
[bitnami/airflow] Escape special characters in Airflow LDAP configuration values #66534

Status: Open. Wants to merge 1 commit into main.

Conversation

zanecodes (Contributor)

Description of the change

This change fixes #65217 by escaping single quotes and backslashes in AIRFLOW_LDAP_ configuration values that are interpolated into webserver_config.py as Python strings.

However, values that are not interpolated as strings such as AIRFLOW_LDAP_ROLES_MAPPING, AIRFLOW_LDAP_ROLES_SYNC_AT_LOGIN, and AIRFLOW_LDAP_ALLOW_SELF_SIGNED are still susceptible to arbitrary Python injection.

Benefits

AIRFLOW_LDAP_ configuration values that are interpolated as Python strings (e.g. AIRFLOW_LDAP_BIND_PASSWORD) may now contain single quotes and backslashes, and the Airflow container will handle them correctly instead of erroring out on startup.

Possible drawbacks

If for some reason this behavior was being abused by users to inject arbitrary Python into webserver_config.py, that will no longer work; they should instead mount their own webserver_config.py into the container.

Applicable issues
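The escaping the description refers to, written out as an added example (this is not code from the PR or from the bitnami containers, which template webserver_config.py from shell). The function names, the `AUTH_LDAP_*` variable names used as keys, and the sample environment values are constructed for illustration. It renders raw values into single-quoted Python assignments both the naive way and the escaped way, then parses the result with `ast` to confirm that every assignment is a plain string constant equal to the original value, which is the check a reviewer would want before trusting generated Python config.

```python
import ast
from typing import Optional

# Constructed sample: values as they might arrive from AIRFLOW_LDAP_* env vars.
# The password contains a single quote and backslashes; the path contains
# backslash sequences (\t, \n) that Python would silently reinterpret.
SAMPLE_ENV = {
    "AUTH_LDAP_BIND_USER": "cn=airflow,ou=svc,dc=example,dc=com",
    "AUTH_LDAP_BIND_PASSWORD": "it's\\a\\pass",
    "AUTH_LDAP_TLS_CACERTFILE": "C:\\temp\\new\\ca.pem",
}


def escape_py_single_quoted(value: str) -> str:
    """Escape a raw value for use inside a single-quoted Python string literal.

    Backslashes are doubled first; otherwise the backslash added in front of
    each quote would itself be doubled by the second replacement.
    """
    return value.replace("\\", "\\\\").replace("'", "\\'")


def render_ldap_config(settings: dict, escape: bool = True) -> str:
    """Render name/value pairs as `NAME = '...'` lines of a webserver_config.py.

    escape=False mimics the naive interpolation the PR replaces;
    escape=True applies escape_py_single_quoted() to every value.
    """
    lines = []
    for name, raw in settings.items():
        text = escape_py_single_quoted(raw) if escape else raw
        lines.append(f"{name} = '{text}'")
    return "\n".join(lines) + "\n"


def parse_assignments(config: str) -> Optional[dict]:
    """Parse generated config and return {name: str_value}.

    Returns None if the file does not parse, or if any top-level statement is
    something other than `NAME = <string constant>`. Anything else (a call,
    an import, a non-string constant) is not what a string setting should
    produce and is treated as a failure rather than executed.
    """
    try:
        tree = ast.parse(config)
    except SyntaxError:
        return None
    result = {}
    for node in tree.body:
        if not (
            isinstance(node, ast.Assign)
            and len(node.targets) == 1
            and isinstance(node.targets[0], ast.Name)
            and isinstance(node.value, ast.Constant)
            and isinstance(node.value.value, str)
        ):
            return None
        result[node.targets[0].id] = node.value.value
    return result


def config_round_trips(settings: dict, escape: bool) -> bool:
    """True if rendering then parsing gives back exactly the input values."""
    return parse_assignments(render_ldap_config(settings, escape)) == settings


if __name__ == "__main__":
    # Naive interpolation: the quote in the password breaks the file outright,
    # and even without it the backslashes in the path would be reinterpreted.
    print("naive   round-trips:", config_round_trips(SAMPLE_ENV, escape=False))
    # Escaped interpolation: every value survives intact.
    print("escaped round-trips:", config_round_trips(SAMPLE_ENV, escape=True))
    print(render_ldap_config(SAMPLE_ENV, escape=True))
```

Two failure modes show up with `escape=False`: a value with a single quote makes the generated file a SyntaxError at startup (the symptom reported in the linked issue), while a value with only backslashes may parse fine and quietly change meaning, since `\t` and `\n` become a tab and a newline. The parse check also rejects any top-level statement that is not a string assignment, which is a cheap way to notice that a value injected something other than a string into the generated file, the case the description says still applies to the non-string settings.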

@github-actions github-actions bot added the triage Triage is needed label May 9, 2024
@github-actions github-actions bot requested a review from javsalgar May 9, 2024 21:22
…ingle quotes are escaped correctly in webserver_config.py

Signed-off-by: Zane Geiger <me@zane.codes>
@carrodher carrodher added verify Execute verification workflow for these changes in-progress labels May 10, 2024
@github-actions github-actions bot removed the triage Triage is needed label May 10, 2024
@github-actions github-actions bot removed the request for review from javsalgar May 10, 2024 07:25
@github-actions github-actions bot requested a review from alemorcuq May 10, 2024 07:25
zanecodes (Contributor, Author)

Should this and #66535 each be broken up into three separate PRs for airflow, airflow-scheduler, and airflow-worker?

It seems that the CI pipeline skipped checks since this modifies multiple containers at once.

Also, the link to container best practices in CONTRIBUTING.md is currently broken.


This Pull Request has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thank you for your contribution.

@github-actions github-actions bot added the stale 15 days without activity label May 26, 2024