Check for DAG ID in query param from url as well as kwargs #32014

Merged
merged 1 commit into from Jun 20, 2023

o-nikolas
Contributor

Previously the dag id was only being checked in request args and form but not kwargs, so it was possible for the id when passed as kwargs to be None. This can allow auth for a user who does not have the permissions to view a particular DAG.



Previously the dag id was only being checked in request args and form
but not kwargs, so it was possible for the id when passed as kwargs
to be None. This can allow auth for a user who does not have the
permissions to view a particular DAG.
@boring-cyborg boring-cyborg bot added the area:webserver Webserver related Issues label Jun 20, 2023
@potiuk
Member

potiuk commented Jun 20, 2023

Nice one!

Contributor

@tirkarthi tirkarthi left a comment

LGTM. Thanks @o-nikolas .

@o-nikolas o-nikolas merged commit ac65b82 into apache:main Jun 20, 2023
42 checks passed
@potiuk potiuk added this to the Airflow 2.6.3 milestone Jun 20, 2023
@ephraimbuddy ephraimbuddy added the type:bug-fix Changelog: Bug Fixes label Jul 6, 2023
ephraimbuddy pushed a commit that referenced this pull request Jul 6, 2023
Previously the dag id was only being checked in request args and form
but not kwargs, so it was possible for the id when passed as kwargs
to be None. This can allow auth for a user who does not have the
permissions to view a particular DAG.

(cherry picked from commit ac65b82)
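
The gap described in the pull request description, as an added example that is not part of the original thread and is not Airflow's code: a simplified model in which the DAG ID is resolved from the query string and form only (before) and from route kwargs as well (after). The `Request`, `User`, `is_authorized` and `handle` names, the DAG IDs, and the assumption that a missing DAG ID falls back to a generic permission check are all hypothetical.

```python
# Added illustration; not Airflow code. All names here are hypothetical.
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for a web request (query string and form body)."""
    args: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class User:
    can_read_dags: bool                      # generic "DAG" resource permission
    readable_dag_ids: set = field(default_factory=set)


def dag_id_before(request, kwargs):
    # Only the query string and form are consulted; a route parameter such as
    # /dags/<dag_id>/... arrives in kwargs and is missed, so this returns None.
    return request.args.get("dag_id") or request.form.get("dag_id")


def dag_id_after(request, kwargs):
    # Route parameters (kwargs) are consulted as well.
    return (kwargs.get("dag_id") or request.args.get("dag_id")
            or request.form.get("dag_id"))


def is_authorized(user, dag_id):
    # Assumption of this model: with no DAG ID, only the generic permission
    # is checked, because there is nothing to run a per-DAG check against.
    if dag_id is None:
        return user.can_read_dags
    return user.can_read_dags and dag_id in user.readable_dag_ids


def handle(resolve, user, request, **kwargs):
    """Return the HTTP status a guarded view would produce."""
    return 200 if is_authorized(user, resolve(request, kwargs)) else 403


# Constructed scenario: the user may read "team_a_etl" but not "finance_etl".
USER = User(can_read_dags=True, readable_dag_ids={"team_a_etl"})
BEFORE = handle(dag_id_before, USER, Request(), dag_id="finance_etl")
AFTER = handle(dag_id_after, USER, Request(), dag_id="finance_etl")
QUERY = handle(dag_id_after, USER, Request(args={"dag_id": "finance_etl"}))
OWN = handle(dag_id_after, USER, Request(), dag_id="team_a_etl")
```

A regression test for this class of bug asserts the denied case through every channel the identifier can arrive by (route parameter, query string, form), not only the one the view normally uses.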