The GitHub Actions job "Tests" on airflow.git/f-008-collect-teams-fail-closed has succeeded. Run started by GitHub user potiuk (triggered by potiuk).
Head commit for run:
939cd7534d7a1354728af178ca66e558789a462c / Jarek Potiuk <[email protected]>

Reject non-string dag_id / team_name from raw body before authz runs

Extends #66504 with explicit type validation. The authorization dependencies in `_collect_teams_to_check` and `requires_access_backfill` read `team_name` / `dag_id` from the raw JSON body before Pydantic validation runs on the actual endpoint handler. If a body contains a non-string value (list, dict, integer, …) those values would otherwise flow into `Team.get_name_if_exists` / the authz callback / the existence lookup, producing undefined behaviour or type-confused authz decisions.

Raise 400 on a non-string `team_name` / `dag_id` before any auth check runs. Tests parametrised on integer / list / dict / bool inputs assert the 400 + that the authz callback is never consulted.

Reported by the L3 ASVS sweep at apache/tooling-agents#23 (FINDING-060).

Report URL: https://github.com/apache/airflow/actions/runs/25504679145

With regards,
GitHub Actions via GitBox
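The ordering the commit message describes, as an added sketch that is not Airflow's code: a pre-handler authorization step type-checks `dag_id` / `team_name` from the raw body and returns 400 before the authz callback is consulted. `HTTPError`, `require_str_or_none`, `authorize_from_raw_body` and the sample bodies are hypothetical, and treating an absent field as `None` is an assumption.

```python
from typing import Any, Callable, Optional


class HTTPError(Exception):
    """Hypothetical stand-in for a web framework's HTTP exception."""
    def __init__(self, status_code: int, detail: str):
        super().__init__(detail)
        self.status_code = status_code


def require_str_or_none(body: Any, field: str) -> Optional[str]:
    """Return body[field] if absent/None or a real str; otherwise raise 400."""
    if not isinstance(body, dict):
        raise HTTPError(400, "request body must be a JSON object")
    value = body.get(field)  # assumption: a missing field is treated as None
    if value is None:
        return None
    # bool, int, list and dict all fail this check; nothing is coerced to str.
    if not isinstance(value, str):
        raise HTTPError(400, f"{field} must be a string, got {type(value).__name__}")
    return value


def authorize_from_raw_body(
    body: Any, is_authorized: Callable[[Optional[str], Optional[str]], bool]
) -> int:
    """Type-check the raw body first, then ask the authz callback.

    Returns the HTTP status this stage would produce."""
    try:
        dag_id = require_str_or_none(body, "dag_id")
        team_name = require_str_or_none(body, "team_name")
    except HTTPError as exc:
        return exc.status_code  # rejected before any authz decision is made
    return 200 if is_authorized(dag_id, team_name) else 403


def demo():
    calls = []  # records every time the authz callback is consulted

    def callback(dag_id, team_name):
        calls.append((dag_id, team_name))
        return team_name == "team_a"

    # Constructed sample bodies: two well-typed, then integer / list / dict / bool.
    bodies = [
        {"dag_id": "d", "team_name": "team_a"},
        {"dag_id": "d", "team_name": "team_b"},
        {"dag_id": 1}, {"team_name": ["team_a"]},
        {"team_name": {"name": "team_a"}}, {"dag_id": True},
    ]
    return [authorize_from_raw_body(b, callback) for b in bodies], calls
```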
