potiuk commented on PR #36469:
URL: https://github.com/apache/airflow/pull/36469#issuecomment-1871825549

   > If that is indeed the case can you describe where in the pipeline 
validate_key is called on the request parameters so that we can better identify 
such cases in future and not report them needlessly.
   
   Isn't that something that your tool should find automatically? I think it 
shows the weakness of the tool. The **worst** thing that happens with such 
security reporting tools is to show false positives. This is actually why we 
are very careful with that kind of tool and we blank-refuse reports showing 
**potential** problems with security - because it undermines the whole value of 
such tools - it creates more work for people who are volunteers, and when you 
have to analyse that kind of issue and find false positive after false 
positive, you very quickly go into tool fatigue and drop using it.
   
   I think the only value of such a tool is that it can automatically not only 
detect potential value, but also automatically generate (and verify) the 
exploitation scenario that can be proven to work (basically this is what we 
expect when a security issue is reported to us).
   
   So maybe @ZuhairORZaki -> treat this one as an exercise. If you can make the 
tool work by generating such an exploitation scenario, this is probably something 
you can report. If you cannot generate such an exploitation scenario, it's 
probably not reportable as a security bug.
   
   Ideally, if such a tool could generate not only a proposal for how to fix 
things but also a unit test that fixes it as well - that would become really useful. 
Other than that it mostly adds work with very limited value, and distracts from 
real issues, which makes the tool far too noisy to be useful.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@airflow.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org