The GitHub Actions job "Tests" on airflow.git/fix/db-shell-mysql-cnf-newline-injection has failed. Run started by GitHub user 1fanwang (triggered by 1fanwang).
Head commit for run: 42836df676597819ed6555a77efce4e797187f2a / 1fanwang <[email protected]> Strip CR/LF from MySQL URL query values before forwarding to my.cnf `_build_mysql_cnf` (introduced in #65575) forwards an allowlist of SQLAlchemy URL query keys (`ssl_ca`, `ssl_cert`, `ssl_key`, `ssl_cipher`, `ssl_mode`, `charset`) into the `[client]` section of the temporary my.cnf written by `airflow db shell`. The values are written without sanitization. SQLAlchemy's URL parser percent-decodes query values, so a `sql_alchemy_conn` containing `%0A` or `%0D` in any of those values would inject extra option lines into the `[client]` section, e.g. `?ssl_ca=/etc/ssl/ca.crt%0Amalicious=evil` becomes: ``` [client] ... ssl-ca = /etc/ssl/ca.crt malicious = evil ``` The password field already escapes via `_quote_mysql_password_for_cnf`; this closes the asymmetric defense-in-depth gap on the rest by stripping CR/LF in a small `_strip_newlines` helper applied to each forwarded value. Adds a regression test exercising both `%0A` and `%0D` in `ssl_ca`. Signed-off-by: 1fanwang <[email protected]> Report URL: https://github.com/apache/airflow/actions/runs/25296643418 With regards, GitHub Actions via GitBox --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
