{"url":"http://public2.vulnerablecode.io/api/packages/382119?format=json","purl":"pkg:pypi/amundsen-frontend@3.0.0","type":"pypi","namespace":"","name":"amundsen-frontend","version":"3.0.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.1.0","latest_non_vulnerable_version":"3.1.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/361120?format=json","vulnerability_id":"VCID-58sq-nyz7-5yhx","summary":"UNEDITABLE_SCHEMAS and UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES not respected by frontend service backend\n### Impact\nAny install that has `UNEDITABLE_SCHEMAS` and/or `UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES` set in the front-end, is being impacted. The value of these properties is ignored if set, allowing any user to modify table and column descriptions, even though the properties imply they shouldn't be.\n\n### Patches\nThere is an attached PR that applies this restriction on the back-end.\n\n### Workarounds\nN/A\n\n### References\nN/A\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [amundsen-security@lists.lfaidata.foundation](mailto:amundsen-security@lists.lfaidata.foundation)\n\n### More details\nSummary: I believe that UNEDITABLE_SCHEMAS and\nUNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES are only being applied on the\nfront-end, not on the frontend service back-end, allowing any user to\nmodify table and column descriptions even if this configuration parameter\nis set.\n\nRepro steps:\n\n1. docker-compose -f docker-amundsen.yml up neo4j elasticsearch\namundsensearch amundsenmetadata\n2. python example/scripts/sample_data_loader.py\n3. FRONTEND_SVC_CONFIG_MODULE_CLASS=amundsen_application.config.TestConfig\nPYTHONPATH=. python3 amundsen_application/wsgi.py\n4. Attempt a modification to a table description:\n\ncurl '<http://localhost:5000/api/metadata/v0/put_table_description>' \\\\\\\\\n-X 'PUT' \\\\\\\\\n-H 'Content-Type: application/json;charset=UTF-8' \\\\\\\\\n--data-binary '{\"description\":\"2t test table\",\"key\":\"hive://gold.test_schema/test_table1\",\"source\":\"user\"}'\n{\"msg\":\"Success\"}\n\n\n\n5. This correctly succeeds, which can be validated by GETing the info:\n\ncurl '<http://localhost:5000/api/metadata/v0/get_table_description?key=hive://gold.test_schema/test_table1>'\n{\"description\":\"1st test table\",\"msg\":\"Success\"}\n\n\nAt this point, modify TestConfig inside config.py to add this line: UNEDITABLE_SCHEMAS\n= set(['test_schema'])\n\nYou can now re-run step 4, and step 5 with different data, and confirm\nthat the modification has persisted. If you build and run the UI, you can\nsee that on the page\n<http://localhost:5000/table_detail/gold/hive/test_schema/test_table1>\nhttp://localhost:5000/table_detail/gold/hive/test_schema/test_table1, the\ninline editor is correctly disabled.\n\nLooking at\namundsenfrontendlibrary/amundsen_application/api/metadata/v0.py:268\nput_table_description, you can see there's no reference to\nUNEDITABLE_SCHEMAS or UNEDITABLE_TABLE_DESCRIPTION_MATCH_RULES.\n\nThe only place I can find these referenced is in\namundsenfrontendlibrary/amundsen_application/api/utils/metadata_utils.py:marshall_table_full,\nwhich would explain why the UI is correctly respecting this setting.\n\nIf this is correct, put_column_description would also be similarly\naffected.\n\nI believe the correct fix for all of these methods is to load the table,\nrun it through marshall_dashboard_partial to fully evaluate what's\neditable or not (to reuse the same code path for FE and back-end), and\nreject the response if it's not editable. I'll implement a fix along these\nlines once someone confirms this.\n\nHistory: This functionality was introduced in\n<https://github.com/amundsen-io/amundsenfrontendlibrary/pull/497/files>\nhttps://github.com/amundsen-io/amundsenfrontendlibrary/pull/497 on July\n9, corresponding to the 2.3.0 release of amundsenfrontend. That release was\nintroduced into the main repo dockerfile on October 28 in\n<https://github.com/amundsen-io/amundsen/pull/785>\nhttps://github.com/amundsen-io/amundsen/pull/785","references":[{"reference_url":"https://github.com/amundsen-io/amundsenfrontendlibrary/commit/0b47694ea74cbbef34e03eb45f29643b16a1332a","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/amundsen-io/amundsenfrontendlibrary/commit/0b47694ea74cbbef34e03eb45f29643b16a1332a"},{"reference_url":"https://github.com/amundsen-io/amundsenfrontendlibrary/security/advisories/GHSA-47qg-q58v-7vrp","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/amundsen-io/amundsenfrontendlibrary/security/advisories/GHSA-47qg-q58v-7vrp"},{"reference_url":"https://github.com/advisories/GHSA-47qg-q58v-7vrp","reference_id":"GHSA-47qg-q58v-7vrp","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-47qg-q58v-7vrp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/382118?format=json","purl":"pkg:pypi/amundsen-frontend@3.1.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/amundsen-frontend@3.1.0"}],"aliases":["GHSA-47qg-q58v-7vrp"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-58sq-nyz7-5yhx"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/amundsen-frontend@3.0.0"}