carlos54 opened a new issue, #64099:
URL: https://github.com/apache/airflow/issues/64099
### Description
Hello Apache Airflow Team,
When configuring a Git-based DAG bundle in Airflow using git bundle
connexions, the underlying synchronization mechanism constructs the repository
URL by embedding the username and token/password directly into the connection
string (e.g., https://<user>:<token>@<host>/<repo>.git).
So developer without any administrative privileges can exfiltrate these
tokens during the DAG parsing phase (DagProcessor pod).
File with git credential:
```
sh-5.1$ cat /dags/sandbox/bare/config
...
[remote "origin"]
url =
https://airflow_cen:<CLEARTEXT_TOKEN>@gitlab.ctie.etat.lu/pibi/airflow-projects/sandbox-dags.git
```
### Use case/motivation
To prevent access to plaintext passwords, even if DAG authors can access all
databases without going through DAG processing scans, the passwords are
normally encrypted.
### Related issues
https://github.com/apache/airflow/security/advisories/GHSA-qhqv-64px-4339https://github.com/apache/airflow/security/advisories/GHSA-qhqv-64px-4339
### Are you willing to submit a PR?
- [x] Yes I am willing to submit a PR!
### Code of Conduct
- [x] I agree to follow this project's [Code of
Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
