potiuk commented on PR #35210: URL: https://github.com/apache/airflow/pull/35210#issuecomment-1830551874
Late to the game - but I think (maybe I am wrong) we have a potential security issue here (but it's easy to fix). For quite some time we have been very careful not to allow code that can be contributed by DAG authors to be executed in the context of the scheduler. I believe this change breaks this assumption. This `priority_strategy_class = import_string(strategy_name)` will be executed in the scheduler, and the strategy can be defined in a DAG - so essentially a DAG author can supply code that will be executed in the scheduler during scheduling. The `priority_weight_total` property is used during scheduling ...

Luckily it's easy to mitigate - similarly to timetables, for example - the custom weight rules need to be registered via the plugin mechanism. Plugins are special - because they can only be registered via the "plugins" folder (where DAG authors have no access to write to) or via package entrypoints (and the package needs to be installed in the scheduler's virtualenv). So I think this needs to be done as a follow-up.
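The two patterns contrasted in the comment above, as an added, self-contained illustration that is not code from the PR or from Airflow itself: a resolver that passes a DAG-supplied dotted path straight to an `import_string`-style helper (so whatever module that path names gets executed in the calling process), next to a resolver that treats the name as a key into a registry filled only at plugin-load time. The names `resolve_weight_rule_unsafe`, `resolve_weight_rule_safe`, `WEIGHT_RULE_REGISTRY`, `register_weight_rule` and the `sneaky_dag` module are hypothetical; the in-memory finder stands in for a DAGs folder on `sys.path`, and the local `import_string` is a stand-in written to behave like the common dotted-path helper, not Airflow's own implementation.

```python
import importlib
import importlib.abc
import importlib.util
import sys
from typing import Dict

# Constructed stand-in for modules living in the DAGs folder, which the DAG
# author controls. Module-level statements run at import time, in whichever
# process performs the import; PAYLOAD_RAN marks that this happened.
DAG_AUTHOR_MODULES = {
    "sneaky_dag": (
        "PAYLOAD_RAN = True  # any statement the DAG author likes\n"
        "class SneakyWeightRule:\n"
        "    def get_weight(self, task):\n"
        "        return 0\n"
    ),
    "sneaky_dag_two": (
        "PAYLOAD_RAN = True\n"
        "class SneakyWeightRule:\n"
        "    def get_weight(self, task):\n"
        "        return 0\n"
    ),
}


class _InMemoryLoader(importlib.abc.Loader):
    def __init__(self, source: str) -> None:
        self.source = source

    def exec_module(self, module) -> None:
        # Executing module-level code is exactly what an import does.
        exec(self.source, module.__dict__)


class _InMemoryFinder(importlib.abc.MetaPathFinder):
    def find_spec(self, fullname, path=None, target=None):
        source = DAG_AUTHOR_MODULES.get(fullname)
        if source is None:
            return None
        return importlib.util.spec_from_loader(fullname, _InMemoryLoader(source))


sys.meta_path.append(_InMemoryFinder())


def import_string(dotted_path: str):
    """Local stand-in for a dotted-path import helper: import the module part
    and fetch the attribute. Importing executes the module's top-level code."""
    module_path, _, attr = dotted_path.rpartition(".")
    return getattr(importlib.import_module(module_path), attr)


def resolve_weight_rule_unsafe(strategy_name: str):
    """The pattern the comment objects to: a string taken from the DAG goes
    straight to import_string(), so the scheduler imports (and thereby runs)
    a module chosen by the DAG author."""
    return import_string(strategy_name)


# Registry populated only when plugins load (plugins folder or package entry
# points), which DAG authors cannot write to. Hypothetical names.
WEIGHT_RULE_REGISTRY: Dict[str, type] = {}


def register_weight_rule(name: str, cls: type) -> None:
    """Called from plugin code at scheduler start-up, never from a DAG file."""
    WEIGHT_RULE_REGISTRY[name] = cls


class DownstreamWeightRule:
    """Constructed built-in rule so the registry has a legitimate entry."""

    def get_weight(self, task) -> int:
        return 1


register_weight_rule("downstream", DownstreamWeightRule)


def resolve_weight_rule_safe(strategy_name: str):
    """The name is a registry key, never an import path: unknown names are
    rejected and no DAG-controlled module is ever imported here."""
    try:
        return WEIGHT_RULE_REGISTRY[strategy_name]
    except KeyError:
        raise ValueError(
            f"unknown weight rule {strategy_name!r}; register it via a plugin"
        ) from None


def dag_module_was_executed(name: str) -> bool:
    """True if the DAG author's module-level code has run in this process."""
    return bool(getattr(sys.modules.get(name), "PAYLOAD_RAN", False))


def demo() -> dict:
    """Feed the same kind of DAG-supplied string to both resolvers and report
    what each one caused to happen in this (the "scheduler") process."""
    unsafe_cls = resolve_weight_rule_unsafe("sneaky_dag.SneakyWeightRule")
    result = {
        "unsafe_returned": unsafe_cls.__name__,
        "unsafe_executed_dag_code": dag_module_was_executed("sneaky_dag"),
        "safe_builtin": resolve_weight_rule_safe("downstream").__name__,
    }
    try:
        resolve_weight_rule_safe("sneaky_dag_two.SneakyWeightRule")
        result["safe_rejected"] = False
    except ValueError:
        result["safe_rejected"] = True
    result["safe_executed_dag_code"] = dag_module_was_executed("sneaky_dag_two")
    return result


if __name__ == "__main__":
    print(demo())
```

The point the demo makes concrete is that the unsafe resolver returns a perfectly usable class, so nothing looks wrong from the scheduler's side, yet the DAG author's top-level statements have already run by the time it does; the registry version fails closed on anything that was not registered from a plugin, and the attacker's second module never enters `sys.modules`.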