tomwit-nx commented on PR #45071:
URL: https://github.com/apache/airflow/pull/45071#issuecomment-2563563977

   > > I guess this also applies to the already existing Principal and Proxy User fields? I see that they only validate if a ; character was passed
   > 
   > I think there are more validations needed. Passing an arbitrary parameter as a path to jdbc is dangerous (what happens if, for example, the jdbc driver displays the content of the file when it is wrong and you pass "/etc/passwd"?). This is just an example, it could be even more disastrous - printing more secret keys and secret variables stored somewhere on the remote system. I am not sure if you can make it "secure" when this parameter is passed via UI and free-form.
   > 
   > There are only a few values allowed for transportMode I guess, so it is safer to enumerate them rather than pass directly. When it comes to password, there is a question how `;` is going to be passed (i.e. what form of escaping should be there)?
   
   Thanks for the insight. I will see what I can do.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
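
Added example (not code from the PR or from Airflow): one way to apply the review points in the comment above, enumerating transportMode and allowlisting the other free-form fields before they are joined into a Hive JDBC URL. Assumptions: the two transportMode values, sslTrustStore standing in for the path-valued parameter, the ALLOWED_PATH_ROOT directory and all function names are illustrative.

```python
import re
from pathlib import PurePosixPath

# Assumption: the transport modes HiveServer2 accepts in a JDBC URL.
ALLOWED_TRANSPORT_MODES = frozenset({"binary", "http"})
# Allowlists instead of a ';' denylist: no ';', '=', '?', '#', quotes or whitespace.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")          # host, schema, proxy user
SAFE_EXTENDED = re.compile(r"[A-Za-z0-9._@/-]+")    # Kerberos principal, file path
# Hypothetical directory chosen by the operator, never by the UI user.
ALLOWED_PATH_ROOT = PurePosixPath("/opt/airflow/truststores")


def _match(pattern, name, value):
    if not isinstance(value, str) or not pattern.fullmatch(value):
        raise ValueError(f"{name}: value contains characters outside the allowlist")
    return value


def check_transport_mode(value):
    if value not in ALLOWED_TRANSPORT_MODES:
        raise ValueError(f"transportMode must be one of {sorted(ALLOWED_TRANSPORT_MODES)}")
    return value


def check_path(name, value):
    # Lexical check only; resolve symlinks on the worker before opening the file.
    path = PurePosixPath(_match(SAFE_EXTENDED, name, value))
    if ".." in path.parts or ALLOWED_PATH_ROOT not in path.parents:
        raise ValueError(f"{name}: path must stay under {ALLOWED_PATH_ROOT}")
    return str(path)


def build_jdbc_url(host, port, schema, *, transport_mode,
                   principal=None, proxy_user=None, trust_store=None):
    parts = [
        f"jdbc:hive2://{_match(SAFE_NAME, 'host', host)}:{int(port)}"
        f"/{_match(SAFE_NAME, 'schema', schema)}",
        f"transportMode={check_transport_mode(transport_mode)}",
    ]
    if principal is not None:
        parts.append(f"principal={_match(SAFE_EXTENDED, 'principal', principal)}")
    if proxy_user is not None:
        parts.append(f"hive.server2.proxy.user={_match(SAFE_NAME, 'proxy_user', proxy_user)}")
    if trust_store is not None:  # sslTrustStore stands in for the path-valued parameter
        parts.append(f"sslTrustStore={check_path('trust_store', trust_store)}")
    return ";".join(parts)
```

The password is left out on purpose: how `;` should be escaped there is the open question raised in the quoted review.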