This is an automated email from the ASF dual-hosted git repository. rahulvats pushed a commit to branch py-client-sync in repository https://gitbox.apache.org/repos/asf/airflow.git
commit 1ac3243b8f4f68ee8d0a432a103c80f82e84fc69 Author: Jarek Potiuk <[email protected]> AuthorDate: Tue Mar 24 00:23:00 2026 +0100 Fix shell injection in GitHook SSH passphrase askpass script (#64126) The passphrase was embedded in a shell script using bare single quotes, which would break or allow command injection if the passphrase contained shell metacharacters (single quotes, $, backticks, etc.). Use shlex.quote() to safely escape the value. --- providers/git/src/airflow/providers/git/hooks/git.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/providers/git/src/airflow/providers/git/hooks/git.py b/providers/git/src/airflow/providers/git/hooks/git.py
index 015fd7d7c30..89c0abee82d 100644
--- a/providers/git/src/airflow/providers/git/hooks/git.py
+++ b/providers/git/src/airflow/providers/git/hooks/git.py
@@ -21,6 +21,7 @@ import contextlib
 import json
 import logging
 import os
+import shlex
 import stat
 import tempfile
 from typing import Any
@@ -157,7 +158,7 @@ class GitHook(BaseHook):
 return
 with tempfile.NamedTemporaryFile(mode="w", suffix=".sh", delete=True) as askpass_script:
- askpass_script.write(f"#!/bin/sh\necho '{self.private_key_passphrase}'\n")
+ askpass_script.write(f"#!/bin/sh\necho {shlex.quote(self.private_key_passphrase)}\n")
 askpass_script.flush()
 os.chmod(askpass_script.name, stat.S_IRWXU)
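Review bot: `echo` is still a fragile way to emit the passphrase in the new `askpass_script.write(...)` line. `shlex.quote()` closes the injection, but POSIX leaves `echo` implementation-defined when its argument contains a backslash or is `-n`, so under a `/bin/sh` such as dash a passphrase containing `\t` or `\\` is rewritten before ssh reads it and the key fails to unlock. `printf` with a fixed format avoids that: `askpass_script.write(f"#!/bin/sh\nprintf '%s\\n' {shlex.quote(self.private_key_passphrase)}\n")`. The diffstat lists only git.py, so a regression test that runs the generated script and compares its output against a passphrase containing a single quote, `$`, a backtick and a backslash would pin both fixes. The enclosing method starts and ends outside the hunk, so the guard before the visible `return` is not reviewed here.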
