Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2022/09/05 23:46:05 UTC

[GitHub] [airflow] mik-laj commented on a diff in pull request #26162: DockerHook: obtain credentials and login to Amazon ECR

mik-laj commented on code in PR #26162:
URL: https://github.com/apache/airflow/pull/26162#discussion_r963154977


##########
airflow/providers/docker/hooks/docker.py:
##########
@@ -66,46 +81,51 @@ def __init__(
 
         if not docker_conn_id:
             raise AirflowException('No Docker connection id provided')
-
-        conn = self.get_connection(docker_conn_id)
-
-        if not conn.host:
-            raise AirflowException('No Docker URL provided')
-        if not conn.login:
-            raise AirflowException('No username provided')
-        extra_options = conn.extra_dejson
-
+        self.docker_conn_id = docker_conn_id
         self.__base_url = base_url
         self.__version = version
         self.__tls = tls
         self.__timeout = timeout
-        if conn.port:
-            self.__registry = f"{conn.host}:{conn.port}"
-        else:
-            self.__registry = conn.host
-        self.__username = conn.login
-        self.__password = conn.password
-        self.__email = extra_options.get('email')
-        self.__reauth = extra_options.get('reauth') != 'no'
 
-    def get_conn(self) -> APIClient:
+    @cached_property
+    def api_client(self) -> APIClient:
+        """Create connection to docker host and login to the docker registries. (cached)"""
+        conn = self.get_connection(self.docker_conn_id)
         client = APIClient(
             base_url=self.__base_url, version=self.__version, tls=self.__tls, timeout=self.__timeout
         )
-        self.__login(client)
+
+        credential_helper = conn.extra_dejson.get("credential_helper")
+        if not credential_helper:
+            # If not specified credential helper than retrieve information from Connection.
+            credential_helper = AirflowConnectionDockerCredentialHelper
+            credential_helper_kwargs = {}
+        else:
+            credential_helper = import_string(credential_helper)

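Review bot: In the `else` branch the only visible statement is `credential_helper = import_string(credential_helper)`, so `credential_helper_kwargs` is assigned only on the default path; if the code after this hunk passes it to the helper, the user-supplied path leaves the name unbound. The string handed to `import_string` comes straight from `conn.extra_dejson`, so anyone able to edit the connection's extras can make the hook import whatever module that path names; check the value against a fixed allow-list of helper class paths before calling `import_string`. The hunk also drops the `conn.host` / `conn.login` checks with no visible replacement, so make sure the default helper still rejects a connection without a login, and the comment typo "than retrieve" should read "then retrieve".
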
Review Comment:
   It is not secure. We should not load user-defined classes as this makes our application vulnerable to [CWE-502: Deserialization of Untrusted Data](https://cwe.mitre.org/data/definitions/502.html) weakness.
   
   We should change the logic so that it is not needed as @poituk suggests, or add a list of allowed classes as is done during DAG deserialization. See: https://github.com/apache/airflow/blob/5b216e9480e965c7c1919cb241668beca53ab521/airflow/serialization/serialized_objects.py#L999-L1000



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
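
The allow-list mik-laj recommends, as an added example that is not code from the Airflow PR: a connection-supplied `credential_helper` string is compared against a fixed set of class paths before `import_string` is ever called. The base class, the default helper, the minimal `import_string` stand-in and the allow-list contents are constructed for illustration and are not Airflow's own API.

```python
import importlib
import sys
from typing import Any, Dict, Type


class BaseDockerCredentialHelper:
    """Constructed base class for registry credential helpers (not Airflow's own)."""

    def __init__(self, **kwargs: Any) -> None:
        self.kwargs = kwargs

    def get_credentials(self) -> Dict[str, str]:
        raise NotImplementedError


class AirflowConnectionDockerCredentialHelper(BaseDockerCredentialHelper):
    """Default helper: username and password come straight from the Airflow Connection."""

    def get_credentials(self) -> Dict[str, str]:
        return {"username": self.kwargs["login"], "password": self.kwargs["password"]}


# Constructed allow-list of fully qualified class paths. Only these may be named in the
# connection's "credential_helper" extra; anything else is refused before any import happens.
DEFAULT_CREDENTIAL_HELPER = f"{__name__}.AirflowConnectionDockerCredentialHelper"
ALLOWED_CREDENTIAL_HELPERS = frozenset({DEFAULT_CREDENTIAL_HELPER})


def import_string(dotted_path: str) -> Any:
    """Minimal stand-in for airflow.utils.module_loading.import_string."""
    module_path, _, attr = dotted_path.rpartition(".")
    # sys.modules first so the example resolves its own classes when run as a file.
    module = sys.modules.get(module_path) or importlib.import_module(module_path)
    return getattr(module, attr)


def resolve_credential_helper(extra_dejson: Dict[str, Any]) -> Type[BaseDockerCredentialHelper]:
    """Return the helper class selected in the connection extras, or raise if it is not allowed."""
    path = extra_dejson.get("credential_helper") or DEFAULT_CREDENTIAL_HELPER
    if path not in ALLOWED_CREDENTIAL_HELPERS:
        # Reject before import_string(): an arbitrary dotted path would import and run whatever
        # module it names, which is the deserialization weakness raised in the review.
        raise ValueError(f"credential_helper {path!r} is not an allowed helper class")
    helper = import_string(path)
    if not (isinstance(helper, type) and issubclass(helper, BaseDockerCredentialHelper)):
        raise TypeError(f"{path!r} is not a credential helper class")
    return helper
```

With `extra_dejson` left empty the default helper is returned; an unlisted path is rejected with `ValueError` before any module is loaded.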
