GHSA-47QG-Q58V-7VRP

Vulnerability from github – Published: 2020-12-02 18:28 – Updated: 2020-12-02 02:18
VLAI?
Summary
UNEDITABLE_SCHEMAS and UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES not respected by frontend service backend
Details

Impact

Any install that has UNEDITABLE_SCHEMAS and/or UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES set in the front-end, is being impacted. The value of these properties is ignored if set, allowing any user to modify table and column descriptions, even though the properties imply they shouldn't be.

Patches

There is an attached PR that applies this restriction on the back-end.

Workarounds

N/A

References

N/A

For more information

If you have any questions or comments about this advisory: * Email us at amundsen-security@lists.lfaidata.foundation

More details

Summary: I believe that UNEDITABLE_SCHEMAS and UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES are only being applied on the front-end, not on the frontend service back-end, allowing any user to modify table and column descriptions even if this configuration parameter is set.

Repro steps:

  1. docker-compose -f docker-amundsen.yml up neo4j elasticsearch amundsensearch amundsenmetadata
  2. python example/scripts/sample_data_loader.py
  3. FRONTEND_SVC_CONFIG_MODULE_CLASS=amundsen_application.config.TestConfig PYTHONPATH=. python3 amundsen_application/wsgi.py
  4. Attempt a modification to a table description:

curl 'http://localhost:5000/api/metadata/v0/put_table_description' \\ -X 'PUT' \\ -H 'Content-Type: application/json;charset=UTF-8' \\ --data-binary '{"description":"2t test table","key":"hive://gold.test_schema/test_table1","source":"user"}' {"msg":"Success"}

  1. This correctly succeeds, which can be validated by GETing the info:

curl 'http://localhost:5000/api/metadata/v0/get_table_description?key=hive://gold.test_schema/test_table1' {"description":"1st test table","msg":"Success"}

At this point, modify TestConfig inside config.py to add this line: UNEDITABLE_SCHEMAS = set(['test_schema'])

You can now re-run step 4, and step 5 with different data, and confirm that the modification has persisted. If you build and run the UI, you can see that on the page http://localhost:5000/table_detail/gold/hive/test_schema/test_table1 http://localhost:5000/table_detail/gold/hive/test_schema/test_table1, the inline editor is correctly disabled.

Looking at amundsenfrontendlibrary/amundsen_application/api/metadata/v0.py:268 put_table_description, you can see there's no reference to UNEDITABLE_SCHEMAS or UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES.

The only place I can find these referenced is in amundsenfrontendlibrary/amundsen_application/api/utils/metadata_utils.py:marshall_table_full, which would explain why the UI is correctly respecting this setting.

If this is correct, put_column_description would also be similarly affected.

I believe the correct fix for all of these methods is to load the table, run it through marshall_dashboard_partial to fully evaluate what's editable or not (to reuse the same code path for FE and back-end), and reject the response if it's not editable. I'll implement a fix along these lines once someone confirms this.

History: This functionality was introduced in https://github.com/amundsen-io/amundsenfrontendlibrary/pull/497/files https://github.com/amundsen-io/amundsenfrontendlibrary/pull/497 on July 9, corresponding to the 2.3.0 release of amundsenfrontend. That release was introduced into the main repo dockerfile on October 28 in https://github.com/amundsen-io/amundsen/pull/785 https://github.com/amundsen-io/amundsen/pull/785

Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "amundsen-frontend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "3.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.3.0"
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "amundsen-frontend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "3.0.0"
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-602"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-12-02T02:18:42Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Impact\nAny install that has `UNEDITABLE_SCHEMAS` and/or `UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES` set in the front-end, is being impacted. The value of these properties is ignored if set, allowing any user to modify table and column descriptions, even though the properties imply they shouldn\u0027t be.\n\n### Patches\nThere is an attached PR that applies this restriction on the back-end.\n\n### Workarounds\nN/A\n\n### References\nN/A\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [amundsen-security@lists.lfaidata.foundation](mailto:amundsen-security@lists.lfaidata.foundation)\n\n### More details\nSummary: I believe that UNEDITABLE_SCHEMAS and\nUNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES are only being applied on the\nfront-end, not on the frontend service back-end, allowing any user to\nmodify table and column descriptions even if this configuration parameter\nis set.\n\nRepro steps:\n\n1. docker-compose -f docker-amundsen.yml up neo4j elasticsearch\namundsensearch amundsenmetadata\n2. python example/scripts/sample_data_loader.py\n3. FRONTEND_SVC_CONFIG_MODULE_CLASS=amundsen_application.config.TestConfig\nPYTHONPATH=. python3 amundsen_application/wsgi.py\n4. Attempt a modification to a table description:\n\ncurl \u0027\u003chttp://localhost:5000/api/metadata/v0/put_table_description\u003e\u0027 \\\\\\\\\n-X \u0027PUT\u0027 \\\\\\\\\n-H \u0027Content-Type: application/json;charset=UTF-8\u0027 \\\\\\\\\n--data-binary \u0027{\"description\":\"2t test table\",\"key\":\"hive://gold.test_schema/test_table1\",\"source\":\"user\"}\u0027\n{\"msg\":\"Success\"}\n\n\n\n5. This correctly succeeds, which can be validated by GETing the info:\n\ncurl \u0027\u003chttp://localhost:5000/api/metadata/v0/get_table_description?key=hive://gold.test_schema/test_table1\u003e\u0027\n{\"description\":\"1st test table\",\"msg\":\"Success\"}\n\n\nAt this point, modify TestConfig inside config.py to add this line: UNEDITABLE_SCHEMAS\n= set([\u0027test_schema\u0027])\n\nYou can now re-run step 4, and step 5 with different data, and confirm\nthat the modification has persisted. If you build and run the UI, you can\nsee that on the page\n\u003chttp://localhost:5000/table_detail/gold/hive/test_schema/test_table1\u003e\nhttp://localhost:5000/table_detail/gold/hive/test_schema/test_table1, the\ninline editor is correctly disabled.\n\nLooking at\namundsenfrontendlibrary/amundsen_application/api/metadata/v0.py:268\nput_table_description, you can see there\u0027s no reference to\nUNEDITABLE_SCHEMAS or UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES.\n\nThe only place I can find these referenced is in\namundsenfrontendlibrary/amundsen_application/api/utils/metadata_utils.py:marshall_table_full,\nwhich would explain why the UI is correctly respecting this setting.\n\nIf this is correct, put_column_description would also be similarly\naffected.\n\nI believe the correct fix for all of these methods is to load the table,\nrun it through marshall_dashboard_partial to fully evaluate what\u0027s\neditable or not (to reuse the same code path for FE and back-end), and\nreject the response if it\u0027s not editable. I\u0027ll implement a fix along these\nlines once someone confirms this.\n\nHistory: This functionality was introduced in\n\u003chttps://github.com/amundsen-io/amundsenfrontendlibrary/pull/497/files\u003e\nhttps://github.com/amundsen-io/amundsenfrontendlibrary/pull/497 on July\n9, corresponding to the 2.3.0 release of amundsenfrontend. That release was\nintroduced into the main repo dockerfile on October 28 in\n\u003chttps://github.com/amundsen-io/amundsen/pull/785\u003e\nhttps://github.com/amundsen-io/amundsen/pull/785",
  "id": "GHSA-47qg-q58v-7vrp",
  "modified": "2020-12-02T02:18:42Z",
  "published": "2020-12-02T18:28:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/amundsen-io/amundsenfrontendlibrary/security/advisories/GHSA-47qg-q58v-7vrp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/amundsen-io/amundsenfrontendlibrary/commit/0b47694ea74cbbef34e03eb45f29643b16a1332a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "UNEDITABLE_SCHEMAS and UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES not respected by frontend service backend"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.