potiuk opened a new pull request, #67985:
URL: https://github.com/apache/airflow/pull/67985
`SFTPHook.retrieve_directory` and `retrieve_directory_concurrently` build each local destination path by joining the local directory with a path derived from directory-entry names returned by the remote SFTP server. Because those names can contain `..` components, the recursive download could write outside the configured local destination directory.

This adds a containment check (`_validate_within_directory`) that resolves each computed local path and refuses to write when it falls outside the destination directory, applied to both the serial and concurrent retrieval paths.
### Tests
- [x] Unit test for the containment helper (in-bounds passes, escape rejected)
- [x] Unit test that `retrieve_directory` raises when `get_tree_map` yields a traversing entry, and nothing is written outside the destination
##### Was generative AI tooling used to co-author this PR?
- [X] Yes — Claude Opus 4.8 (1M context)
Generated-by: Claude Opus 4.8 (1M context) following the guidelines at
https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions
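The kind of containment check the pull request describes, as an added example that is not the Airflow provider's code: `resolve_within`, `naive_prefix_check`, `classify` and the sample entry names are hypothetical and constructed for illustration. It goes slightly beyond the `..` case in the description by also covering absolute names, a sibling directory that shares the destination's name prefix, and symlinks already present on disk.

```python
import os
from pathlib import Path

# Constructed entry names, as a remote server might return them.
SAMPLE_NAMES = [
    "reports/2024/a.csv",      # ordinary nested file
    "a/../b.txt",              # '..' that stays inside the destination
    "../outside.txt",          # climbs out of the destination
    "sub/../../outside.txt",   # climbs out after descending
    "../dest_backup/a.csv",    # sibling directory sharing the name prefix
    "/tmp/abs.txt",            # absolute name: os.path.join drops the base
]


def resolve_within(local_dir, name):
    """Return the resolved local path for name, or raise ValueError on escape."""
    base = Path(local_dir).resolve()
    # Resolve the joined path: this collapses '..' and follows symlinks that
    # already exist on disk, so the comparison sees the real write target.
    candidate = Path(os.path.join(base, name)).resolve()
    # Compare whole path components, not string prefixes.
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"{name!r} resolves outside {str(base)!r}")
    return candidate


def naive_prefix_check(local_dir, name):
    """Weak variant for contrast: a string-prefix test on the joined path."""
    base = os.path.abspath(local_dir)
    return os.path.abspath(os.path.join(base, name)).startswith(base)


def classify(local_dir, names):
    """Return (name, allowed) pairs without writing anything."""
    results = []
    for name in names:
        try:
            resolve_within(local_dir, name)
            results.append((name, True))
        except ValueError:
            results.append((name, False))
    return results


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "dest")
        os.mkdir(dest)
        for name, ok in classify(dest, SAMPLE_NAMES):
            print(f"{'allow ' if ok else 'reject'} {name}")
```

The check has to run on the joined, resolved path for every entry before the file is opened for writing, in both the serial and the concurrent code path.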