This is an automated email from the ASF dual-hosted git repository.
shahar pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new 6d9d86c6ca3 Add `access_key` and `connection_string` to
DEFAULT_SENSITIVE_FIELDS (#61580)
6d9d86c6ca3 is described below
commit 6d9d86c6ca3816789d16d2cd084ac0e0ee4b4406
Author: Ankit Chaurasia <[email protected]>
AuthorDate: Sat Feb 7 15:09:34 2026 +0545
Add `access_key` and `connection_string` to DEFAULT_SENSITIVE_FIELDS
(#61580)

Azure Blob Storage, Azure File Share, and Azure Data Lake store
connection strings and shared access keys in the connection `extra`
JSON under keys that were not matched by the existing sensitive field
patterns. This allowed users with read-only Connection permissions
(e.g. Viewer role) to retrieve these secrets in plaintext via the API.

Adding `connection_string` and `access_key` to the default set ensures
these values are automatically redacted in API responses and logs.
---
.../secrets_masker/src/airflow_shared/secrets_masker/secrets_masker.py | 2 ++
1 file changed, 2 insertions(+)
diff --git
a/shared/secrets_masker/src/airflow_shared/secrets_masker/secrets_masker.py
b/shared/secrets_masker/src/airflow_shared/secrets_masker/secrets_masker.py
index c99ad568e1c..f5733a2344e 100644
--- a/shared/secrets_masker/src/airflow_shared/secrets_masker/secrets_masker.py
+++ b/shared/secrets_masker/src/airflow_shared/secrets_masker/secrets_masker.py
@@ -50,10 +50,12 @@ log = logging.getLogger(__name__)
DEFAULT_SENSITIVE_FIELDS = frozenset(
{
+ "access_key",
"access_token",
"api_key",
"apikey",
"authorization",
+ "connection_string",
"passphrase",
"passwd",
"password",
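
Review bot: The two new entries in DEFAULT_SENSITIVE_FIELDS, "access_key" and "connection_string", arrive without a regression test: the diffstat shows a single file changed with 2 insertions. Please add a test that masks a connection `extra` carrying both keys and asserts that neither value appears in the redacted output, so a later edit to this set cannot silently re-expose them to read-only users. The hunk also does not show whether field names are compared exactly or as substrings; a short comment next to the set stating the matching rule would tell the next contributor whether prefixed or differently cased variants of these keys in `extra` are covered or need their own entries.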