Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2020/06/05 10:32:00 UTC

[GitHub] [airflow] ashb commented on a change in pull request #9143: Add note about using dag_run.conf in BashOperator

ashb commented on a change in pull request #9143:
URL: https://github.com/apache/airflow/pull/9143#discussion_r435834967



##########
File path: docs/howto/operator/bash.rst
##########
@@ -41,6 +41,37 @@ You can use :ref:`Jinja templates <jinja-templating>` to parameterize the
     :start-after: [START howto_operator_bash_template]
     :end-before: [END howto_operator_bash_template]
 
+
+.. warning::
+
+    Care should be taken with "user" input or when using Jinja templates in the
+    ``bash_command``, as this bash operator does not perform any escaping or
+    sanitization of the command.
+
+    This applies mostly to using "dag_run" conf, as that can be submitted via
+    users in the Web UI. Most of the default template variables are not at
+    risk.
+
+For example, do **not** do this:
+
+.. code-block:: python
+
+    bash_task = BashOperator(
+        task_id="bash_task",
+        bash_command='echo "Here is the message: \'{{ dag_run.conf["message"] if dag_run else "" }}\'"',
+    )
+
+Instead, you should pass this via the ``env`` kwarg and use double-quotes
+inside the bash_command, as below:
+
+.. code-block:: python
+
+    bash_task = BashOperator(
+        task_id="bash_task",
+        bash_command='echo "here is the message: \'$message\'"',
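Review bot: the prose before the second snippet says to "use double-quotes inside the bash_command", but the snippet wraps `$message` in literal single quotes inside the double quotes, which a reader can easily take to mean the single quotes are the protection. State the actual rule: the user value must reach bash only as an environment variable and be expanded inside double quotes (`"$message"`), so its contents are never parsed as shell syntax; the inner `'...'` are only output decoration. The `env` kwarg the prose refers to is also not shown in this hunk excerpt, so the reader cannot see how `message` is populated from `dag_run.conf`; and "Most of the default template variables are not at risk" would be more useful if it named which template inputs can be user-supplied (here only `dag_run.conf` is named).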

Review comment:
I guess I can. The point was to try and get output when run like

> here is the message 'foo bar'
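A runnable demonstration of the warning in the hunk above, added here as an example and not part of the pull request or of Airflow's code base: it stands in for Jinja rendering with plain string concatenation and runs the two `bash_command` variants through a shell with `subprocess`, once with the conf value spliced into the command text and once with the value handed over as an environment variable. `MALICIOUS_MESSAGE`, `render_unsafe`, `run_unsafe`, `run_safe` and `SAFE_COMMAND` are names made up for this example, and the sample input is constructed.

```python
import os
import shutil
import subprocess
from typing import List

# Use bash where available (what BashOperator runs); /bin/sh parses these commands the same way.
SHELL = shutil.which("bash") or "/bin/sh"

# Constructed sample input: what a user could submit as dag_run.conf["message"]
# through the Web UI. The payload is benign (it only echoes a marker) but has
# the shape of a real injection: close the quote, run a command, reopen the quote.
MALICIOUS_MESSAGE = '"; echo INJECTED; echo "'


def render_unsafe(message: str) -> str:
    """Mimic what Jinja does to the 'do not do this' bash_command from the docs:
    the conf value is pasted into the command text before bash ever parses it."""
    return 'echo "Here is the message: \'' + message + '\'"'


def run_unsafe(message: str) -> List[str]:
    """Render the template with the user value, then execute it. Returns stdout lines."""
    rendered = render_unsafe(message)
    result = subprocess.run([SHELL, "-c", rendered], capture_output=True, text=True, check=False)
    return result.stdout.splitlines()


# The recommended pattern: the command text is fixed, and the value arrives in
# the variable `message` (in Airflow, via the env kwarg). It is expanded inside
# double quotes, so its contents are never re-parsed as shell syntax: no command
# separators, substitutions, word splitting or globbing.
SAFE_COMMAND = 'echo "Here is the message: \'$message\'"'


def run_safe(message: str) -> List[str]:
    """Run the fixed command with the user value supplied as an environment variable.
    The process environment is inherited here only for the demonstration."""
    env = {**os.environ, "message": message}
    result = subprocess.run([SHELL, "-c", SAFE_COMMAND], env=env, capture_output=True, text=True, check=False)
    return result.stdout.splitlines()


if __name__ == "__main__":
    print("rendered (unsafe):", render_unsafe(MALICIOUS_MESSAGE))
    print("unsafe output:    ", run_unsafe(MALICIOUS_MESSAGE))
    print("safe output:      ", run_safe(MALICIOUS_MESSAGE))
    print("safe, benign:     ", run_safe("foo bar"))
```

With the unsafe variant the shell sees `echo "Here is the message: '"; echo INJECTED; echo "'"` and runs three commands, so `INJECTED` appears on its own line; with the safe variant the whole payload is printed verbatim inside the quotes, and a benign value gives the `here is the message 'foo bar'` style of output discussed in the review comment.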




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org