
Add CSRF protection to "/logout" #33030

Closed
1 task done
potiuk opened this issue Aug 2, 2023 · 6 comments · Fixed by #40145
Labels
area:webserver Webserver related Issues good first issue kind:meta High-level information important to the community priority:low Bug with a simple workaround that would not block a release

Comments

@potiuk
Member

potiuk commented Aug 2, 2023

Body

The /logout endpoint has no CSRF protection. This is not a security issue, because the user is logged out when the CSRF protection is in-place, but it is a potential issue as the user might get logged out by a 3rd-party tab opened (potentially).

Would be great to take a look and fix it.

Committer

  • I acknowledge that I am a maintainer/committer of the Apache Airflow project.
@potiuk potiuk added area:webserver Webserver related Issues good first issue kind:meta High-level information important to the community priority:low Bug with a simple workaround that would not block a release labels Aug 2, 2023
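A minimal model of the two logout behaviours discussed in this issue, added here as an example; it is not Airflow or Flask-AppBuilder code and stands in for the framework with a plain dict session and a small `Request` class (both constructed). The unprotected handler clears the session on any request, so a cross-site GET from another tab logs the user out; the protected handler requires a POST carrying the session-bound token.

```python
"""Session-backed /logout with and without a CSRF check (illustrative model)."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Stand-in for a framework request object (constructed for this example)."""
    method: str
    form: dict = field(default_factory=dict)


def new_session(user: str) -> dict:
    """Log a user in and mint a per-session CSRF token (stored server-side)."""
    return {"user": user, "csrf_token": secrets.token_urlsafe(32)}


def logout_unprotected(session: dict, req: Request) -> int:
    """The pattern the issue describes: any request, including a GET issued by
    a page in another tab (image tag, redirect, link), clears the session."""
    session.clear()
    return 302  # redirect to login


def logout_protected(session: dict, req: Request) -> int:
    """Hardened form: only a POST whose form token matches the session token
    may log the user out. Status codes mirror a typical web app's responses."""
    if req.method != "POST":
        return 405  # GET/HEAD must not have side effects
    expected = session.get("csrf_token", "")
    supplied = req.form.get("csrf_token", "")
    # Constant-time compare on bytes so non-ASCII input cannot raise TypeError.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 400  # missing or mismatched token: session stays intact
    session.clear()
    return 302


if __name__ == "__main__":
    s = new_session("alice")
    print("unprotected GET ->", logout_unprotected(s, Request("GET")), "session:", s)
    s = new_session("alice")
    print("protected GET   ->", logout_protected(s, Request("GET")), "session:", s)
    token = s["csrf_token"]
    print("protected POST  ->", logout_protected(s, Request("POST", {"csrf_token": token})), "session:", s)
```

An IdP-initiated single sign-out callback (the case raised later in this thread) reaches the server without the browser's form token, so it would need its own validation path rather than this check.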
@moulibrota-das

I am new to this project and quite interested in this issue. Can you help me locate the endpoint? I couldn't find it.

@potiuk
Member Author

potiuk commented Aug 2, 2023

I think it comes with Flask Application Builder.

@hterik
Contributor

hterik commented Oct 25, 2023

Will this interfere with single-sign-out, when using Oauth2 or Saml login?
If a user logs out from the IDP, the IDP somehow needs to notify Airflow to clear the session; that's done by configuring a logout-url in the IDP.

@veginati

veginati commented Feb 6, 2024

@potiuk is this issue resolved? Or can I give it a try?

@veginati

veginati commented Feb 6, 2024

@potiuk could you please assign any good first issue tickets.

@potiuk
Member Author

potiuk commented Feb 6, 2024

Not solved - give it a try. Generally look for good first issues and pick some that you think will be good for you. It's hard to give individual advice.
