Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sanitize DagRun.run_id and allow flexibility #32293

Merged
merged 1 commit into from
Jul 2, 2023
Merged

Sanitize DagRun.run_id and allow flexibility #32293

merged 1 commit into from
Jul 2, 2023

Conversation

ephraimbuddy
Copy link
Contributor

This commit sanitizes the DagRun.run_id parameter by introducing a configurable option. Users now have the ability to select a specific run_id pattern for their runs, ensuring stricter control over the values used. This update does not impact the default run_id generation performed by the scheduler for scheduled DAG runs or for Dag runs triggered without modifying the run_id parameter in the run configuration page. The configuration flexibility empowers users to align the run_id pattern with their specific requirements.

@boring-cyborg boring-cyborg bot added the area:webserver Webserver related Issues label Jun 30, 2023
@ephraimbuddy ephraimbuddy force-pushed the sanitize-run-id branch 3 times, most recently from 736bffd to bf7d84b Compare July 1, 2023 00:56
potiuk
potiuk approved these changes Jul 1, 2023
View reviewed changes
Copy link
Member

@potiuk potiuk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@potiuk
Copy link
Member

potiuk commented Jul 1, 2023

The error should be fixed by #32307 . please reabase @ephraimbuddy

@ephraimbuddy
Sanitize DagRun.run_id and allow flexibility
155cfe3 
This commit sanitizes the DagRun.run_id parameter by introducing a configurable option.
Users now have the ability to select a specific run_id pattern for their runs,
ensuring stricter control over the values used. This update does not impact the default run_id
generation performed by the scheduler for scheduled DAG runs or for Dag runs triggered without
modifying the run_id parameter in the run configuration page.
The configuration flexibility empowers users to align the run_id pattern with their specific requirements.
@ephraimbuddy ephraimbuddy added this to the Airlfow 2.6.3 milestone Jul 2, 2023
@ephraimbuddy ephraimbuddy merged commit 05bd90f into apache:main Jul 2, 2023
42 checks passed
@ephraimbuddy ephraimbuddy deleted the sanitize-run-id branch July 2, 2023 11:31
@ephraimbuddy ephraimbuddy added the type:bug-fix Changelog: Bug Fixes label Jul 6, 2023
ephraimbuddy added a commit that referenced this pull request Jul 6, 2023
@ephraimbuddy
Sanitize DagRun.run_id and allow flexibility (#32293)
8ff7dfb 
This commit sanitizes the DagRun.run_id parameter by introducing a configurable option.
Users now have the ability to select a specific run_id pattern for their runs,
ensuring stricter control over the values used. This update does not impact the default run_id
generation performed by the scheduler for scheduled DAG runs or for Dag runs triggered without
modifying the run_id parameter in the run configuration page.
The configuration flexibility empowers users to align the run_id pattern with their specific requirements.

(cherry picked from commit 05bd90f)
This was referenced Jul 7, 2023
Closed
Merged
@rickyzhang82
Copy link

@ephraimbuddy

It is unclear to me how DAG RUN ID could exploit illegal file access, given the limited information from CVE-2023-22887.

But rather than fixing the root cause, we impose a default regex pattern check allowed_run_id_pattern = ^[A-Za-z0-9_.~:+-]+$.

How can we guarantee that the string from this pattern won't generate any malicious code? Shouldn't we address the root cause instead? We don't fix the SQL injection by limiting the string from users with regex. We validate the SQL string with prepared statements. Regex itself is not a validation but a restriction.

@abhishekbhakat abhishekbhakat mentioned this pull request Jan 18, 2024
Closed
2 tasks
ephraimbuddy added a commit to astronomer/airflow that referenced this pull request Jan 18, 2024
@ephraimbuddy
Fix bug introduced by replacing spaces by + in run_id
19ffaff 
While working on sanitizing the run_id(apache#32293), I replaced spaces with +
which is not an ideal way to quote a URL. This led to issues when users
use spaces in their DAG run_id.
This commit fixes the issue by using urllib.parse.quote to properly quote
the URL.
@ephraimbuddy ephraimbuddy mentioned this pull request Jan 18, 2024
Merged
ephraimbuddy added a commit that referenced this pull request Jan 18, 2024
@ephraimbuddy
Fix bug introduced by replacing spaces by + in run_id (#36877)
ec8fab5 
While working on sanitizing the run_id(#32293), I replaced spaces with +
which is not an ideal way to quote a URL. This led to issues when users
use spaces in their DAG run_id.
This commit fixes the issue by using urllib.parse.quote to properly quote
the URL.
jedcunningham pushed a commit that referenced this pull request Feb 9, 2024
@ephraimbuddy @jedcunningham
Fix bug introduced by replacing spaces by + in run_id (#36877)
83d630c 
While working on sanitizing the run_id(#32293), I replaced spaces with +
which is not an ideal way to quote a URL. This led to issues when users
use spaces in their DAG run_id.
This commit fixes the issue by using urllib.parse.quote to properly quote
the URL.

(cherry picked from commit ec8fab5)
ephraimbuddy added a commit that referenced this pull request Feb 22, 2024
@ephraimbuddy
Fix bug introduced by replacing spaces by + in run_id (#36877)
a2d6e6e 
While working on sanitizing the run_id(#32293), I replaced spaces with +
which is not an ideal way to quote a URL. This led to issues when users
use spaces in their DAG run_id.
This commit fixes the issue by using urllib.parse.quote to properly quote
the URL.

(cherry picked from commit ec8fab5)
abhishekbhakat pushed a commit to abhishekbhakat/my_airflow that referenced this pull request Mar 5, 2024
@ephraimbuddy @abhishekbhakat
Fix bug introduced by replacing spaces by + in run_id (apache#36877)
c8dd690 
While working on sanitizing the run_id(apache#32293), I replaced spaces with +
which is not an ideal way to quote a URL. This led to issues when users
use spaces in their DAG run_id.
This commit fixes the issue by using urllib.parse.quote to properly quote
the URL.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@potiuk potiuk potiuk approved these changes

@ryanahamilton ryanahamilton Awaiting requested review from ryanahamilton ryanahamilton is a code owner

@ashb ashb Awaiting requested review from ashb ashb is a code owner

@bbovenzi bbovenzi Awaiting requested review from bbovenzi bbovenzi is a code owner

@pierrejeambrun pierrejeambrun Awaiting requested review from pierrejeambrun pierrejeambrun is a code owner

@kaxil kaxil Awaiting requested review from kaxil kaxil is a code owner

@XD-DENG XD-DENG Awaiting requested review from XD-DENG XD-DENG is a code owner

Assignees
No one assigned
Labels
area:webserver Webserver related Issues type:bug-fix Changelog: Bug Fixes
Projects
None yet
Milestone
Airflow 2.6.3
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@ephraimbuddy @potiuk @rickyzhang82