K1nakoo opened a new pull request, #63708:
URL: https://github.com/apache/airflow/pull/63708
### What does this PR do?
This PR introduces a strict regex validation for the `api_environment`
variable (populated via CLI arguments or `AIRFLOW_CLI_ENVIRONMENT`) within the
`Credentials` class of `airflowctl`.
### Why is this needed?
Currently, the environment name is directly passed to
`os.path.join(default_config_dir, f"{self.api_environment}.json")` without any
sanitization.
While `airflowctl` is a client tool, it is frequently executed in automated
CI/CD pipelines where the environment variable might be populated dynamically
(e.g., from a Git branch name or GitHub Actions runner). If an untrusted input
containing directory traversal sequences (like `../../../tmp/evil`) is passed,
it could unintentionally write `.json` files outside the target configuration
directory, leading to potential CI pipeline configuration overrides.
This patch enforces a Defense-in-Depth approach, ensuring that only valid,
safe alphanumeric names (including dashes, periods, and underscores) are
processed, completely mitigating the risk of path traversal.
### Testing done
- Verified that valid environment names (e.g., `production`, `dev.env-1`)
work as expected.
- Verified that providing a traversal payload (e.g., `../evil`) correctly
raises a `ValueError` and halts execution before any file system operations
occur.
---
##### Was generative AI tooling used to co-author this PR?
- [x] Yes (Gemini)
Generated-by: Gemini following the guidelines
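The check described in the pull request, as an added example that is not code from the PR or from `airflowctl`: an allow-list match on the environment name, followed by a resolved-path containment check as a second layer. The regex, the function names and the sample names are assumptions made for illustration.

```python
import os
import re
import tempfile

# Assumed allow-list matching the PR text: alphanumerics, dash, period, underscore.
_ENV_NAME = re.compile(r"[A-Za-z0-9._-]+")


def credentials_path(config_dir: str, api_environment: str) -> str:
    """Return the <config_dir>/<env>.json path, or raise ValueError."""
    # fullmatch rather than match with "$": "$" also matches before a trailing "\n".
    if not _ENV_NAME.fullmatch(api_environment):
        raise ValueError(f"invalid environment name: {api_environment!r}")
    base = os.path.realpath(config_dir)
    candidate = os.path.realpath(os.path.join(base, f"{api_environment}.json"))
    # Second layer: the resolved path (symlinks included) must stay inside base.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes config directory: {candidate}")
    return candidate


def unvalidated_path(config_dir: str, api_environment: str) -> str:
    """The bare join the PR describes as the current behaviour, normalised."""
    return os.path.normpath(os.path.join(config_dir, f"{api_environment}.json"))


def check_names(config_dir, names):
    """Map each name to True (accepted) or False (rejected)."""
    results = {}
    for name in names:
        try:
            credentials_path(config_dir, name)
            results[name] = True
        except ValueError:
            results[name] = False
    return results


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample names; ".." passes the character check but only
        # yields the file name "...json", which stays inside the directory.
        samples = ["production", "dev.env-1", "../evil", "/etc/x", "prod\n", "", ".."]
        for name, ok in check_names(d, samples).items():
            print(f"{name!r:16} {'accepted' if ok else 'rejected'}")
```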