This is an automated email from the ASF dual-hosted git repository.
shahar1 pushed a commit to branch v3-2-test
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/v3-2-test by this push:
new 06a3636f6d7 [v3-2-test] Extend DEFAULT_SENSITIVE_FIELDS with common
credential field names (#66673) (#66991)
06a3636f6d7 is described below
commit 06a3636f6d7259221e02460d4da2e52ecb06fb50
Author: github-actions[bot]
<41898282+github-actions[bot]@users.noreply.github.com>
AuthorDate: Fri May 15 20:26:15 2026 +0300
[v3-2-test] Extend DEFAULT_SENSITIVE_FIELDS with common credential field
names (#66673) (#66991)
DEFAULT_SENSITIVE_FIELDS is the allowlist used by the secrets masker
for masking Variables and Connection extras. Several common field
names used by official Airflow providers and standard HTTP/database
configurations are not in the allowlist.
This commit adds five field names commonly used in connection extras
and provider configurations:
- webhook_url — Slack provider webhook URL key
- bearer — HTTP bearer-token auth key
- dsn — database connection strings (which typically embed
credentials, e.g. postgres://user:pass@host/db)
- auth_header — custom HTTP auth header values
- service_key — service-account-like keys
Related: https://github.com/airflow-s/airflow-s/issues/377
(cherry picked from commit 32ac8ad5132963ff0351aa756331e9e9c60a692b)
Generated-by: Claude Opus 4.7 (1M context) following the guidelines at
https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions
Co-authored-by: Jarek Potiuk <[email protected]>
---
.../src/airflow_shared/secrets_masker/secrets_masker.py | 7 ++++++-
.../tests/secrets_masker/test_secrets_masker.py | 17 +++++++++++++++++
2 files changed, 23 insertions(+), 1 deletion(-)
diff --git
a/shared/secrets_masker/src/airflow_shared/secrets_masker/secrets_masker.py
b/shared/secrets_masker/src/airflow_shared/secrets_masker/secrets_masker.py
index 1fc046de583..6ae5343ec00 100644
--- a/shared/secrets_masker/src/airflow_shared/secrets_masker/secrets_masker.py
+++ b/shared/secrets_masker/src/airflow_shared/secrets_masker/secrets_masker.py
@@ -54,8 +54,11 @@ DEFAULT_SENSITIVE_FIELDS = frozenset(
"access_token",
"api_key",
"apikey",
+ "auth_header",
"authorization",
+ "bearer",
"connection_string",
+ "dsn",
"passphrase",
"passwd",
"password",
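Review bot: Nothing at the definition says how these names are matched, and the three added here (`auth_header`, `bearer`, `dsn`) behave differently under the substring rule that the test comment in this same commit describes. `dsn` is short enough to match any key that happens to contain those three letters, while a spelling without the underscore such as `authHeader` would presumably not match `auth_header`, leaving that value unmasked. I would put a comment above the set, e.g. `# Matched as a substring of the lowercased key; camelCase spellings are not covered.`, so that whoever adds the next name knows which variants to list. The same applies to `service_key` and `webhook_url` in the next hunk; the frozenset literal opens before this hunk and closes in that one.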
@@ -64,9 +67,11 @@ DEFAULT_SENSITIVE_FIELDS = frozenset(
"proxy_password",
"proxies",
"secret",
+ "service_account",
+ "service_key",
"token",
"keyfile_dict",
- "service_account",
+ "webhook_url",
}
)
"""Names of fields (Connection extra, Variable key name etc.) that are deemed
sensitive"""
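Review bot: `keyfile_dict` is left after `token`, although this hunk moves `service_account` up to restore its alphabetical position, so the tail of the set is still out of order. Moving `"keyfile_dict",` between `"dsn",` and `"passphrase",` in the previous hunk would make duplicates and omissions easier to spot when further credential names are added. The ordering of the entries between the two hunks is not visible here and appears only roughly alphabetical, so treat this as a tidy-up rather than a strict rule.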
diff --git a/shared/secrets_masker/tests/secrets_masker/test_secrets_masker.py
b/shared/secrets_masker/tests/secrets_masker/test_secrets_masker.py
index 930748e2ed0..1e8b50522e2 100644
--- a/shared/secrets_masker/tests/secrets_masker/test_secrets_masker.py
+++ b/shared/secrets_masker/tests/secrets_masker/test_secrets_masker.py
@@ -817,6 +817,23 @@ class TestShouldHideValueForKey:
("GOOGLE_API_KEY", True),
("GOOGLE_APIKEY", True),
(1, False),
+ # webhook_url / bearer / dsn / auth_header / service_key in
DEFAULT_SENSITIVE_FIELDS.
+ # Matching is case-insensitive substring on the lowercased key, so
+ # snake_case variants (and underscore-bearing prefixes/suffixes)
are
+ # covered; PascalCase / camelCase variants without underscores are
not.
+ ("webhook_url", True),
+ ("WEBHOOK_URL", True),
+ ("slack_webhook_url", True),
+ ("bearer", True),
+ ("Bearer", True),
+ ("auth_bearer", True),
+ ("dsn", True),
+ ("DSN", True),
+ ("auth_header", True),
+ ("AUTH_HEADER", True),
+ ("custom_auth_header", True),
+ ("service_key", True),
+ ("my_service_key", True),
],
)
def test_hiding_defaults(self, key, expected_result):
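Review bot: Every added case expects `True`, so the limitation that the new comment spells out (camelCase keys without underscores are not matched) is not pinned by any assertion. Negative rows such as `("webhookUrl", False)` and `("authHeader", False)` would document the gap and fail visibly if matching is later widened; that they return `False` is inferred from the comment and from the entries visible in this diff, so check them against the full set. `dsn` is also the only new name without a compound variant, and a row like `("sentry_dsn", True)` would follow the pattern used for the others. The parametrize list starts before this hunk and the test body follows it.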