Description
UNEDITABLE_SCHEMAS and UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES not respected by frontend service backend
Impact
Any install that has UNEDITABLE_SCHEMAS and/or UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES set in the front-end is affected. If set, the values of these properties are ignored, allowing any user to modify table and column descriptions even though the properties imply they should not be able to.
Patches
There is an attached PR that applies this restriction on the back-end.
Workarounds
N/A
References
N/A
For more information
If you have any questions or comments about this advisory:
- Email us at amundsen-security@lists.lfaidata.foundation
More details
Summary: I believe that UNEDITABLE_SCHEMAS and UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES are only being applied on the front-end, not on the frontend service back-end, allowing any user to modify table and column descriptions even if this configuration parameter is set.
Repro steps:
- docker-compose -f docker-amundsen.yml up neo4j elasticsearch amundsensearch amundsenmetadata
- python example/scripts/sample_data_loader.py
- FRONTEND_SVC_CONFIG_MODULE_CLASS=amundsen_application.config.TestConfig PYTHONPATH=. python3 amundsen_application/wsgi.py
- Attempt a modification to a table description:
  curl 'http://localhost:5000/api/metadata/v0/put_table_description' \
    -X 'PUT' \
    -H 'Content-Type: application/json;charset=UTF-8' \
    --data-binary '{"description":"2t test table","key":"hive://gold.test_schema/test_table1","source":"user"}'
  {"msg":"Success"}
- This correctly succeeds, which can be validated by GETing the info:
  curl 'http://localhost:5000/api/metadata/v0/get_table_description?key=hive://gold.test_schema/test_table1'
  {"description":"1st test table","msg":"Success"}
At this point, modify TestConfig inside config.py to add this line: UNEDITABLE_SCHEMAS = set(['test_schema'])
You can now re-run step 4, and step 5 with different data, and confirm that the modification has persisted. If you build and run the UI, you can see that on the page http://localhost:5000/table_detail/gold/hive/test_schema/test_table1, the inline editor is correctly disabled.
Looking at amundsenfrontendlibrary/amundsen_application/api/metadata/v0.py:268 put_table_description, you can see there's no reference to UNEDITABLE_SCHEMAS or UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES.
The only place I can find these referenced is in amundsenfrontendlibrary/amundsen_application/api/utils/metadata_utils.py:marshall_table_full, which would explain why the UI is correctly respecting this setting.
If this is correct, put_column_description would also be similarly affected.
I believe the correct fix for all of these methods is to load the table, run it through marshall_dashboard_partial to fully evaluate what's editable or not (to reuse the same code path for FE and back-end), and reject the response if it's not editable. I'll implement a fix along these lines once someone confirms this.
History: This functionality was introduced in https://github.com/amundsen-io/amundsenfrontendlibrary/pull/497/files on July 9, corresponding to the 2.3.0 release of amundsenfrontend. That release was introduced into the main repo dockerfile on October 28 in https://github.com/amundsen-io/amundsen/pull/785.
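The server-side guard the report calls for, as an added illustration that is not the project's own code: it parses the table key used in the repro, applies UNEDITABLE_SCHEMAS and a match-rule list, and refuses the PUT before anything reaches the metadata service. The key layout `<db>://<cluster>.<schema>/<table>`, the rule shape (a schema regex paired with a table-name regex) and the response format are assumptions for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed stand-in for the two front-end settings named in the advisory.
# Assumption: a match rule is a (schema_regex, table_name_regex) pair, either
# side optional; this mirrors the intent of the real setting, not its exact type.
@dataclass
class EditabilityConfig:
    uneditable_schemas: Set[str] = field(default_factory=set)
    uneditable_table_description_match_rules: List[
        Tuple[Optional[str], Optional[str]]
    ] = field(default_factory=list)


def parse_table_key(key: str) -> Tuple[str, str, str, str]:
    """Split a table key '<db>://<cluster>.<schema>/<table>' into its four parts."""
    m = re.fullmatch(r"([^:/]+)://([^./]+)\.([^/]+)/(.+)", key)
    if m is None:
        raise ValueError(f"malformed table key: {key!r}")
    return m.group(1), m.group(2), m.group(3), m.group(4)


def is_description_editable(key: str, cfg: EditabilityConfig) -> bool:
    """Apply both settings to a table key; True only if no rule forbids editing."""
    _db, _cluster, schema, table = parse_table_key(key)
    if schema in cfg.uneditable_schemas:
        return False
    for schema_re, table_re in cfg.uneditable_table_description_match_rules:
        # A rule with one side omitted matches any value on that side.
        schema_hit = schema_re is None or re.fullmatch(schema_re, schema) is not None
        table_hit = table_re is None or re.fullmatch(table_re, table) is not None
        if schema_hit and table_hit:
            return False
    return True


def put_table_description(key: str, description: str, cfg: EditabilityConfig):
    """Back-end guard in front of the metadata-service call (the call itself is omitted)."""
    if not is_description_editable(key, cfg):
        # Reject here, so a disabled UI editor is not the only thing standing in the way.
        return {"msg": "Table description is not editable"}, 403
    # ... forward `description` for `key` to the metadata service here ...
    return {"msg": "Success"}, 200
```

With `UNEDITABLE_SCHEMAS = set(['test_schema'])` as in the repro, the PUT against `hive://gold.test_schema/test_table1` is refused with 403 while a table in another schema still succeeds.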
Packages
Package             Affected versions   Patched versions
amundsen-frontend   = 2.3.0             3.1.0
amundsen-frontend   = 3.0.0             3.1.0