potiuk opened a new pull request, #67496: URL: https://github.com/apache/airflow/pull/67496
`_OwnersFilter`, `_AssetDependencyFilter`, and `_ConsumingAssetFilter` embedded user-supplied values directly into `ILIKE '%...%'` patterns without escaping the SQL wildcard metacharacters `%` and `_`. Unlike `_SearchParam` — whose docstring explicitly documents wildcard support — these filter classes are not documented as supporting wildcards, so a user supplying `%` or `_` triggered pattern matching instead of the literal substring matching the filter promises, widening match results beyond the filter's intent. This is not SQL injection (SQLAlchemy parameterizes the values) and RBAC still bounds results to what the user is authorized to see — but the pattern-semantics leak is a defense-in-depth issue worth closing. Reported as F-007 (ASVS 1.3.3) and F-008 (ASVS 2.2.1) in the [`apache/tooling-agents` L3 ASVS sweep `0920c77`](https://github.com/apache/tooling-agents/issues/23).

## Change

Add an `_escape_like_pattern()` helper that escapes `\`, `%`, and `_`, and apply it in the three affected filters along with an explicit `escape="\\"` clause on the `.ilike()` call. `_SearchParam` is left untouched.

The two affected filters' `to_orm` had an `if self.value is None and self.skip_none: return select` guard that fell through to `f"%{None}%"` (silently buggy) when `skip_none=False` — replaced with an unconditional `None`-check so the mypy narrowing for the new helper holds.

## Test plan

- [x] Added `TestEscapeLikePattern` with parametrised metacharacter coverage (`%`, `_`, `\`, and combinations).
- [x] Added `TestNonSearchFilterEscaping` asserting (a) each of the three filters renders SQL with escaped user wildcards and an `ESCAPE` clause; (b) `_SearchParam` continues to pass wildcards through.
- [x] `prek run ruff` clean.
- [x] `prek run mypy-airflow-core` clean.
- [x] Full `test_parameters.py` suite: 43 passed.

---

##### Was generative AI tooling used to co-author this PR?
- [X] Yes — Claude Code (Opus 4.7)

Generated-by: Claude Code (Opus 4.7) following [the guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions)
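As an added illustration (not code from the PR or from Airflow), the pure-Python `ILIKE` emulation below shows how an unescaped `%` or `_` in user input widens an owner filter beyond literal substring matching, and how an `_escape_like_pattern`-style helper restores the intended semantics. The owner list, `escape_like_pattern`, `ilike_match` and `filter_owners` are all constructed for this example.

```python
import re

# Constructed sample data: owner strings a filter might be run against.
OWNERS = ["a_team", "art", "ant", "bob", "100%"]


def escape_like_pattern(value: str, escape: str = "\\") -> str:
    """Escape LIKE/ILIKE metacharacters so the value matches literally.

    The escape character is doubled first, so a user-supplied backslash
    cannot neutralise the escaping applied to a following % or _.
    """
    return (
        value.replace(escape, escape + escape)
        .replace("%", escape + "%")
        .replace("_", escape + "_")
    )


def ilike_match(pattern: str, candidate: str, escape: str = "\\") -> bool:
    """Minimal emulation of SQL ILIKE ... ESCAPE: an unescaped % matches any
    run of characters, an unescaped _ matches exactly one character, and the
    character after the escape character is taken literally."""
    regex, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == escape and i + 1 < len(pattern):
            regex.append(re.escape(pattern[i + 1]))  # escaped metacharacter
            i += 2
            continue
        regex.append(".*" if ch == "%" else "." if ch == "_" else re.escape(ch))
        i += 1
    return re.fullmatch("".join(regex), candidate, re.IGNORECASE | re.DOTALL) is not None


def filter_owners(owners: list[str], user_value: str, escaped: bool) -> list[str]:
    """Substring filter as the unfixed (escaped=False) and fixed (escaped=True)
    filter classes would evaluate it against the candidate owners."""
    needle = escape_like_pattern(user_value) if escaped else user_value
    return [o for o in owners if ilike_match(f"%{needle}%", o)]


if __name__ == "__main__":
    for value in ("a_t", "%"):
        print(value, "unfixed:", filter_owners(OWNERS, value, escaped=False))
        print(value, "fixed:  ", filter_owners(OWNERS, value, escaped=True))
```

The explicit `escape="\\"` the PR adds to `.ilike()` tells the database which character the helper used instead of relying on a dialect default, which is what keeps the escaped pattern portable.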
