hussein-awala commented on code in PR #64610:
URL: https://github.com/apache/airflow/pull/64610#discussion_r3540069178


##########
airflow-core/src/airflow/config_templates/config.yml:
##########
@@ -1635,6 +1635,39 @@ api:
       type: boolean
       example: ~
       default: "True"
+    enable_regexp_query_filters:
+      description: |
+        Whether to enable regular-expression based query filters in the API. 
Currently this
+        controls the ``partition_key_pattern`` filter on ``GET 
/assets/events`` and on the
+        Execution API asset-event endpoints.
+
+        Disabled by default for security reasons. When enabled, a 
user-supplied regular
+        expression is passed to the database's own regex engine, which is a 
Regular expression
+        Denial of Service (ReDoS) vector: a crafted pattern can force the 
engine into
+        pathological backtracking and consume database backend CPU. Only 
enable this if you
+        accept that trade-off, and keep ``regexp_query_timeout`` set to a 
sensible value.
+
+        Exact-match ``partition_key`` filtering is always available and is not 
affected by this
+        setting.
+      version_added: 3.4.0
+      type: boolean
+      example: ~
+      default: "False"
+    regexp_query_timeout:
+      description: |
+        Maximum time, in seconds, that a query using a regular-expression 
filter (see
+        ``enable_regexp_query_filters``) is allowed to run.
+
+        This is the primary runtime mitigation for the ReDoS risk described 
above: on PostgreSQL
+        it is enforced as a transaction-local ``statement_timeout`` so that a 
pathological
+        pattern is aborted instead of pinning a database backend (PostgreSQL 
has no built-in
+        regex step limit, unlike MySQL's ``regexp_time_limit``). Keep it as 
low as your
+        legitimate queries allow. A value of ``0`` disables the timeout, which 
is not
+        recommended while the feature is enabled.
+      version_added: 3.4.0

Review Comment:
   Good call! Merged them into a single `[api] regexp_query_timeout`. `0` (the 
default) disables regexp filtering entirely, any positive value enables it and 
bounds the query runtime.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to