs

  • Description: DAGs rely on vulnerable Python packages. Attackers exploit these vulnerabilities present in the worker environment.
  • Impact: Code execution on workers or scheduler, denial of service, data breaches depending on the vulnerability.
  • Affected Airflow Component: Workers, Scheduler (Dependency management)
  • Risk Severity: High
  • Mitigation Strategies:
    • Implement dependency scanning and vulnerability management.
    • Use dependency pinning.
    • Regularly update DAG dependencies.
    • Use virtual environments or containerization for dependency isolation.