Samin061 opened a new pull request, #69194: URL: https://github.com/apache/airflow/pull/69194
ImapHook writes each downloaded attachment under `local_output_directory`, but `_is_symlink` passed the bare attachment name to `os.path.islink`, so it inspected a path relative to the process working directory rather than the file that gets opened. A symlink planted at the real destination slipped past the check and the following `open(..., "wb")` wrote through it, so an attacker-controlled attachment name and payload could overwrite the link target. Resolve the destination with `_correct_path` before the symlink check so the file actually being written is the one inspected. --- ##### Was generative AI tooling used to co-author this PR? - [ ] Yes (please specify the tool below) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
