uranusjr commented on code in PR #64148:
URL: https://github.com/apache/airflow/pull/64148#discussion_r2986392067
##########
airflow-core/src/airflow/api_fastapi/core_api/routes/public/xcom.py:
##########
@@ -269,6 +292,24 @@ def create_xcom_entry(
detail=f"The XCom with key: `{request_body.key}` with mentioned
task instance already exists.",
)
+ def _check_forbidden_keys(obj: Any, path: str = "value") -> None:
+ """Recursively check for forbidden deserialization keys in
user-provided XCom data."""
+ if isinstance(obj, dict):
+ found = FORBIDDEN_XCOM_KEYS & obj.keys()
+ if found:
+ raise HTTPException(
+ status.HTTP_400_BAD_REQUEST,
+ f"XCom {path} contains reserved serialization keys: {',
'.join(sorted(found))}. "
+ f"These keys are reserved for internal use.",
+ )
+ for k, v in obj.items():
+ _check_forbidden_keys(v, f"{path}.{k}")
+ elif isinstance(obj, (list, tuple)):
+ for i, item in enumerate(obj):
+ _check_forbidden_keys(item, f"{path}[{i}]")
+
+ _check_forbidden_keys(request_body.value)
Review Comment:
Does this addition belong in this PR?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
