Password autocompletion set to off on login page #40125

Closed
1 of 2 tasks
datta90 opened this issue Jun 7, 2024 · 6 comments · May be fixed by dpgaspar/Flask-AppBuilder#2249
Labels: affected_version:2.8, area:UI, good first issue, kind:bug


datta90 commented Jun 7, 2024

Apache Airflow version

Other Airflow 2 version (please specify below)

If "Other Airflow 2 version" selected, which one?

2.8.1

What happened?

My company's vulnerability scanning tool has reported that the login page of Airflow should have the autocomplete field set to off.

What you think should happen instead?

The autocomplete parameter should be set to off in the password field.

How to reproduce

Simply doing a curl request on the Airflow URL with /login appended will reveal an HTML page where we see that the password field does not have autocomplete set.

For example: curl -X GET http://airflow:8080/login

Operating System

RHEL 8.9

Versions of Apache Airflow Providers

No response

Deployment

Virtualenv installation

Deployment details

Using virtualenv to install Airflow.

Anything else?

No response

Are you willing to submit PR?

  • Yes I am willing to submit a PR!

Code of Conduct

datta90 added the area:core, kind:bug and needs-triage labels Jun 7, 2024
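The check described under "How to reproduce", written as an added example that is not part of the issue thread or of Airflow/Flask-AppBuilder code: it parses a login page and reports whether each password field ends up with autocomplete set to off, including the case where the value is inherited from the enclosing form. The sample pages and the field names in them are constructed for illustration.

```python
from html.parser import HTMLParser


class PasswordFieldAudit(HTMLParser):
    """Record each <input type="password"> with its effective autocomplete value."""

    def __init__(self):
        super().__init__()
        self._form_autocomplete = None  # value set on the enclosing <form>, if any
        self.fields = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; normalise the values too.
        a = {k: (v or "").strip().lower() for k, v in attrs}
        if tag == "form":
            self._form_autocomplete = a.get("autocomplete")
        elif tag == "input" and a.get("type") == "password":
            # An input without its own attribute inherits the form's setting.
            own = a.get("autocomplete")
            effective = own if own is not None else self._form_autocomplete
            self.fields.append({"name": a.get("name", ""), "autocomplete": effective})

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_autocomplete = None


def audit_login_page(html):
    """Return one finding per password field; flagged=True when autocomplete is not "off"."""
    parser = PasswordFieldAudit()
    parser.feed(html)
    parser.close()
    return [dict(f, flagged=f["autocomplete"] != "off") for f in parser.fields]


# Constructed sample pages (not copied from Airflow or Flask-AppBuilder).
REPORTED = ('<form method="post"><input name="username" type="text">'
            '<input name="password" type="password"></form>')
FIELD_OFF = ('<form method="post"><input name="username" type="text">'
             '<input name="password" type="password" autocomplete="off"></form>')
FORM_OFF = ('<form method="post" autocomplete="off">'
            '<input name="password" type="password" /></form>')

if __name__ == "__main__":
    for label, page in (("reported", REPORTED), ("field off", FIELD_OFF), ("form off", FORM_OFF)):
        print(label, audit_login_page(page))
```

To check a deployment, pass `audit_login_page` the response body of the `/login` request shown in the issue.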

boring-cyborg bot commented Jun 7, 2024

Thanks for opening your first issue here! Be sure to follow the issue template! If you are willing to raise PR to address this issue please do so, no need to wait for approval.

potiuk added the good first issue label and removed the needs-triage label Jun 8, 2024

potiuk (Member) commented Jun 8, 2024

Feel free to work on that if you want @datta90 - otherwise I marked it as a good first issue - hopefully someone will pick it up and implement it if you do not want to, but if you want to get it fixed faster, contributing a PR is the most effective way.

Also note - generally speaking, if you are reporting a security issue, you should NEVER use public issues. This one - luckily - is not "really" a security issue, certainly not a CVE-worthy one, so it's quite OK to put it in public, but generally speaking, to approach security issues in a "responsible" way, you should follow our security policy to report such issues. And this is the same for all projects out there, so you might consider in the future finding out and following the security policy when you are reporting security-related issues.

shahar1 added the area:UI label and removed the area:core label Jun 8, 2024
jmelot added a commit to jmelot/Flask-AppBuilder that referenced this issue Jun 8, 2024
eladkal added the affected_version:2.8 label Jun 9, 2024

datta90 (Author) commented Jul 2, 2024

Hi team,

@jmelot's patch fixed this issue for me. Thank you so much. I am marking this as closed now.

datta90 closed this as completed Jul 2, 2024

rajeshjagmohan commented

@datta90 How did you patch fix this issue? Did you create a build using @jmelot's change? It seems this change is still not merged.
FYI: @potiuk

datta90 (Author) commented Nov 2, 2024

I directly changed it in the source code of flask_appbuilder, as shown by @jmelot.


rajeshjagmohan commented Nov 5, 2024 via email
