github-actions[bot] opened a new pull request, #66748: URL: https://github.com/apache/airflow/pull/66748
`SecretsMasker._redact` short-circuited on `depth > max_depth` before checking whether the current key name was sensitive (`should_hide_value_for_key(name)`). For sensitive keys nested beyond the recursion depth (default 5), the original value was returned unchanged instead of being replaced with `***`. Move the depth cutoff inside the `try:` block, after the sensitive-key check, and let dict traversal continue past the cutoff so deeper sensitive keys are still caught. Non-dict containers and the string-pattern masker keep the depth-bounded behavior the cutoff was added for. JSON-loaded payloads cannot be self-referential, and any in-memory cycle hits Python's own recursion limit and falls through the existing exception handler to "<redaction-failed>", which preserves the fail-closed property. (cherry picked from commit 354391bbccc1658ce66d8ec2e2e415e6a01aa7a4) Co-authored-by: Jarek Potiuk <[email protected]> Generated-by: Claude Opus 4.7 (1M context) following the guidelines at https: //github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
