Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2020/06/05 10:21:20 UTC

[GitHub] [airflow] kaxil commented on a change in pull request #9143: Add note about using dag_run.conf in BashOperator

kaxil commented on a change in pull request #9143:
URL: https://github.com/apache/airflow/pull/9143#discussion_r435829790



##########
File path: docs/howto/operator/bash.rst
##########
@@ -41,6 +41,37 @@ You can use :ref:`Jinja templates <jinja-templating>` to parameterize the
     :start-after: [START howto_operator_bash_template]
     :end-before: [END howto_operator_bash_template]
 
+
+.. warning::
+
+    Care should be taken with "user" input or when using Jinja templates in the
+    ``bash_command``, as this bash operator does not perform any escaping or
+    sanitization of the command.
+
+    This applies mostly to using "dag_run" conf, as that can be submitted via
+    users in the Web UI. Most of the default template variables are not at
+    risk.
+
+For example, do **not** do this:
+
+.. code-block:: python
+
+    bash_task = BashOperator(
+        task_id="bash_task",
+        bash_command='echo "Here is the message: \'{{ dag_run.conf["message"] if dag_run else "" }}\'"',
+    )
+
+Instead, you should pass this via the ``env`` kwarg and use double-quotes
+inside the bash_command, as below:
+
+.. code-block:: python
+
+    bash_task = BashOperator(
+        task_id="bash_task",
+        bash_command='echo "here is the message: \'$message\'"',
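
Review bot: The `.. warning::` block says care should be taken but never names the risk or explains why the `env` form is safer. Since it already states that the operator does no escaping or sanitization, add a sentence saying that a rendered `dag_run.conf` value becomes part of the bash command text, so any shell metacharacters in it are interpreted by bash, whereas a value passed through `env` reaches the command only as the contents of `$message`. Two smaller wording points: "submitted via users in the Web UI" reads better as "submitted by users in the Web UI", and the sentence introducing the second example could say that the double quotes around `$message` are what keep the expanded value from being word-split, because the single quotes inside them are literal characters.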

Review comment:
       This lin failed again, I mean you can remove the quotes after echo as it is just bash.
   
   Example:
   
   ```suggestion
           bash_command='echo here is the message: '$message"',
   ```



