Update dependency apache-airflow to v2.8.0 [SECURITY] #3572
This PR contains the following updates:
apache-airflow: ==2.7.3 -> ==2.8.0
GitHub Vulnerability Alerts
CVE-2023-49920
Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation. As a result, it was possible for a malicious website opened in the same browser - by the user who also had the Airflow UI opened - to trigger the execution of DAGs without the user's consent.
Users are advised to upgrade to version 2.8.0 or later, which is not affected.
CVE-2023-47265
Apache Airflow, versions 2.6.0 through 2.7.3, has a stored XSS vulnerability that allows a DAG author to add unbounded and unsanitized JavaScript to the parameter description field of the DAG. This JavaScript can be executed on the client side of any user who looks at the tasks in the browser sandbox. While this issue does not allow escaping the browser sandbox or manipulating server-side data beyond what the DAG author already can, it allows modifying what the user looking at the DAG details sees in the browser, which opens up all kinds of possibilities for misleading other users.
Users of Apache Airflow are recommended to upgrade to version 2.8.0 or newer to mitigate the risk associated with this vulnerability.
CVE-2023-50783
Apache Airflow, versions before 2.8.0, is affected by a vulnerability that allows an authenticated user without the variable edit permission to update a variable.
This flaw compromises the integrity of variable management, potentially leading to unauthorized data modification.
Users are recommended to upgrade to 2.8.0, which fixes this issue.
CVE-2023-48291
Apache Airflow, in versions prior to 2.8.0, contains a security vulnerability that allows an authenticated user with limited access to some DAGs to craft a request that could give the user write access to various DAG resources for DAGs the user had no access to, thus enabling the user to clear DAGs they shouldn't.
This is a missing fix for CVE-2023-42792 in Apache Airflow 2.7.2.
Users of Apache Airflow are strongly advised to upgrade to version 2.8.0 or newer to mitigate the risk associated with this vulnerability.
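An added defender-side check, not code from this PR or from Airflow, tying the CVE-2023-47265 advisory above to the ``webserver.allow_raw_html_descriptions`` default and the ``description_html`` to ``description_md`` migration described in the release notes below: it parses an airflow.cfg for the raw-HTML opt-in and walks a DAG file's AST for the deprecated keywords. The config text and DAG file are constructed samples, and the assumption that the deprecated names appear as keyword arguments (e.g. to ``Param``) is mine.

```python
"""Added audit helper (not part of this PR or of Airflow): flag an airflow.cfg
that re-enables webserver.allow_raw_html_descriptions and find DAG sources
still using the deprecated description_html / custom_html_form keywords."""
import ast
import configparser

# Constructed sample configs; not taken from any real deployment.
INSECURE_CFG = """
[webserver]
allow_raw_html_descriptions = True
"""
DEFAULT_CFG = """
[webserver]
expose_config = False
"""

# Constructed sample DAG file. It is only parsed, never imported, so Airflow
# does not need to be installed to run this check.
DAG_SOURCE = '''
from airflow.models.param import Param
params = {
    "table": Param("users", description_html="<b>Target</b> table"),
    "mode": Param("full", description_md="**full** or *delta*"),
}
'''

DEPRECATED_KEYWORDS = {"description_html", "custom_html_form"}


def raw_html_enabled(cfg_text: str) -> bool:
    """True when the config opts back into raw HTML; a missing key means the 2.8.0 default (False)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    return parser.getboolean("webserver", "allow_raw_html_descriptions", fallback=False)


def deprecated_param_keywords(dag_source: str) -> list[tuple[str, int]]:
    """Return (keyword, line) for each deprecated keyword argument in the file.
    Assumption: the deprecated names appear as keyword arguments, e.g. to Param(...)."""
    found = []
    for node in ast.walk(ast.parse(dag_source)):
        if isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg in DEPRECATED_KEYWORDS:
                    found.append((kw.arg, kw.value.lineno))
    return found


if __name__ == "__main__":
    print("raw HTML re-enabled:", raw_html_enabled(INSECURE_CFG))
    print("deprecated keywords:", deprecated_param_keywords(DAG_SOURCE))
```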
Release Notes
apache/airflow (apache-airflow)
v2.8.0
Compare Source
Significant Changes
^^^^^^^^^^^^^^^^^^^
Raw HTML code in DAG docs and DAG params descriptions is disabled by default

To ensure that no malicious javascript can be injected with DAG descriptions or trigger UI forms by DAG authors, a new parameter ``webserver.allow_raw_html_descriptions`` was added with default value of ``False``. If you trust your DAG authors' code and want to allow using raw HTML in DAG descriptions and params, you can restore the previous behavior by setting the configuration value to ``True``. To ensure Airflow is secure by default, the raw HTML support in the trigger UI has been superseded by markdown support via the ``description_md`` attribute. If you have been using ``description_html``, please migrate to ``description_md``. The ``custom_html_form`` is now deprecated. (#35460)

New Features
""""""""""""
- AIP-58 (https://github.com/apache/airflow/pulls?q=is%3Apr+is%3Amerged+label%3AAIP-58+milestone%3A%22Airflow+2.8.0%22)
- ``prev_end_date_success`` method access (#34528)
- ``List Task Instances`` view (#34529)
- ``clear_number`` to track DAG run being cleared (#34126)

Improvements
""""""""""""
- ``multiselect`` to run state in grid view (#35403)
- ``Connection.get_hook`` in case of ImportError (#36005)
- ``taskinstance`` (#35810)
- ``AIRFLOW_CONFIG`` path (#35818)
- ``JSON-string`` connection representation generator (#35723)
- ``BaseOperatorLink`` into the separate module (#35032)
- ``cbreak`` in ``execute_interactive`` and handle ``SIGINT`` (#35602)
- ``synchronize_log_template`` function (#35366)
- ``BaseOperatorLink.operators`` (#35003)
- ``SA2-compatible`` syntax for TaskReschedule (#33720)
- ``EventScheduler`` (#34808)
- ``update_forward_refs`` (#34657)
- ``Dataset`` from ``airflow`` package in codebase (#34610)
- ``airflow.datasets.Dataset`` in examples and tests (#34605)
- ``version`` top-level element from docker compose files (#33831)
- ``NOT EXISTS`` subquery instead of ``tuple_not_in_condition`` (#33527)
- ``triggerer_heartbeat`` (#33320)
- ``airflow variables export`` to print to stdout (#33279)

Bug Fixes
"""""""""
- ``reset_user_sessions`` to work from either CLI or web (#36056)
- ``overscroll`` behaviour to auto (#35717)
- ``borderWidthRight`` to grid for Firefox ``scrollbar`` (#35346)
- ``processor_subdir`` in serialized_dag table (#35661)
- ``get_dag_by_pickle`` util function (#35339)
- ``mappedoperator`` (#35257)
- ``Literal`` from ``typing_extensions`` (#33794)

Miscellaneous
"""""""""""""
- ``4.3.10`` (#35991)
- ``Connection.to_json_dict`` to ``Connection.to_dict`` (#35894)
- ``moto`` version to ``>= 4.2.9`` (#35687)
- ``pyarrow-hotfix`` to mitigate CVE-2023-47248 (#35650)
- ``axios`` from ``0.26.0 to 1.6.0`` in ``/airflow/www/`` (#35624)
- ``navbar_text_color`` and ``rm`` condition in style (#35553)
- ``dag_next_execution`` (#35539)
- ``TCH004`` and ``TCH005`` rules (#35475)
- ``AirflowException`` from airflow (#34541)
- ``postcss`` from ``8.4.25 to 8.4.31`` in ``/airflow/www`` (#34770)
- ``airflow.models.dag.DAG`` in examples (#34617)
- (#33801, #33799, #33800, #33797, #33798, #34406, #33808)
Doc Only Changes
""""""""""""""""
- ``re2`` regex engine in the .airflowignore documentation. (#35663)
- ``best-practices.rst`` (#35692)
- ``dag-run.rst`` to mention Airflow's support for extended cron syntax through croniter (#35342)
- ``webserver.rst`` to include information of supported OAuth2 providers (#35237)
- ``rst`` code block format (#34708)

Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.