potiuk opened a new pull request, #62430: URL: https://github.com/apache/airflow/pull/62430
Potential fix for [https://github.com/apache/airflow/security/code-scanning/567](https://github.com/apache/airflow/security/code-scanning/567)

In general, to fix this kind of issue you avoid treating user-controlled URL paths as filesystem paths. If you merely need to compare or normalize URL paths, use string-based or `posixpath`/`urllib.parse` operations rather than `pathlib.Path.resolve()`, which is designed for local filesystem paths and will try to resolve against the host’s directory structure.

For this specific code, the best fix is:

- Remove the use of `Path(parsed_target.path).resolve()` and `Path.is_relative_to`.
- Instead, normalize the URL paths as POSIX paths (since URL paths always use `/`) using `posixpath.normpath`.
- Then check that the normalized `target_path` is within the normalized `base_path` using plain string-prefix checks on POSIX-style paths (e.g. `startswith` with a trailing slash guard).

Concretely in `airflow-core/src/airflow/api_fastapi/core_api/security.py`:

1. Add `import posixpath` to the imports (we keep existing imports unchanged).
2. In `is_safe_url`:
   - Remove the creation of `Path(parsed_target.path).resolve()`.
   - Derive and normalize `base_path` from `parsed_base.path` and `target_path` from `parsed_target.path` using `posixpath.normpath`.
   - If `target_path` does not start with `base_path` (accounting for root and trailing slashes), `continue` to the next base.
   - Keep the existing scheme and netloc checks.

This preserves existing functionality (ensuring URLs are same-origin and under the base path) while eliminating filesystem-path handling of user input, resolving the CodeQL concern.

---

_Suggested fixes powered by Copilot Autofix. Review carefully before merging._

-- 
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
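The check the PR description outlines, written out as an added example (this is not the PR's code and not Airflow's own `is_safe_url`; the function signature with a `base_urls` list, the absolute-URL-only assumption and the percent-decoding step before normalization are assumptions beyond the description):

```python
import posixpath
from urllib.parse import unquote, urlparse


def normalize_url_path(path: str) -> str:
    """Normalize a URL path purely as a string, never as a filesystem path.

    Percent-decoding first (an assumption beyond the PR description) stops
    '%2e%2e' from slipping past the prefix check; forcing a single leading
    slash avoids the POSIX '//' special case that posixpath.normpath keeps.
    Unlike pathlib.Path.resolve(), nothing here consults the host filesystem.
    """
    return posixpath.normpath("/" + unquote(path).lstrip("/"))


def path_is_under(target_path: str, base_path: str) -> bool:
    """True if target_path equals base_path or lies below it.

    Appending '/' to the base for the startswith test is the trailing-slash
    guard: without it '/airflowx/y' would match base '/airflow'.
    """
    if base_path == "/":
        return True
    return target_path == base_path or target_path.startswith(base_path + "/")


def is_safe_url(target_url: str, base_urls: list[str]) -> bool:
    """True if target_url is same-origin with one of base_urls and its
    normalized path sits under that base's normalized path.

    Assumed signature: absolute URLs only, one or more allowed base URLs.
    """
    parsed_target = urlparse(target_url)
    target_path = normalize_url_path(parsed_target.path)
    for base_url in base_urls:
        parsed_base = urlparse(base_url)
        # Scheme and host must match before the path is even considered.
        if (parsed_target.scheme, parsed_target.netloc) != (parsed_base.scheme, parsed_base.netloc):
            continue
        base_path = normalize_url_path(parsed_base.path)
        if not path_is_under(target_path, base_path):
            continue
        return True
    return False


if __name__ == "__main__":
    # Constructed example: a target that climbs above the base path is rejected.
    print(is_safe_url("https://airflow.example.test/airflow/../etc", ["https://airflow.example.test/airflow"]))
```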