ferruzzi opened a new issue, #63295:
URL: https://github.com/apache/airflow/issues/63295

   ### Apache Airflow version
   
   3.1.7
   
   ### If "Other Airflow 3 version" selected, which one?
   
   _No response_
   
   ### What happened?
   
   In one of the PRs I was reviewing, Copilot pointed out a low-risk security 
issue.  We allow `dag_id` and `run_id` to contain `..` and use those values in 
log file paths, which could theoretically lead to an issue.  `validate_key()` 
blocks slashes in `dag_id` and `validate_run_id()` blocks them in `run_id`, but 
both still allow the `..` and maybe they should block that.
   
   ### What you think should happen instead?
   
   _No response_
   
   ### How to reproduce
   
   Original PR and discussion here:  
https://github.com/apache/airflow/pull/62616#discussion_r2899179199
   
   ### Operating System
   
   templeos
   
   ### Versions of Apache Airflow Providers
   
   _No response_
   
   ### Deployment
   
   Other
   
   ### Deployment details
   
   _No response_
   
   ### Anything else?
   
   _No response_
   
   ### Are you willing to submit PR?
   
   - [ ] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [x] I agree to follow this project's [Code of 
Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
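
The concern raised in the issue, as an added example that is not code from the issue or from the Airflow project: with separators already blocked, an identifier that is exactly `..` still acts as a parent-directory component once joined into a path. The names `LOG_BASE`, `check_component`, `naive_log_path` and `safe_log_path`, and the `base/dag_id/run_id/task.log` layout, are hypothetical.

```python
import posixpath
from pathlib import PurePosixPath

# Constructed base directory and layout (assumptions, not Airflow's real ones).
LOG_BASE = PurePosixPath("/var/log/example")


class UnsafeIdentifier(ValueError):
    """Raised when an identifier cannot serve as a single path component."""


def check_component(name: str, value: str) -> str:
    """Accept only values that are exactly one ordinary path component."""
    if not value or "/" in value or "\\" in value or "\x00" in value:
        raise UnsafeIdentifier(f"{name} is empty or has a separator/NUL: {value!r}")
    # Slash checks alone miss this case: "." and ".." contain no separator,
    # yet the filesystem treats them as "here" and "parent directory".
    if value in (".", ".."):
        raise UnsafeIdentifier(f"{name} is a relative component: {value!r}")
    return value


def naive_log_path(dag_id: str, run_id: str) -> PurePosixPath:
    """Join the ids unchecked, then normalise the way path resolution would."""
    joined = LOG_BASE / dag_id / run_id / "task.log"
    return PurePosixPath(posixpath.normpath(str(joined)))


def safe_log_path(dag_id: str, run_id: str) -> PurePosixPath:
    """Validate each id, then confirm the result is still under LOG_BASE."""
    path = naive_log_path(
        check_component("dag_id", dag_id),
        check_component("run_id", run_id),
    )
    # Second layer: containment check on the normalised path.
    if LOG_BASE not in path.parents:
        raise UnsafeIdentifier(f"log path escapes {LOG_BASE}: {path}")
    return path


if __name__ == "__main__":
    print(naive_log_path("..", ".."))       # resolves outside LOG_BASE
    print(safe_log_path("a..b", "manual"))  # embedded dots stay inside LOG_BASE
    try:
        safe_log_path("..", "manual")
    except UnsafeIdentifier as exc:
        print("rejected:", exc)
```

An id such as `a..b` is harmless here because `..` only has meaning as a whole component; rejecting every occurrence of `..` would be a stricter policy choice.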
