potiuk opened a new pull request, #66504: URL: https://github.com/apache/airflow/pull/66504
For POST/PUT in multi-team mode, the helper used `with suppress(JSONDecodeError)` around `await request.json()`. If the body was unparseable, the suppress swallowed the exception, `teams.add(raw)` never ran, and the calling `requires_access_*` dependency iterated over an empty set, silently skipping the authorization callback entirely.

Today this is unreachable because every POST/PUT route in `core_api` uses a Pydantic body model, so FastAPI returns 422 before the auth dependency runs. But the pattern would silently bypass team-scoped authz if a future route used a raw `Request` instead.

Replace the bare `suppress` with an explicit `try/except` that adds `None` to `teams` on parse failure, so the auth callback always runs at least once.

Reported in apache/tooling-agents#23 (ASVS L1 finding F-008).

---

##### Was generative AI tooling used to co-author this PR?

- [X] Yes — Claude Opus 4.7 (1M context)

Generated-by: Claude Opus 4.7 (1M context) following [the guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions)
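The control flow the PR describes, as an added stand-alone illustration that is not Airflow's code and not part of the PR: a hypothetical `FakeRequest` stands in for the FastAPI/Starlette request, `collect_teams_suppress` models the `suppress(JSONDecodeError)` helper before the fix, `collect_teams_explicit` the `try/except` version after it, and `requires_access` models the dependency that calls the authorization callback once per collected team. The `team_name` body field and every function name here are assumptions chosen for the example; the point it demonstrates is that the "before" helper returns an empty set on a malformed body, so the callback is never invoked and the request is implicitly allowed, while the "after" helper always yields at least one element.

```python
"""Constructed model of the suppress(JSONDecodeError) authz bypass and its fix.

Hypothetical stand-ins, not Airflow code: only the control flow discussed in
the PR is modelled (body parsing -> set of teams -> per-team auth callback).
"""
import asyncio
from contextlib import suppress
from json import JSONDecodeError, loads
from typing import Callable


class FakeRequest:
    """Stand-in for the web framework's Request; .json() parses the raw body."""

    def __init__(self, body: bytes):
        self._body = body

    async def json(self):
        # json.loads raises JSONDecodeError on a malformed or empty body.
        return loads(self._body)


async def collect_teams_suppress(request: FakeRequest) -> set:
    """'Before': a parse failure is swallowed and the set stays empty."""
    teams: set = set()
    with suppress(JSONDecodeError):
        body = await request.json()
        # "team_name" is an assumed field name for this example only.
        raw = body.get("team_name") if isinstance(body, dict) else None
        teams.add(raw)  # never reached when json() raises
    return teams


async def collect_teams_explicit(request: FakeRequest) -> set:
    """'After': a parse failure still contributes one element (None)."""
    teams: set = set()
    try:
        body = await request.json()
    except JSONDecodeError:
        teams.add(None)  # forces the auth callback to run at least once
    else:
        raw = body.get("team_name") if isinstance(body, dict) else None
        teams.add(raw)
    return teams


async def requires_access(
    collect, request: FakeRequest, is_authorized: Callable[[object], bool]
) -> tuple[bool, int]:
    """Model of the requires_access_* dependency.

    Runs the callback once per collected team and denies if any call says no.
    Returns (allowed, number_of_callback_invocations). With an empty set the
    loop body never executes, so the request is allowed without any check.
    """
    calls = 0
    for team in await collect(request):
        calls += 1
        if not is_authorized(team):
            return False, calls
    return True, calls


def run(collect, body: bytes, is_authorized=lambda team: False) -> tuple[bool, int]:
    """Drive one request through a collector with a deny-everything callback by default."""
    return asyncio.run(requires_access(collect, FakeRequest(body), is_authorized))


if __name__ == "__main__":
    bad = b"{not json"  # constructed malformed body
    print("suppress, malformed body:", run(collect_teams_suppress, bad))  # allowed, 0 calls
    print("explicit, malformed body:", run(collect_teams_explicit, bad))  # denied, 1 call
```

With a deny-everything callback, a well-formed body is denied by both collectors after one callback invocation; the malformed body is where they diverge, and the `(True, 0)` result from the suppress version is exactly the silent bypass the PR closes.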
