Skip to content

UNEDITABLE_SCHEMAS and UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES not respected by frontend service backend

Low severity GitHub Reviewed Published Dec 2, 2020 in amundsen-io/amundsenfrontendlibrary • Updated Jan 9, 2023

Package

pip amundsen-frontend (pip)

Affected versions

= 2.3.0
= 3.0.0

Patched versions

3.1.0
3.1.0

Description

Impact

Any install that has UNEDITABLE_SCHEMAS and/or UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES set in the front-end, is being impacted. The value of these properties is ignored if set, allowing any user to modify table and column descriptions, even though the properties imply they shouldn't be.

Patches

There is an attached PR that applies this restriction on the back-end.

Workarounds

N/A

References

N/A

For more information

If you have any questions or comments about this advisory:

More details

Summary: I believe that UNEDITABLE_SCHEMAS and
UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES are only being applied on the
front-end, not on the frontend service back-end, allowing any user to
modify table and column descriptions even if this configuration parameter
is set.

Repro steps:

  1. docker-compose -f docker-amundsen.yml up neo4j elasticsearch
    amundsensearch amundsenmetadata
  2. python example/scripts/sample_data_loader.py
  3. FRONTEND_SVC_CONFIG_MODULE_CLASS=amundsen_application.config.TestConfig
    PYTHONPATH=. python3 amundsen_application/wsgi.py
  4. Attempt a modification to a table description:

curl 'http://localhost:5000/api/metadata/v0/put_table_description' \\
-X 'PUT' \\
-H 'Content-Type: application/json;charset=UTF-8' \\
--data-binary '{"description":"2t test table","key":"hive://gold.test_schema/test_table1","source":"user"}'
{"msg":"Success"}

  1. This correctly succeeds, which can be validated by GETing the info:

curl 'http://localhost:5000/api/metadata/v0/get_table_description?key=hive://gold.test_schema/test_table1'
{"description":"1st test table","msg":"Success"}

At this point, modify TestConfig inside config.py to add this line: UNEDITABLE_SCHEMAS
= set(['test_schema'])

You can now re-run step 4, and step 5 with different data, and confirm
that the modification has persisted. If you build and run the UI, you can
see that on the page
http://localhost:5000/table_detail/gold/hive/test_schema/test_table1
http://localhost:5000/table_detail/gold/hive/test_schema/test_table1, the
inline editor is correctly disabled.

Looking at
amundsenfrontendlibrary/amundsen_application/api/metadata/v0.py:268
put_table_description, you can see there's no reference to
UNEDITABLE_SCHEMAS or UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES.

The only place I can find these referenced is in
amundsenfrontendlibrary/amundsen_application/api/utils/metadata_utils.py:marshall_table_full,
which would explain why the UI is correctly respecting this setting.

If this is correct, put_column_description would also be similarly
affected.

I believe the correct fix for all of these methods is to load the table,
run it through marshall_dashboard_partial to fully evaluate what's
editable or not (to reuse the same code path for FE and back-end), and
reject the response if it's not editable. I'll implement a fix along these
lines once someone confirms this.

History: This functionality was introduced in
https://github.com/amundsen-io/amundsenfrontendlibrary/pull/497/files
amundsen-io/amundsenfrontendlibrary#497 on July
9, corresponding to the 2.3.0 release of amundsenfrontend. That release was
introduced into the main repo dockerfile on October 28 in
amundsen-io/amundsen#785
amundsen-io/amundsen#785

References

Reviewed Dec 2, 2020
Published to the GitHub Advisory Database Dec 2, 2020
Last updated Jan 9, 2023

Severity

Low

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-47qg-q58v-7vrp

Source code

No known source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.