This is an automated email from the ASF dual-hosted git repository.

potiuk pushed a commit to branch v2-11-test
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/v2-11-test by this push:
     new 0266568628e Add pool name validation to avoid XSS from the DAG file 
(#61732)
0266568628e is described below

commit 0266568628ed9b8e85293afbe1944eab81feb50d
Author: M. Olcay Tercanlı <[email protected]>
AuthorDate: Wed Feb 11 11:39:43 2026 +0100

    Add pool name validation to avoid XSS from the DAG file (#61732)
---
 airflow/models/baseoperator.py    |  3 +++
 tests/models/test_baseoperator.py | 13 +++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/airflow/models/baseoperator.py b/airflow/models/baseoperator.py
index 1b1b22c7be4..bdf405af940 100644
--- a/airflow/models/baseoperator.py
+++ b/airflow/models/baseoperator.py
@@ -1010,6 +1010,9 @@ class BaseOperator(AbstractOperator, 
metaclass=BaseOperatorMeta):
         self.run_as_user = run_as_user
         self.retries = parse_retries(retries)
         self.queue = queue
+
+        if pool is not None and pool != Pool.DEFAULT_POOL_NAME:
+            validate_key(pool)
         self.pool = Pool.DEFAULT_POOL_NAME if pool is None else pool
         self.pool_slots = pool_slots
         if self.pool_slots < 1:
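Review bot: The new check on `pool` runs only inside `__init__`, and `self.pool` remains a plain attribute on the following line, so a DAG file can still bypass it by assigning the name after construction (`op.pool = name`), and the stored value is never re-checked on the write path; if the intent is to guarantee that persisted pool names obey the key charset, the validation should also sit where the value is stored (a `pool` property setter, or the point where the pool row / task instance is written), with this constructor call kept as the early, friendlier error. Mapped operators built through `partial(...)` presumably do not pass their kwargs through this constructor either, so the same gap is worth confirming there. A short why-comment above the guard would help the next reader understand why a pool name is held to the task_id charset: `# Pool names originate in DAG code and surface in the webserver; restrict them to the same key charset as task_id (#61732).` `__init__` continues outside the hunk on both sides.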
diff --git a/tests/models/test_baseoperator.py 
b/tests/models/test_baseoperator.py
index 8ce9ca195e9..7be73790491 100644
--- a/tests/models/test_baseoperator.py
+++ b/tests/models/test_baseoperator.py
@@ -872,6 +872,19 @@ class TestBaseOperator:
 
         mock_validate_instance_args.assert_called_once_with(operator, 
BASEOPERATOR_ARGS_EXPECTED_TYPES)
 
+    def test_valid_pool_arg(self):
+        my_pool = "my-pool"
+        op = BaseOperator(task_id="test_pool_arg", pool=my_pool)
+        assert op.pool == my_pool
+
+    def test_invalid_pool_arg(self):
+        pool_name = """'><script 
src=\"https://example.com/exploit.js\";></script>"""
+        error_msg = (
+            "The key (.*) has to be made of alphanumeric characters, dashes, 
dots and underscores exclusively"
+        )
+        with pytest.raises(AirflowException, match=error_msg):
+            BaseOperator(task_id="test_pool_validation_xss", pool=pool_name)
+
 
 def test_init_subclass_args():
     class InitSubclassOp(BaseOperator):
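Review bot: `test_invalid_pool_arg` pins the fix against a single payload and nothing asserts that `pool=None` and `pool=Pool.DEFAULT_POOL_NAME` still pass through untouched, so a later change that tightens or loosens either side of the new guard would go unnoticed; parametrizing the invalid case over a few constructed names (one with a space, one with a slash, one with angle brackets) and adding the two pass-through cases would cover each branch the baseoperator.py hunk introduces. As a point of style, the triple-quoted `pool_name` literal escapes `\"` although `"""` does not require it, and a plain single-quoted string would read more clearly. The valid-name test could also assert the default is applied when no pool is given, e.g. `assert BaseOperator(task_id="t").pool == Pool.DEFAULT_POOL_NAME`, provided `Pool` is importable in this module.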
