Update dependency apache-airflow to v2.7.1 [SECURITY] #663
This PR contains the following updates:

| Package | Change |
| --- | --- |
| apache-airflow | ==2.2.5 -> ==2.7.1 |
GitHub Vulnerability Alerts
CVE-2023-25695
Generation of Error Message Containing Sensitive Information vulnerability in Apache Software Foundation Apache Airflow. This issue affects Apache Airflow: before 2.5.2. The traceback contains information that might be useful for a potential attacker to better target their attack (Python/Airflow version, node name). This information should not be shown if the traceback is displayed to an unauthenticated user.
CVE-2023-29247
Task instance details page in the UI is vulnerable to stored cross-site scripting. This issue affects Apache Airflow before 2.6.0.
CVE-2023-25754
Privilege Context Switching Error vulnerability in Apache Software Foundation Apache Airflow. This issue affects Apache Airflow: before 2.6.0.
CVE-2022-46651
Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an unauthorized actor to gain access to sensitive information in Connection edit view. This vulnerability is considered low since it requires someone with access to Connection resources specifically updating the connection to exploit it. Users should upgrade to version 2.6.3 or later which has removed the vulnerability.
CVE-2023-22887
Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an attacker to perform unauthorized file access outside the intended directory structure by manipulating the run_id parameter. This vulnerability is considered low since it requires an authenticated user to exploit it. It is recommended to upgrade to a version that is not affected.
CVE-2023-35908
Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows unauthorized read access to a DAG through the URL. It is recommended to upgrade to a version that is not affected.
CVE-2023-36543
Apache Airflow, versions before 2.6.3, has a vulnerability where an authenticated user can use crafted input to make the current request hang. It is recommended to upgrade to a version that is not affected.
CVE-2023-39508
Execution with Unnecessary Privileges and Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Airflow. The "Run Task" feature enables an authenticated user to bypass some of the restrictions put in place: it allows executing code in the webserver context and bypassing the limitations on which DAGs the user may access. The "Run Task" feature is considered dangerous and has been removed entirely in Airflow 2.6.0.
This issue affects Apache Airflow: before 2.6.0.
CVE-2023-40273
The session fixation vulnerability allowed an authenticated user to continue accessing the Airflow webserver even after their password had been reset by the admin, up until the expiry of their session. Other than manually cleaning the session database (for the database session backend), or changing the secure_key and restarting the webserver, there was no mechanism to force-log-out the user (and, with that, all other users).
With this fix implemented, when using the database session backend, the user's existing sessions are invalidated when their password is reset. When using the securecookie session backend, the sessions are NOT invalidated and still require changing the secure key and restarting the webserver (and logging out all other users), but the user resetting the password is informed about it with a flash message warning displayed in the UI. Documentation has also been updated to explain this behaviour.
Users of Apache Airflow are advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability.
CVE-2023-37379
Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user possessing Connection edit privileges. This vulnerability allows the user to access connection information and exploit the test connection feature by sending many requests, leading to a denial of service (DoS) condition on the server. Furthermore, malicious actors can leverage this vulnerability to establish harmful connections with the server.
Users of Apache Airflow are strongly advised to upgrade to version 2.7.0 or newer to mitigate the risk associated with this vulnerability. Additionally, administrators are encouraged to review and adjust user permissions to restrict access to sensitive functionalities, reducing the attack surface.
CVE-2023-39441
Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and Apache Airflow before 2.7.0 are affected by the Validation of OpenSSL Certificate vulnerability.
The default SSL context with SSL library did not check a server's X.509 certificate. Instead, the code accepted any certificate, which could result in the disclosure of mail server credentials or mail contents when the client connects to an attacker in a MITM position.
Users are strongly advised to upgrade to Apache Airflow version 2.7.0 or newer, Apache Airflow IMAP Provider version 3.3.0 or newer, and Apache Airflow SMTP Provider version 1.3.0 or newer to mitigate the risk associated with this vulnerability.
CVE-2023-40611
Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc.
Users should upgrade to version 2.7.1 or later which has removed the vulnerability.
CVE-2023-40712
Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users who have access to see the task/dag in the UI, to craft a URL, which could lead to unmasking the secret configuration of the task that otherwise would be masked in the UI.
Users are strongly advised to upgrade to version 2.7.1 or later which has removed the vulnerability.
Release Notes
apache/airflow (apache-airflow)
v2.7.1
Compare Source
Significant Changes
^^^^^^^^^^^^^^^^^^^
CronTriggerTimetable is now less aggressive when trying to skip a run (#33404)
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
When setting catchup=False, CronTriggerTimetable no longer skips a run if the scheduler does not query the timetable immediately after the previous run has been triggered.
This should not affect scheduling in most cases, but it can change the behaviour if a DAG is paused and unpaused to manually skip a run. Previously, the timetable (with catchup=False) would only start a run after the DAG is unpaused, but with this change the scheduler will try to look a little bit back to schedule the previous run that covers part of the period when the DAG was paused. This means you will need to keep a DAG paused longer (namely, for the entire cron period to pass) to really skip a run.
Note that this is also the behaviour exhibited by various other cron-based scheduling tools, such as anacron.
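For context, a minimal sketch of the kind of DAG this change affects; the DAG id, cron expression and task below are illustrative placeholders, not taken from the release notes:

```python
# Hypothetical example: CronTriggerTimetable together with catchup=False,
# the combination whose run-skipping behaviour is described above.
import pendulum

from airflow.models.dag import DAG
from airflow.operators.empty import EmptyOperator
from airflow.timetables.trigger import CronTriggerTimetable

with DAG(
    dag_id="example_cron_trigger",  # placeholder name
    start_date=pendulum.datetime(2023, 1, 1, tz="UTC"),
    timetable=CronTriggerTimetable("0 0 * * *", timezone="UTC"),  # daily at midnight UTC
    catchup=False,
):
    EmptyOperator(task_id="noop")
```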
conf.set() becomes case insensitive to match conf.get() behavior (#33452)
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
Also, conf.get() will now break if used with non-string parameters.

conf.set(section, key, value) used to be case sensitive, i.e. conf.set("SECTION", "KEY", value) and conf.set("section", "key", value) were stored as two distinct configurations. This was inconsistent with the behavior of conf.get(section, key), which was always converting the section and key to lower case. As a result, configuration options set with upper case characters in the section or key were unreachable. That's why we are now converting section and key to lower case in conf.set too.

We also changed a bit the behavior of conf.get(). It used to allow objects that are not strings in the section or key. Doing this will now result in an exception. For instance, conf.get("section", 123) needs to be replaced with conf.get("section", "123").
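A small illustration of the new behaviour, as a sketch run against Airflow 2.7.1; the section and key names are just examples:

```python
# Sketch: conf.set() now lower-cases section and key, so it matches conf.get().
from airflow.configuration import conf

conf.set("WEBSERVER", "INSTANCE_NAME", "my-airflow")  # stored as ("webserver", "instance_name")
print(conf.get("webserver", "instance_name"))         # -> "my-airflow"

# Non-string section/key arguments now raise instead of being silently accepted:
# conf.get("webserver", 123)                          # raises in 2.7.1
print(conf.get("webserver", "123", fallback=None))    # pass strings instead
```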
Bug Fixes
"""""""""
- MappedTaskGroup tasks not respecting upstream dependency (#33732)
- SECURITY_MANAGER_CLASS should be a reference to class, not a string (#33690)
- get_url_for_login in security manager (#33660)
- 2.7.0 db migration job errors (#33652)
- groupby in TIS duration calculation (#33535)
- dialect.name in custom SA types (#33503)
- end_date is less than utcnow (#33488)
- formatDuration method (#33486)
- conf.set case insensitive (#33452)
- soft_fail argument when poke is called (#33401)
- processor_subdir (#33357)
- <br> text in Provider's view (#33326)
- soft_fail argument when ExternalTaskSensor runs in deferrable mode (#33196)
- expand_kwargs method (#32272)
Misc/Internal
"""""""""""""
- Pydantic 1 compatibility (#34081, #33998)
- Pydantic 2 (#33956)
- devel_only extra in Airflow's setup.py (#33907)
- FAB to 4.3.4 in order to fix issues with filters (#33931)
- sqlalchemy to 1.4.24 (#33892)
- OrderedDict with plain dict (#33508)
- (#33568, #33480, #33753, #33520, #33623)
- Pydantic warning about orm_mode rename (#33220)
- Pydantic limitation for version < 2 (#33507)
Doc only changes
"""""""""""""""""
v2.7.0
Compare Source
Significant Changes
^^^^^^^^^^^^^^^^^^^
Remove Python 3.7 support (#30963)
""""""""""""""""""""""""""""""""""
As of now, Python 3.7 is no longer supported by the Python community.
Therefore, to use Airflow 2.7.0, you must ensure your Python version is
either 3.8, 3.9, 3.10, or 3.11.
Old Graph View is removed (#32958)
""""""""""""""""""""""""""""""""""
The old Graph View is removed. The new Graph View is the default view now.
The trigger UI form is skipped in web UI if no parameters are defined in a DAG (#33351)
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
If you are using the dag_run.conf dictionary and web UI JSON entry to run your DAG you should either:

- Add params to your DAG (https://airflow.apache.org/docs/apache-airflow/stable/core-concepts/params.html#use-params-to-provide-a-trigger-ui-form), as shown in the sketch after this list, or
- set show_trigger_form_if_no_params to bring back the old behaviour.
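A sketch of the first option; the DAG id, param names and defaults below are hypothetical:

```python
# Hypothetical DAG with params defined, so the trigger UI form is still rendered in 2.7.0+.
import pendulum

from airflow.models.dag import DAG
from airflow.models.param import Param
from airflow.operators.empty import EmptyOperator

with DAG(
    dag_id="example_trigger_form",
    start_date=pendulum.datetime(2023, 1, 1, tz="UTC"),
    schedule=None,
    params={
        "batch_size": Param(100, type="integer"),  # rendered as a number field
        "comment": Param("", type="string"),       # rendered as a text field
    },
):
    EmptyOperator(task_id="noop")
```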
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
Instead, you should use the "airflow db migrate" command to create or upgrade the database. This command will not create default connections.
In order to create default connections you need to run "airflow connections create-default-connections" explicitly,
after running "airflow db migrate".
In case of SMTP SSL connection, the context now uses the "default" context (#33070)
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
The "default" context is Python's default_ssl_context instead of the previously used "none". The default_ssl_context provides a balance between security and compatibility, but in some cases, when certificates are old, self-signed or misconfigured, it might not work. This can be configured by setting "ssl_context" in the "email" configuration of Airflow.
Setting it to "none" brings back the "none" setting that was used in Airflow 2.6 and before, but it is not recommended for security reasons, as this setting disables validation of certificates and allows MITM attacks.
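To make the distinction concrete, this is roughly what the "default" setting corresponds to on the Python side (illustration only, not Airflow code):

```python
# The "default" ssl_context setting refers to Python's default SSL context,
# which verifies server certificates and hostnames.
import ssl

ctx = ssl.create_default_context()
print(ctx.verify_mode == ssl.CERT_REQUIRED)  # True
print(ctx.check_hostname)                    # True
# The "none" setting skips such a context entirely, so no certificate
# validation is performed (the pre-2.7 behaviour described above).
```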
Disable default allowing the testing of connections in UI, API and CLI (#32052)
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
For security reasons, the test connection functionality is disabled by default across Airflow UI, API and CLI. The availability of the functionality can be controlled by the test_connection flag in the core section of the Airflow configuration (airflow.cfg). It can also be controlled by the environment variable AIRFLOW__CORE__TEST_CONNECTION.
The following values are accepted for this config param:

1. Disabled: disables the test connection functionality and disables the Test Connection button in the UI. This is also the default value set in the Airflow configuration.
2. Enabled: enables the test connection functionality and activates the Test Connection button in the UI.
3. Hidden: disables the test connection functionality and hides the Test Connection button in the UI.
For more information on capabilities of users, see the documentation:
https://airflow.apache.org/docs/apache-airflow/stable/security/security_model.html#capabilities-of-authenticated-ui-users
It is strongly advised to not enable the feature until you make sure that only
highly trusted UI/API users have "edit connection" permissions.
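A quick way to check the effective value on a given deployment (a sketch using Airflow's config accessor; it assumes the documented default of "Disabled" when the option is unset):

```python
# Sketch: read the effective [core] test_connection setting.
# The AIRFLOW__CORE__TEST_CONNECTION environment variable, if set,
# takes precedence over airflow.cfg.
from airflow.configuration import conf

print(conf.get("core", "test_connection", fallback="Disabled"))
```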
The xcomEntries API disables support for the deserialize flag by default (#32176)
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
For security reasons, the /dags/*/dagRuns/*/taskInstances/*/xcomEntries/* API endpoint now disables the deserialize option to deserialize arbitrary XCom values in the webserver. For backward compatibility, server admins may set the [api] enable_xcom_deserialize_support config to True to enable the flag and restore backward compatibility.
However, it is strongly advised to not enable the feature, and perform
deserialization at the client side instead.
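A rough sketch of the recommended client-side approach via the stable REST API; the host, credentials and dag/run/task/key identifiers are placeholders, and how you decode the returned value depends on how the XCom was serialized:

```python
# Sketch: fetch an XCom entry without server-side deserialization and decode it locally.
import json

import requests

BASE_URL = "http://localhost:8080/api/v1"  # placeholder webserver address
url = (
    f"{BASE_URL}/dags/my_dag/dagRuns/my_run_id"
    f"/taskInstances/my_task/xcomEntries/return_value"
)

resp = requests.get(url, auth=("admin", "admin"))  # placeholder credentials
resp.raise_for_status()
raw = resp.json()["value"]   # string representation of the XCom value
value = json.loads(raw)      # deserialize on the client side
print(value)
```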
Change of the default Celery application name (#32526)
""""""""""""""""""""""""""""""""""""""""""""""""""""""
Default name of the Celery application changed from airflow.executors.celery_executor to airflow.providers.celery.executors.celery_executor.
You should change both your configuration and Health check command to use the new name:

- in the configuration (celery_app_name in the celery section) use airflow.providers.celery.executors.celery_executor
- in the Health check command use airflow.providers.celery.executors.celery_executor.app
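As a hypothetical sanity check after upgrading (this is not something the release notes prescribe; it assumes apache-airflow-providers-celery >= 3.3.0 is installed):

```python
# Sketch: confirm the Celery application is importable from its new location
# and carries the new default name mentioned above.
from airflow.providers.celery.executors.celery_executor import app

print(app.main)  # expected: "airflow.providers.celery.executors.celery_executor"
```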
The default value for scheduler.max_tis_per_query is changed from 512 to 16 (#32572)
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
This change is expected to make the Scheduler more responsive. scheduler.max_tis_per_query needs to be lower than core.parallelism. If both were left to their default value previously, the effective default value of scheduler.max_tis_per_query was 32 (because it was capped at core.parallelism).
To keep the behavior as close as possible to the old config, one can set scheduler.max_tis_per_query = 0, in which case it'll always use the value of core.parallelism.
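The capping rule described above can be summarised as follows (an illustrative helper, not Airflow code):

```python
# Sketch of the effective batch size: max_tis_per_query is capped by
# core.parallelism, and a value of 0 means "always use core.parallelism".
def effective_max_tis(max_tis_per_query: int, parallelism: int) -> int:
    if max_tis_per_query == 0:
        return parallelism
    return min(max_tis_per_query, parallelism)

print(effective_max_tis(512, 32))  # old defaults -> effectively 32
print(effective_max_tis(16, 32))   # new defaults -> 16
```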
Some executors have been moved to corresponding providers (#32767)
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
In order to use the executors, you need to install the providers:

- apache-airflow-providers-celery package >= 3.3.0
- apache-airflow-providers-cncf-kubernetes package >= 7.4.0
- apache-airflow-providers-daskexecutor package in any version

You can achieve it also by installing airflow with the [celery], [cncf.kubernetes], [daskexecutor] extras respectively.
Users who base their images on the apache/airflow reference image (not slim) should be unaffected - the base reference image comes with all three providers installed.
Improvement Changes
^^^^^^^^^^^^^^^^^^^
PostgreSQL only improvement: Added index on taskinstance table (#30762)
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
This index seems to have a great positive effect in a setup with tens of millions of such rows.
New Features
""""""""""""
- AIP-49: https://github.com/apache/airflow/pulls?q=is%3Apr+is%3Amerged+label%3AAIP-49+milestone%3A%22Airflow+2.7.0%22
- AIP-51: https://github.com/apache/airflow/pulls?q=is%3Apr+is%3Amerged+label%3AAIP-51+milestone%3A%22Airflow+2.7.0%22
- AIP-52: https://github.com/apache/airflow/pulls?q=is%3Apr+is%3Amerged+label%3AAIP-52+milestone%3A%22Airflow+2.7.0%22
- AIP-53: https://github.com/apache/airflow/pulls?q=is%3Apr+is%3Amerged+milestone%3A%22Airflow+2.7.0%22+label%3Aprovider%3Aopenlineage
- BranchExternalPythonOperator (#32787, #33360)
- Per-LocalTaskJob Configuration (#32313)
- AirflowClusterPolicySkipDag exception (#32013)
- reactflow for datasets graph (#31775)
- chain which doesn't require matched lists (#31927)
- --retry and --retry-delay to airflow db check (#31836)
- section query param in get config rest API (#30936)
- Scheduled->Queued->Running task state transition times (#30612)
Improvements
""""""""""""
- db upgrade to db migrate and add connections create-default-connections (#32810, #33136)
- <= parallelism (#32572)
- isdisjoint instead of not intersection (#32616)
- dag_processor status. (#32382)
- [triggers.running] (#32050)
- TriggerDagRunOperator: Add wait_for_completion to template_fields (#31122)
- PythonVirtualenvOperator termination log in alert (#31747)
- airflow db commands to SQLAlchemy 2.0 style (#31486)
- validators into their own modules (#30802)
- get_log api (#30729)
Bug Fixes
"""""""""
- Gantt chart: Use earliest/oldest ti dates if different than dag run start/end (#33215)
- virtualenv detection for Python virtualenv operator (#33223)
- chmod airflow.cfg (#33118)
- max_active_runs reached its upper limit. (#31414)
- get_task_instances query (#33054)
- $ref (#32887)
- PythonOperator sub-classes extend its decorator (#32845)
- virtualenv is installed in PythonVirtualenvOperator (#32939)
- __iter__ in is_container() (#32850)
- dagRunTimeout (#32565)
- /blocked endpoint (#32571)
- cli.dags.trigger command output (#32548)
- whitespaces from airflow connections form (#32292)
- readonly property in our API (#32510)
- resizer would not expanse grid view (#31581)
- type_ arg to drop_constraint (#31306)
- drop_constraint call in migrations (#31302)
- requirepass redis sentinel (#30352)
- /config (#31057)
Misc/Internal
"""""""""""""
- dag_processing (#33161)
- Pydantic to < 2.0.0 (#33235)
- cncf.kubernetes provider (#32767, #32891)
- pydocstyle check - core Airflow only (#31297)
- 1.2.3 to 1.2.4 in /airflow/www (#32680)
- 6.3.0 to 6.3.1 in /airflow/www (#32506)
- 4.18.0 (#32445)
- stylelint from 13.13.1 to 15.10.1 in /airflow/www (#32435)
- 4.0.0 to 4.1.3 in /airflow/www (#32443)
- Pydantic 2 (#32366)
- enums (#31735)
- 0.272 (#31966)
- asynctest (#31664)
- 2.0 style (#31569, #31772, #32350, #32339, #32474, #32645)
- 3.7 support (#30963)
- 0.0.262 (#30809)
- 1.2.0 (#30687)
Docs only changes
"""""""""""""""""
- DAGRun / DAG / Task in templates-ref.rst (#33013)
v2.6.3
Compare Source
Significant Changes
^^^^^^^^^^^^^^^^^^^
Default allowed pattern of a run_id has been changed to ^[A-Za-z0-9_.~:+-]+$ (#32293)
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
Previously, there was no validation on the run_id string. There is now a validation regex that can be set by configuring allowed_run_id_pattern in the scheduler section.
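Purely as an illustration of the pattern quoted above (not Airflow code):

```python
# Sketch: check candidate run_id values against the new default pattern.
import re

ALLOWED_RUN_ID_PATTERN = re.compile(r"^[A-Za-z0-9_.~:+-]+$")

print(bool(ALLOWED_RUN_ID_PATTERN.match("manual__2023-07-01T00:00:00+00:00")))  # True
print(bool(ALLOWED_RUN_ID_PATTERN.match("run id with spaces")))                 # False
```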
Bug Fixes
"""""""""
- DagRun.run_id and allow flexibility (#32293)
- executor_class from Job - fixing backfill for custom executors (#32219)
- mapIndex to display extra links per mapped task. (#32154)
- re2 for matching untrusted regex (#32060)
- dag_dependencies in serialized dag (#32037)
- None if an XComArg fails to resolve in a multiple_outputs Task (#32027)
- rendered-templates when map index is not found (#32011)
- ExternalTaskSensor when there is no task group TIs for the current execution date (#32009)
- operator_extra_links property serialization in mapped tasks (#31904)
- xcom_pull and inlets (#31128)
- on_failure_callback is not invoked when task failed during testing dag. (#30965)
- ExternalPythonOperator and debug logging level (#30367)
Misc/Internal
"""""""""""""
- task.sensor annotation in type stub (#31954)
- Pydantic to < 2.0.0 until we solve 2.0.0 incompatibilities (#32312)
- Pydantic 2 pickiness about model definition (#32307)
Doc only changes
""""""""""""""""
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Never, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.