ashb commented on code in PR #67868: URL: https://github.com/apache/airflow/pull/67868#discussion_r3339189891
########## airflow-core/src/airflow/api_fastapi/core_api/datamodels/trigger.py: ########## @@ -17,21 +17,34 @@ from __future__ import annotations from datetime import datetime -from typing import Annotated +from typing import Annotated, Any from pydantic import BeforeValidator, ConfigDict +from airflow._shared.secrets_masker import redact from airflow.api_fastapi.core_api.base import BaseModel +def redact_kwargs(value: Any) -> str: + """ + Redact sensitive values from trigger kwargs before they are exposed via the API. + + Trigger kwargs may carry credential material (for example an API key handed to a + deferred operator). They are encrypted at rest, but this response decrypts them, so + sensitive keys are masked here for consistency with how connection extras, variables + and rendered fields are already redacted. + """ + return str(redact(value)) Review Comment: This will fundamentally break any trigger that gets caught by this. This is not merely display. It is changing the value that the Trigger class sees. You are trusting AI without understanding the problem domain
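Review bot: in `redact_kwargs`, the last line `return str(redact(value))` turns whatever structure was passed in into a single string, and the visible lines do not show where the function is attached or which code reads its output. Since `BeforeValidator` is already imported in this module, confirm that the function is applied only to the API response model and that nothing on the path that rebuilds a trigger from its stored kwargs ever receives the redacted string, which is the concern raised in the review comment above. A test that serializes a trigger whose kwargs contain a sensitive-looking key and then checks that the stored kwargs are unchanged would settle it. It would also help to return the redacted structure instead of wrapping it in `str(...)`, and to state in the docstring that the masking is response-only if that is the intent.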
