potiuk commented on PR #29821:
URL: https://github.com/apache/airflow/pull/29821#issuecomment-1803386889

   > Hm, you were right, looks like only `email` is a field that is 100% safe 
to template (as I mentioned before, the field is heavily used by our team as 
`default_args["email"]` for each and every DAG). There is also `run_as_user` 
that seems to be safe as well, but I've never used it, so can't really comment 
on its usage. If you're fine with that, then I can open a PR to exclude `email` 
(and optionally `run_as_user` if you think it makes sense) from that check.
   
   I would say - just `email`. Because security. I had not realized it before, but this PR also had some interesting security implications.
   
   I believe it is better not to allow modifying `run_as_user` because it is a potential security risk. The `run_as_user` is used to do impersonation, so basically run the final task as a specific Linux user (via sudo basically). You can easily imagine someone tricking the code of task A to pass `root` there to run task B with `root` privileges where someone wanted to use `nobody`. And usually impersonation is done because of security concerns actually, so dynamically generating it is quite a bit risky.
   
   Of course that would require several layers of other security issues, but generally speaking (similarly to SQL INJECTION kind of vulnerabilities) - if you have content generated from (potentially) user input, you should always sanitize it and not use it in any context that is anywhere near security-bound decisions.

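As an added example (not code from the Airflow project or from this thread), a guard in the spirit of the comment above: it refuses a templated `run_as_user`, validates a literal one against an allowlist, and leaves `email` templatable. The Jinja marker check, the allowlist contents and the sample values are assumptions made for the illustration.

```python
"""Added example (not Airflow's own code): a two-layer guard for the
`run_as_user` argument. Layer 1 refuses a templated value (content that
Jinja would render at run time), layer 2 checks a literal value against
an explicit allowlist of impersonation targets. `email` stays templatable."""
import re

# Fields whose final value feeds a security-bound decision (impersonation
# via sudo). Templating them lets run-time, possibly user-derived input
# decide which OS user executes the task.
SECURITY_BOUND_FIELDS = frozenset({"run_as_user"})

# Jinja delimiters: a value containing any of these counts as "templated".
_TEMPLATE_MARKER = re.compile(r"\{\{|\{%|\{#")

# Constructed allowlist for the example: unprivileged service accounts only.
ALLOWED_RUN_AS_USERS = frozenset({"airflow", "nobody"})


def is_templated(value) -> bool:
    """True if a string value carries Jinja template syntax."""
    return isinstance(value, str) and _TEMPLATE_MARKER.search(value) is not None


def check_task_args(task_args: dict) -> list:
    """Return a list of violations for one task's keyword arguments.

    - a templated value in a security-bound field is rejected outright;
    - a literal `run_as_user` must be on the allowlist (never `root`).
    """
    problems = []
    for field, value in task_args.items():
        if field in SECURITY_BOUND_FIELDS and is_templated(value):
            problems.append(f"{field}: templated value {value!r} is not allowed")
        elif field == "run_as_user" and value not in ALLOWED_RUN_AS_USERS:
            problems.append(f"{field}: {value!r} is not an allowed impersonation target")
    return problems


if __name__ == "__main__":
    # Constructed sample: `email` templated from a Variable is fine;
    # `run_as_user` pulled from an upstream task's XCom is not.
    risky = {"email": "{{ var.value.oncall_email }}",
             "run_as_user": "{{ ti.xcom_pull(task_ids='task_a') }}"}
    for problem in check_task_args(risky):
        print("REJECTED:", problem)
    print(check_task_args({"email": "{{ var.value.oncall_email }}",
                           "run_as_user": "nobody"}))
```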

-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.