[bitnami/airflow] Escape special characters in Airflow LDAP configuration values #66534
Description of the change
This change fixes #65217 by escaping single quotes and backslashes in AIRFLOW_LDAP_ configuration values that are interpolated into webserver_config.py as Python strings.
However, values that are not interpolated as strings such as AIRFLOW_LDAP_ROLES_MAPPING, AIRFLOW_LDAP_ROLES_SYNC_AT_LOGIN, and AIRFLOW_LDAP_ALLOW_SELF_SIGNED are still susceptible to arbitrary Python injection.
Benefits
AIRFLOW_LDAP_ configuration values that are interpolated as Python strings (e.g. AIRFLOW_LDAP_BIND_PASSWORD) may now contain single quotes and backslashes, and the Airflow container will handle them correctly instead of erroring out on startup.
Possible drawbacks
If for some reason this behavior was being abused by users to inject arbitrary Python into webserver_config.py, that will no longer work; they should instead mount their own webserver_config.py into the container.
Applicable issues
AIRFLOW_LDAP_ environment variable contains a single quote #65217
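
The escaping described above, as an added example that is not code from this pull request or from the Bitnami container scripts: it renders a value into a single-quoted Python assignment with and without escaping, then parses the line (without executing it) to check that the value round-trips. The function names, the `KEY = '<value>'` template shape, the use of `AUTH_LDAP_BIND_PASSWORD` as the target key, and the sample values are assumptions made for illustration.

```python
import ast

def escape_for_single_quoted(value: str) -> str:
    """Escape backslashes first, then single quotes, for a '...' literal.
    Order matters: escaping quotes first would double the backslash added for them."""
    return value.replace("\\", "\\\\").replace("'", "\\'")

def render_line(key: str, value: str, escape: bool) -> str:
    """Render one assignment line the way a template would (assumed shape)."""
    body = escape_for_single_quoted(value) if escape else value
    return f"{key} = '{body}'"

def parse_value(line: str):
    """Parse a rendered line with ast (no execution).
    Returns the string the interpreter would see, or None if the line is
    invalid Python or is anything other than a single string assignment."""
    try:
        tree = ast.parse(line)
    except SyntaxError:
        return None
    if len(tree.body) != 1 or not isinstance(tree.body[0], ast.Assign):
        return None
    node = tree.body[0].value
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None

# Constructed sample values (not taken from the pull request).
SAMPLES = ["plain", "pa'ss", "dom\\user", "trailing\\", "svc\\network"]

def check_all(key: str = "AUTH_LDAP_BIND_PASSWORD"):
    """Map each sample to (value seen without escaping, value seen with escaping)."""
    return {
        v: (parse_value(render_line(key, v, escape=False)),
            parse_value(render_line(key, v, escape=True)))
        for v in SAMPLES
    }

if __name__ == "__main__":
    for original, (naive, escaped) in check_all().items():
        print(f"{original!r}: unescaped -> {naive!r}, escaped -> {escaped!r}")
```

Without escaping, a value either makes the file unparseable (a quote, a trailing backslash, `\u`) or parses to a different string (`\n` becomes a newline); with escaping, every sample parses back to the original value.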