Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTQ3cWctcTU4di03dnJw

UNEDITABLE_SCHEMAS and UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES not respected by frontend service backend

Impact

Any install that has UNEDITABLE_SCHEMAS and/or UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES set in the front-end is affected. The back-end API of the frontend service ignores these properties, allowing any user to modify table and column descriptions even though the properties imply they should not be editable.

Patches

There is an attached PR that applies this restriction on the back-end.

Workarounds

N/A

References

N/A

For more information

If you have any questions or comments about this advisory:

More details

Summary: I believe that UNEDITABLE_SCHEMAS and
UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES are only being applied on the
front-end, not on the frontend service back-end, allowing any user to
modify table and column descriptions even if this configuration parameter
is set.

Repro steps:

  1. docker-compose -f docker-amundsen.yml up neo4j elasticsearch
    amundsensearch amundsenmetadata
  2. python example/scripts/sample_data_loader.py
  3. FRONTEND_SVC_CONFIG_MODULE_CLASS=amundsen_application.config.TestConfig
    PYTHONPATH=. python3 amundsen_application/wsgi.py
  4. Attempt a modification to a table description:

curl 'http://localhost:5000/api/metadata/v0/put_table_description' \
-X 'PUT' \
-H 'Content-Type: application/json;charset=UTF-8' \
--data-binary '{"description":"2t test table","key":"hive://gold.test_schema/test_table1","source":"user"}'
{"msg":"Success"}

  5. This correctly succeeds, which can be validated by GETing the info:

curl 'http://localhost:5000/api/metadata/v0/get_table_description?key=hive://gold.test_schema/test_table1'
{"description":"1st test table","msg":"Success"}

At this point, modify TestConfig inside config.py to add this line:
UNEDITABLE_SCHEMAS = set(['test_schema'])

You can now re-run step 4, and step 5 with different data, and confirm
that the modification has persisted. If you build and run the UI, you can
see that on the page
http://localhost:5000/table_detail/gold/hive/test_schema/test_table1, the
inline editor is correctly disabled.

Looking at
amundsenfrontendlibrary/amundsen_application/api/metadata/v0.py:268
put_table_description, you can see there's no reference to
UNEDITABLE_SCHEMAS or UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES.

The only place I can find these referenced is in
amundsenfrontendlibrary/amundsen_application/api/utils/metadata_utils.py:marshall_table_full,
which would explain why the UI is correctly respecting this setting.

If this is correct, put_column_description would also be similarly
affected.

I believe the correct fix for all of these methods is to load the table,
run it through marshall_dashboard_partial to fully evaluate what's
editable or not (to reuse the same code path for FE and back-end), and
reject the response if it's not editable. I'll implement a fix along these
lines once someone confirms this.

History: This functionality was introduced in
https://github.com/amundsen-io/amundsenfrontendlibrary/pull/497/files
https://github.com/amundsen-io/amundsenfrontendlibrary/pull/497 on July
9, corresponding to the 2.3.0 release of amundsenfrontend. That release was
introduced into the main repo dockerfile on October 28 in
https://github.com/amundsen-io/amundsen/pull/785.
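Added example (not the project's code nor the reporter's patch) of the server-side enforcement the report calls for: the editability policy is evaluated in the PUT handler itself, so the result does not depend on what the UI shows. It assumes the table-key format seen in the repro (`hive://gold.test_schema/test_table1`, read as database://cluster.schema/table) and a simplified match-rule object with `schema_regex` and `table_name_regex` fields; `MatchRule`, `parse_table_key`, `is_table_editable`, `put_table_description`, `get_table_description` and the in-memory `DESCRIPTIONS` store are all hypothetical names constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class MatchRule:
    """Assumed shape of an UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES entry
    (hypothetical): the rule matches when every regex it defines matches."""
    schema_regex: Optional[str] = None
    table_name_regex: Optional[str] = None


def parse_table_key(key: str) -> Tuple[str, str, str, str]:
    """Split 'hive://gold.test_schema/test_table1' (the key format used in the
    repro) into (database, cluster, schema, table). Raises ValueError on any
    other shape so a malformed key is rejected instead of treated as editable."""
    m = re.fullmatch(r"([^:/]+)://([^./]+)\.([^/]+)/(.+)", key)
    if m is None:
        raise ValueError(f"unrecognised table key: {key!r}")
    return m.group(1), m.group(2), m.group(3), m.group(4)


def is_table_editable(key: str,
                      uneditable_schemas: Iterable[str],
                      match_rules: Iterable[MatchRule]) -> bool:
    """The same policy the UI applies, evaluated on the server side."""
    _, _, schema, table = parse_table_key(key)
    if schema in set(uneditable_schemas):
        return False
    for rule in match_rules:
        schema_hit = (rule.schema_regex is None
                      or re.fullmatch(rule.schema_regex, schema) is not None)
        table_hit = (rule.table_name_regex is None
                     or re.fullmatch(rule.table_name_regex, table) is not None)
        if schema_hit and table_hit:
            return False  # rule matched: this description is locked
    return True


# Constructed in-memory stand-in for the metadata service's store.
DESCRIPTIONS: Dict[str, str] = {
    "hive://gold.test_schema/test_table1": "1st test table",
}


def put_table_description(payload: dict, config: dict) -> Tuple[int, dict]:
    """Hypothetical PUT handler that enforces the config before writing.
    Returns (http_status, json_body) as a Flask view would."""
    key = payload.get("key", "")
    description = payload.get("description", "")
    try:
        editable = is_table_editable(
            key,
            config.get("UNEDITABLE_SCHEMAS", set()),
            config.get("UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES", []),
        )
    except ValueError:
        return 400, {"msg": "invalid table key"}
    if not editable:
        # Rejected on the back end regardless of what the inline editor shows.
        return 403, {"msg": "table description is not editable"}
    DESCRIPTIONS[key] = description
    return 200, {"msg": "Success"}


def get_table_description(key: str) -> Tuple[int, dict]:
    """Hypothetical GET counterpart, mirroring the repro's response shape."""
    return 200, {"description": DESCRIPTIONS.get(key, ""), "msg": "Success"}


if __name__ == "__main__":
    cfg = {
        "UNEDITABLE_SCHEMAS": {"test_schema"},
        "UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES": [
            MatchRule(schema_regex=r"gold_.*", table_name_regex=r"sensitive_.*"),
        ],
    }
    # The repro's PUT, now refused by the server; the stored value is unchanged.
    print(put_table_description({"description": "2t test table",
                                 "key": "hive://gold.test_schema/test_table1",
                                 "source": "user"}, cfg))
    print(get_table_description("hive://gold.test_schema/test_table1"))
```

The same `is_table_editable` check can be called from a column-description handler on the column's table key, which is the "similarly affected" case the report mentions; keeping one function for both handlers and the UI marshalling code is what prevents the two code paths from drifting apart again.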

Permalink: https://github.com/advisories/GHSA-47qg-q58v-7vrp
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTQ3cWctcTU4di03dnJw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 3 years ago
Updated: over 1 year ago


Identifiers: GHSA-47qg-q58v-7vrp
References: Repository: https://github.com/amundsen-io/amundsenfrontendlibrary
Blast Radius: 0.0

Affected Packages

pypi:amundsen-frontend
Dependent packages: 0
Dependent repositories: 1
Downloads: 350 last month
Affected Version Ranges: = 3.0.0, = 2.3.0
Fixed in: 3.1.0, 3.1.0
All affected versions: 2.3.0, 3.0.0
All unaffected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.9, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 2.0.0, 2.1.0, 2.1.1, 2.2.0, 3.1.0, 3.3.0, 3.3.1, 3.4.0, 3.5.0, 3.5.1, 3.6.0, 3.7.0, 3.9.0, 3.10.0, 3.11.0, 3.11.1, 3.12.0, 3.13.0, 4.0.0, 4.1.0, 4.1.2, 4.2.0, 4.3.0