
GHSA-47qg-q58v-7vrp amundsen-frontend

Package

Manager: pip
Name: amundsen-frontend
Vulnerable Version: >=2.3.0 <3.1.0

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

UNEDITABLE_SCHEMAS and UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES not respected by frontend service backend

### Impact

Any install that has `UNEDITABLE_SCHEMAS` and/or `UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES` set in the front-end is affected. These properties are only enforced by the UI; the frontend service's own API ignores them, so any user who calls the API directly can modify table and column descriptions even though the properties imply they shouldn't be able to.

### Patches

There is an attached PR that applies this restriction on the back-end.

### Workarounds

N/A

### References

N/A

### For more information

If you have any questions or comments about this advisory:

* Email us at [amundsen-security@lists.lfaidata.foundation](mailto:amundsen-security@lists.lfaidata.foundation)

### More details

Summary: I believe that `UNEDITABLE_SCHEMAS` and `UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES` are only being applied on the front-end, not on the frontend service back-end, allowing any user to modify table and column descriptions even if this configuration parameter is set.

Repro steps:

1. `docker-compose -f docker-amundsen.yml up neo4j elasticsearch amundsensearch amundsenmetadata`
2. `python example/scripts/sample_data_loader.py`
3. `FRONTEND_SVC_CONFIG_MODULE_CLASS=amundsen_application.config.TestConfig PYTHONPATH=. python3 amundsen_application/wsgi.py`
4. Attempt a modification to a table description:

   ```
   curl 'http://localhost:5000/api/metadata/v0/put_table_description' \
     -X 'PUT' \
     -H 'Content-Type: application/json;charset=UTF-8' \
     --data-binary '{"description":"2t test table","key":"hive://gold.test_schema/test_table1","source":"user"}'
   {"msg":"Success"}
   ```

5. This correctly succeeds, which can be validated by GETting the info:

   ```
   curl 'http://localhost:5000/api/metadata/v0/get_table_description?key=hive://gold.test_schema/test_table1'
   {"description":"1st test table","msg":"Success"}
   ```

At this point, modify `TestConfig` inside `config.py` to add this line:

```
UNEDITABLE_SCHEMAS = set(['test_schema'])
```

You can now re-run step 4 and step 5 with different data, and confirm that the modification has persisted. If you build and run the UI, you can see that on the page http://localhost:5000/table_detail/gold/hive/test_schema/test_table1 the inline editor is correctly disabled.

Looking at `amundsenfrontendlibrary/amundsen_application/api/metadata/v0.py:268` (`put_table_description`), you can see there's no reference to `UNEDITABLE_SCHEMAS` or `UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES`. The only place I can find these referenced is in `amundsenfrontendlibrary/amundsen_application/api/utils/metadata_utils.py:marshall_table_full`, which would explain why the UI is correctly respecting this setting. If this is correct, `put_column_description` would also be similarly affected.

I believe the correct fix for all of these methods is to load the table, run it through `marshall_dashboard_partial` to fully evaluate what's editable or not (to reuse the same code path for FE and back-end), and reject the request if it's not editable. I'll implement a fix along these lines once someone confirms this.

History: This functionality was introduced in https://github.com/amundsen-io/amundsenfrontendlibrary/pull/497 on July 9, corresponding to the 2.3.0 release of amundsenfrontend. That release was introduced into the main repo dockerfile on October 28 in https://github.com/amundsen-io/amundsen/pull/785.
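The gap described above is a client-side-only authorization check (CWE-602): the UI hides the editor, but the PUT endpoint writes unconditionally. The following is an added example, not code from Amundsen or from the advisory, that shows both shapes in plain Python: `put_table_description_vulnerable` mirrors the pre-fix behaviour, and `put_table_description_fixed` evaluates the same two settings on the server before writing, through one shared `is_table_editable` decision that a UI marshaller could reuse. It assumes the table-key layout seen in the repro (`<database>://<cluster>.<schema>/<table>`), models `UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES` as (schema_regex, table_name_regex) pairs, and stands in for the metadata service with a dict; `FrontendConfig` and the function names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Table keys in the repro steps have the form "<database>://<cluster>.<schema>/<table>",
# e.g. "hive://gold.test_schema/test_table1" (assumed layout; cluster names without dots).
_TABLE_KEY_RE = re.compile(
    r"^(?P<database>[^:/]+)://(?P<cluster>[^./]+)\.(?P<schema>[^/]+)/(?P<table>[^/]+)$"
)


def parse_table_key(key: str) -> Tuple[str, str, str, str]:
    """Split a table key into (database, cluster, schema, table); reject anything else."""
    m = _TABLE_KEY_RE.match(key)
    if m is None:
        raise ValueError(f"malformed table key: {key!r}")
    return m["database"], m["cluster"], m["schema"], m["table"]


@dataclass
class FrontendConfig:
    """Hypothetical stand-in for the config holding the two settings named in the advisory."""
    UNEDITABLE_SCHEMAS: Set[str] = field(default_factory=set)
    # Modelled here as (schema_regex, table_name_regex) pairs; None means "match any".
    UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES: List[Tuple[Optional[str], Optional[str]]] = field(
        default_factory=list
    )


def is_table_editable(key: str, config: FrontendConfig) -> bool:
    """Single editability decision, meant to be shared by UI marshalling and the write path."""
    _, _, schema, table = parse_table_key(key)
    if schema in config.UNEDITABLE_SCHEMAS:
        return False
    for schema_re, table_re in config.UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES:
        schema_hit = schema_re is None or re.fullmatch(schema_re, schema) is not None
        table_hit = table_re is None or re.fullmatch(table_re, table) is not None
        if schema_hit and table_hit:
            return False
    return True


def put_table_description_vulnerable(store: Dict[str, str], key: str, description: str,
                                     config: FrontendConfig) -> Tuple[dict, int]:
    """Pre-fix shape: the config is available but never consulted, so every write lands."""
    store[key] = description
    return {"msg": "Success"}, 200


def put_table_description_fixed(store: Dict[str, str], key: str, description: str,
                                config: FrontendConfig) -> Tuple[dict, int]:
    """Fixed shape: evaluate editability on the server and refuse the write when denied."""
    try:
        editable = is_table_editable(key, config)
    except ValueError as exc:
        return {"msg": str(exc)}, 400
    if not editable:
        # 403 rather than a silent success: the UI already hides the editor, so a
        # request reaching this branch came from outside the UI and must be refused.
        return {"msg": "Table description is not editable"}, 403
    store[key] = description
    return {"msg": "Success"}, 200


if __name__ == "__main__":
    # Constructed sample mirroring the repro: test_schema locked, one table pre-seeded.
    cfg = FrontendConfig(UNEDITABLE_SCHEMAS={"test_schema"})
    key = "hive://gold.test_schema/test_table1"
    store = {key: "1st test table"}
    print(put_table_description_vulnerable(store, key, "2t test table", cfg), store[key])
    store = {key: "1st test table"}
    print(put_table_description_fixed(store, key, "2t test table", cfg), store[key])
```

The point of routing both the UI's "is this editable" flag and the PUT handler through `is_table_editable` is that the two can no longer drift apart, which is exactly the failure the report found: the rule lived in the marshalling code and nowhere on the write path.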

Metadata

Created: 2020-12-02T18:28:10Z
Modified: 2020-12-02T02:18:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/12/GHSA-47qg-q58v-7vrp/GHSA-47qg-q58v-7vrp.json
CWE IDs: ["CWE-602"]
Alternative ID: N/A
Finding: F115
Auto approve: 1