github-actions[bot] opened a new pull request, #67182:
URL: https://github.com/apache/airflow/pull/67182

   * Fail closed in _collect_teams_to_check on body parse failure
   
   For POST/PUT in multi-team mode, the helper used `with suppress(JSONDecodeError)`
   around `await request.json()`. If the body was unparseable, the suppress
   swallowed the exception, `teams.add(raw)` never ran, and the calling
   `requires_access_*` dependency iterated over an empty set — silently
   skipping the authorization callback entirely.
   
   Today this is unreachable because every POST/PUT route in core_api uses a
   Pydantic body model, so FastAPI returns 422 before the auth dependency
   runs. But the pattern would silently bypass team-scoped authz if a future
   route used a raw `Request` instead. Replace the bare suppress with an
   explicit try/except that adds `None` to `teams` on parse failure, so the
   auth callback always runs at least once.
   
   * Reject malformed bodies in core_api authz helpers with 400
   
   Builds on the previous fail-closed change in _collect_teams_to_check.
   Two follow-ups from review:
   
   * On JSONDecodeError, raise HTTP 400 directly instead of falling through
     to a team=None auth call — clearer failure mode and removes any
     ambiguity about whether authz ran.
   * Reject non-string `team_name` (in _collect_teams_to_check) and
     non-string `dag_id` (in requires_access_backfill) from the raw body
     with HTTP 400 before any authz decision or DB lookup. Without this,
     a list / dict / int / bool would flow into Team.get_name_if_exists,
     requires_access_dag, or the existence lookup with undefined behaviour
     or type-confused authz decisions.
   
   Both helpers still read the raw body before Pydantic body validation
   runs on the endpoint handler, so this is defense-in-depth: every current
   POST/PUT route uses a Pydantic body model and FastAPI returns 422 before
   the auth dependency runs on a malformed body.
   
   Tests: existing parse-failure test renamed and updated to assert 400;
   new parametrised tests cover integer / list / dict / bool inputs for
   both team_name and dag_id.
   (cherry picked from commit 448f84629192d640147cb5825b9f5e5d874dd2e4)
   
   Co-authored-by: Jarek Potiuk <[email protected]>


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
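
The failure mode described in the commit message above, as an added sketch that is not Airflow's code: a suppressed parse error leaves the team set empty so the authorization loop runs zero times, while the strict variant rejects the request with 400 before any authz decision. `HTTPError`, `FakeRequest`, `collect_teams_unsafe`, `collect_teams_strict`, `authorize` and `check` are hypothetical names, the request bodies are constructed, and rejecting a non-object body is an assumption of this sketch.

```python
import asyncio
import json
from contextlib import suppress

class HTTPError(Exception):  # hypothetical stand-in for FastAPI's HTTPException
    def __init__(self, status_code, detail):
        super().__init__(detail)
        self.status_code = status_code

class FakeRequest:  # constructed stand-in for a raw Request carrying a body
    def __init__(self, body: bytes):
        self._body = body
    async def json(self):
        return json.loads(self._body)

async def collect_teams_unsafe(request):
    teams = set()
    with suppress(json.JSONDecodeError):  # parse failure leaves `teams` empty
        teams.add((await request.json()).get("team_name"))
    return teams

async def collect_teams_strict(request):
    try:
        body = await request.json()
    except json.JSONDecodeError:
        raise HTTPError(400, "malformed JSON body") from None
    if not isinstance(body, dict):  # assumption of this sketch
        raise HTTPError(400, "body must be a JSON object")
    raw = body.get("team_name")
    if raw is not None and not isinstance(raw, str):
        raise HTTPError(400, "team_name must be a string")
    return {raw}  # always one entry, so the auth callback always runs

def authorize(teams, allowed):
    """Run the auth check once per collected team; return how often it ran."""
    calls = 0
    for team in teams:
        calls += 1
        if team not in allowed:
            raise HTTPError(403, "forbidden")
    return calls  # 0 means no authorization check happened at all

def check(collector, body, allowed=frozenset({"team_a"})):
    """Return ('ok', auth_calls) or ('http', status) for one request body."""
    try:
        teams = asyncio.run(collector(FakeRequest(body)))
        return ("ok", authorize(teams, allowed))
    except HTTPError as exc:
        return ("http", exc.status_code)
```
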
