potiuk opened a new pull request, #66749:
URL: https://github.com/apache/airflow/pull/66749
## Summary
The log server uses `request.url.path.lstrip("/log/")` to extract the
requested filename from the URL path. `str.lstrip()` strips any combination of
the argument characters (here `{/, l, o, g}`) from the left of the string — it
does **not** remove the literal prefix `"/log/"`. This is a documented Python
pitfall (see https://docs.python.org/3/library/stdtypes.html#str.lstrip).
This PR switches to `str.removeprefix("/log/")` (Python 3.9+, already
required by Airflow) so the filename extracted for JWT validation matches the
one the underlying Starlette `StaticFiles` mount uses to locate the file on
disk.
## Test plan
- [x] New `test_forbidden_lstrip_character_overlap` in
`airflow-core/tests/unit/utils/test_serve_logs.py` exercises the `{/, l, o, g}`
character-set overlap.
- [x] Existing `test_serve_logs.py` tests continue to pass.
Tracker: airflow-s/airflow-s#401.
##### Was generative AI tooling used to co-author this PR?
- [X] Yes — Claude Opus 4.7 (1M context)
Generated-by: Claude Opus 4.7 (1M context) following the guidelines at
https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
