potiuk opened a new pull request, #66499: URL: https://github.com/apache/airflow/pull/66499
Tighten the deserialization allowlist (`[core] allowed_deserialization_classes_regexp`) to use `re.fullmatch()` instead of `re.match()`. Previously a pattern such as `airflow\.models\.Variable` admitted not only the intended class but also `airflow.models.Variable_Malicious` — `re.match` only anchors at the start of the string. Using `fullmatch` requires the pattern to match the entire classname, eliminating the prefix-bypass footgun.

Updated the config description so admins know patterns are full-match and that `.*` is needed for prefix-style allowances.

Updated the existing test that relied on prefix-match semantics, and added a dedicated test for the bypass scenario.

##### Compatibility note for reviewers

This is a behaviour change for any deployment that configured `allowed_deserialization_classes_regexp` with patterns relying on prefix-match semantics (e.g. `airflow\.models\.` to mean "any class under `airflow.models`"). Such deployments need to add `.*` to the pattern. The default value is empty, so out-of-the-box deployments are unaffected.

Default off, admin-only config — leaving the newsfragment decision to the reviewer.

---

##### Was generative AI tooling used to co-author this PR?

- [X] Yes — Claude Opus 4.7 (1M context)

Generated-by: Claude Opus 4.7 (1M context) following [the guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
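The prefix bypass the PR describes, and why switching the allowlist check to `re.fullmatch()` closes it, as an added stand-alone example that is not Airflow's own code and not part of the PR. The helper names, the sample classnames and the migration helper below are assumptions made for illustration; only the pattern `airflow\.models\.Variable` and the bypass name `airflow.models.Variable_Malicious` come from the PR text.

```python
import re

# Constructed sample data for this example: an allowlist entry written as in the
# PR, and three classnames a deserializer might be asked to load.
PATTERN = r"airflow\.models\.Variable"
CLASSNAMES = [
    "airflow.models.Variable",            # the intended class
    "airflow.models.Variable_Malicious",  # attacker-chosen suffix (the bypass)
    "evil.airflow.models.Variable",       # allowed name not at the start
]


def allowed_with_match(classname: str, patterns: list[str]) -> bool:
    """Pre-fix semantics (assumed helper): re.match anchors only at the start
    of the string, so any suffix appended to an allowed classname is admitted."""
    return any(re.match(p, classname) for p in patterns)


def allowed_with_fullmatch(classname: str, patterns: list[str]) -> bool:
    """Post-fix semantics (assumed helper): the pattern must consume the
    entire classname, so a trailing suffix is rejected."""
    return any(re.fullmatch(p, classname) for p in patterns)


def prefix_to_fullmatch(pattern: str) -> str:
    """Migration helper (assumed, not from the PR): turn a pattern that relied
    on prefix matching into an explicit `.*` prefix allowance for fullmatch."""
    return pattern if pattern.endswith(".*") else pattern + ".*"


def compare(patterns: list[str], classnames: list[str]) -> dict[str, tuple[bool, bool]]:
    """Return {classname: (admitted by re.match, admitted by re.fullmatch)}."""
    return {
        name: (allowed_with_match(name, patterns), allowed_with_fullmatch(name, patterns))
        for name in classnames
    }


if __name__ == "__main__":
    for name, (by_match, by_fullmatch) in compare([PATTERN], CLASSNAMES).items():
        print(f"{name:36} match={by_match!s:5} fullmatch={by_fullmatch}")
    # A deployment that meant "anything under airflow.models" must now say so.
    prefix = prefix_to_fullmatch(r"airflow\.models\.")
    print(prefix, allowed_with_fullmatch("airflow.models.Variable_Malicious", [prefix]))
```

The `compare` table is the check a reviewer can run against any existing allowlist: every classname admitted under `re.match` but not under `re.fullmatch` is either a bypass being closed or a prefix-style allowance that needs the explicit `.*`.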
