hussein-awala commented on code in PR #64610:
URL: https://github.com/apache/airflow/pull/64610#discussion_r3539958730
##########
airflow-core/src/airflow/config_templates/config.yml:
##########
@@ -1635,6 +1635,39 @@ api:
type: boolean
example: ~
default: "True"
+ enable_regexp_query_filters:
+ description: |
+ Whether to enable regular-expression based query filters in the API.
Currently this
+ controls the ``partition_key_pattern`` filter on ``GET
/assets/events`` and on the
+ Execution API asset-event endpoints.
+
+ Disabled by default for security reasons. When enabled, a
user-supplied regular
+ expression is passed to the database's own regex engine, which is a
Regular expression
+ Denial of Service (ReDoS) vector: a crafted pattern can force the
engine into
+ pathological backtracking and consume database backend CPU. Only
enable this if you
+ accept that trade-off, and keep ``regexp_query_timeout`` set to a
sensible value.
Review Comment:
Reworded along those lines: "When enabled, it allows additional filtering
features that require database-side regexp matching, such as the
`partition_key_regexp_pattern` filter…", with the ReDoS rationale kept as the
reason it's off by default.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]