The GitHub Actions job "Tests (AMD)" on airflow.git/fix-bulk-overwrite-team-authz has succeeded.

Run started by GitHub user potiuk (triggered by potiuk).

Head commit for run: 663507738bb1f062881d45a9dbdbe0179f34c43e / Jarek Potiuk <[email protected]>

Fix bulk CREATE+OVERWRITE team-context authz bypass

When a bulk request used `action_on_existence=overwrite` against a resource that already belonged to a team, the PUT-method authz check added for the overwrite case ran with `team_name=None` because the existing-resource team lookup explicitly excluded CREATE entities. This allowed a user not belonging to a given team to overwrite that team's pool / connection / variable through the bulk API, bypassing the per-team membership check the single-item PUT endpoint enforces.

Multi-team (`[core] multi_team`) is documented as experimental and does not provide task-level isolation guarantees, so this is a defense-in-depth fix on an experimental surface rather than a CVE-class issue, but the bulk path should match single-item PUT authz behaviour regardless.

Include CREATE+OVERWRITE entities in the existing-team lookup so the PUT check sees the actual team that owns the target resource.

Report URL: https://github.com/apache/airflow/actions/runs/26417905236

With regards,
GitHub Actions via GitBox
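The bug class described in the commit message, reduced to a small model so the failure mode and the fix can be checked side by side. This is an added illustration, not Airflow's code: the `BulkEntity`/`Resource` types, the `lookup_existing_teams` and `bulk_apply` functions, the in-memory store and the sample users are all constructed here. The only thing carried over from the commit message is the mechanism: an existing-resource team lookup that skips CREATE entities yields no team for a CREATE+OVERWRITE, so the PUT-style membership check runs against `None` and passes for a non-member.

```python
"""Model of a bulk CREATE+OVERWRITE team-authorization check (hypothetical,
not Airflow's implementation). The flag `include_create_overwrite` switches
between the buggy lookup (CREATE entities excluded) and the fixed one."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Resource:
    name: str
    team_name: Optional[str]  # None means a global, non-team resource


@dataclass(frozen=True)
class User:
    name: str
    teams: frozenset


@dataclass(frozen=True)
class BulkEntity:
    action: str                        # "create" is the only action modelled
    name: str
    action_on_existence: str = "fail"  # "fail", "skip" or "overwrite"


# Constructed sample store: one pool owned by team "blue".
POOLS: Dict[str, Resource] = {"gpu_pool": Resource("gpu_pool", "blue")}


def is_authorized_put(user: User, team_name: Optional[str]) -> bool:
    """Per-team membership check as a single-item PUT would enforce it.
    A global resource (team_name None) is writable by any user in this model."""
    return team_name is None or team_name in user.teams


def lookup_existing_teams(
    entities: List[BulkEntity],
    store: Dict[str, Resource],
    include_create_overwrite: bool,
) -> Dict[str, Optional[str]]:
    """Map entity name -> team owning the resource that already exists.

    Buggy behaviour (include_create_overwrite=False): CREATE entities are
    skipped, so a CREATE+OVERWRITE of an existing team resource gets no entry
    and the caller later looks up None.
    """
    teams: Dict[str, Optional[str]] = {}
    for entity in entities:
        if entity.action == "create" and not include_create_overwrite:
            continue
        existing = store.get(entity.name)
        if existing is not None:
            teams[entity.name] = existing.team_name
    return teams


def bulk_apply(
    user: User,
    entities: List[BulkEntity],
    store: Dict[str, Resource],
    *,
    include_create_overwrite: bool,
) -> List[Tuple[str, str]]:
    """Return (name, outcome) per entity; outcomes are 'applied', 'forbidden',
    'skipped' or 'failed'. The store is not mutated; only the decision matters."""
    existing_teams = lookup_existing_teams(entities, store, include_create_overwrite)
    results: List[Tuple[str, str]] = []
    for entity in entities:
        if entity.action != "create":
            raise ValueError("only 'create' is modelled in this example")
        if entity.name in store:
            if entity.action_on_existence == "skip":
                results.append((entity.name, "skipped"))
                continue
            if entity.action_on_existence != "overwrite":
                results.append((entity.name, "failed"))
                continue
            # Overwrite of an existing resource: run the PUT-style check with
            # whatever team the lookup produced. With the buggy lookup this is
            # None for a CREATE entity, and the check passes for anyone.
            if not is_authorized_put(user, existing_teams.get(entity.name)):
                results.append((entity.name, "forbidden"))
                continue
        results.append((entity.name, "applied"))
    return results


if __name__ == "__main__":
    outsider = User("outsider", frozenset({"red"}))
    member = User("member", frozenset({"blue"}))
    request = [BulkEntity("create", "gpu_pool", "overwrite")]
    print("buggy lookup, non-member:", bulk_apply(outsider, request, POOLS, include_create_overwrite=False))
    print("fixed lookup, non-member:", bulk_apply(outsider, request, POOLS, include_create_overwrite=True))
    print("fixed lookup, member:    ", bulk_apply(member, request, POOLS, include_create_overwrite=True))
```

A regression test for this class of bug is the pair of assertions in the block's usage: the same CREATE+OVERWRITE request from a user outside the owning team must be refused by the bulk path exactly as the single-item PUT would refuse it, while a team member is still allowed through.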
