Posted to commits@airflow.apache.org by "ephraimbuddy (via GitHub)" <gi...@apache.org> on 2023/06/30 22:26:20 UTC

[GitHub] [airflow] ephraimbuddy opened a new pull request, #32293: Sanitize `DagRun.run_id` and allow flexibility

ephraimbuddy opened a new pull request, #32293:
URL: https://github.com/apache/airflow/pull/32293

   This commit sanitizes the DagRun.run_id parameter by introducing a configurable option. Users now have the ability to select a specific run_id pattern for their runs, ensuring stricter control over the values used. This update does not impact the default run_id generation performed by the scheduler for scheduled DAG runs or for Dag runs triggered without modifying the run_id parameter in the run configuration page. The configuration flexibility empowers users to align the run_id pattern with their specific requirements.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [airflow] ephraimbuddy merged pull request #32293: Sanitize `DagRun.run_id` and allow flexibility

Posted by "ephraimbuddy (via GitHub)" <gi...@apache.org>.
ephraimbuddy merged PR #32293:
URL: https://github.com/apache/airflow/pull/32293




[GitHub] [airflow] potiuk commented on pull request #32293: Sanitize `DagRun.run_id` and allow flexibility

Posted by "potiuk (via GitHub)" <gi...@apache.org>.
potiuk commented on PR #32293:
URL: https://github.com/apache/airflow/pull/32293#issuecomment-1616146425

   The error should be fixed by #32307. Please rebase @ephraimbuddy




[GitHub] [airflow] rickyzhang82 commented on pull request #32293: Sanitize `DagRun.run_id` and allow flexibility

Posted by "rickyzhang82 (via GitHub)" <gi...@apache.org>.
rickyzhang82 commented on PR #32293:
URL: https://github.com/apache/airflow/pull/32293#issuecomment-1633002304

   @ephraimbuddy

   It is unclear to me how the DAG run ID could be exploited for illegal file access, given the limited information from [CVE-2023-22887](https://nvd.nist.gov/vuln/detail/CVE-2023-22887).

   But rather than fixing the root cause, we impose a default regex pattern check `allowed_run_id_pattern = ^[A-Za-z0-9_.~:+-]+$`.

   How can we guarantee that the string from this pattern won't generate any malicious code? Shouldn't we address the root cause instead? We don't fix SQL injection by limiting the string from users with a regex. We validate the SQL string with prepared statements. A regex itself is not a validation but a restriction.


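The allow-list check that the PR introduces and that the comment above questions, as an added example written for this thread (not Airflow's own implementation): a stand-alone validator that applies a configured `allowed_run_id_pattern` with `re.fullmatch`, classifies constructed run_ids under the default pattern and under a stricter operator-chosen one, and shows the anchoring pitfall that makes `re.match` the wrong call here. The sample ids, and the assumed shape of scheduler- and manually-generated ids, are constructed for this example.

```python
import re

# Default of the new option, as quoted in the thread.
DEFAULT_ALLOWED_RUN_ID_PATTERN = r"^[A-Za-z0-9_.~:+-]+$"
# A stricter pattern an operator might configure (hypothetical). It has no
# ^...$ anchors on purpose, to show that fullmatch does not depend on them.
STRICT_PATTERN = r"[a-z0-9_-]{1,32}"


def validate_run_id(run_id: str, pattern: str = DEFAULT_ALLOWED_RUN_ID_PATTERN) -> bool:
    """True only when the whole run_id matches the configured pattern.

    re.fullmatch is used so that the entire string must match even when the
    configured pattern omits anchors. This is an input restriction (allow-list);
    it complements, and does not replace, parameterized queries and safe path
    handling at the places where run_id is actually consumed.
    """
    return re.fullmatch(pattern, run_id) is not None


def naive_match(run_id: str, pattern: str = DEFAULT_ALLOWED_RUN_ID_PATTERN) -> bool:
    """Pitfall shown for contrast: with re.match, '$' also matches just before
    a trailing newline, so 'ok\\n' slips through an anchored pattern."""
    return re.match(pattern, run_id) is not None


def check_run_ids(run_ids, pattern=DEFAULT_ALLOWED_RUN_ID_PATTERN):
    """Split a batch of run_ids into (accepted, rejected) under a pattern."""
    accepted, rejected = [], []
    for rid in run_ids:
        (accepted if validate_run_id(rid, pattern) else rejected).append(rid)
    return accepted, rejected


# Constructed samples. The first two mimic the assumed shape of scheduler- and
# manually-generated ids (which is why ':', '+' and '-' are in the default
# class); the rest are the kind of value a trigger form or API call may carry.
SAMPLE_RUN_IDS = [
    "scheduled__2023-06-30T00:00:00+00:00",
    "manual__2023-06-30T22:26:20+00:00",
    "release~1.2.3",
    "nightly-build_42",
    "../../outside-the-dag-dir",  # '/' is not in the allowed class
    "run id with spaces",         # whitespace is not in the allowed class
    "run<script>",                # markup characters are not allowed
    "ok\n",                       # trailing newline: rejected by fullmatch
    "",                           # empty string never matches '+' or '{1,32}'
]

if __name__ == "__main__":
    for pat in (DEFAULT_ALLOWED_RUN_ID_PATTERN, STRICT_PATTERN):
        print(pat, check_run_ids(SAMPLE_RUN_IDS, pat))
```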