[GitHub] [airflow] uranusjr commented on a diff in pull request #29016: Fix leak sensitive field via V1EnvVar on exception

["uranusjr (via GitHub)" <gi...@apache.org>]

uranusjr commented on code in PR #29016:
URL: https://github.com/apache/airflow/pull/29016#discussion_r1094133054


##########
airflow/utils/log/secrets_masker.py:
##########
@@ -200,10 +222,18 @@ def _redact(self, item: Redactable, name: str | None, depth: int) -> Redacted:
             if name and should_hide_value_for_key(name):
                 return self._redact_all(item, depth)
             if isinstance(item, dict):
-                return {
+                to_return = {
                     dict_key: self._redact(subval, name=dict_key, depth=(depth + 1))
                     for dict_key, subval in item.items()
                 }
+                return to_return
+            elif isinstance(item, ConvertableToDict):  # things like V1EnvVar

Review Comment:
   We could try-import kubernetes (if we can’t import it the object would obviously not be a V1EnvVar), but this is OK I think. We can always make the check stricter later if something breaks.
   
   Maybe add a note on `ConvertableToDict` describing the rationale? (e.g. we don’t want to depend directly on kubernetes so this checks for the “shape” of a V1EnvVar instead)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org