Fix bulk task instance RBAC bypass #64288
Merged: gopidesupavan merged 5 commits into apache:main on Apr 4, 2026
Author (Member): found by codex..
Member: Looks promising, let me know when this is ready for a review (out of draft).
Author (Member): yeah, it's now ready :)
Contributor (Copilot):
Pull request overview
Addresses a cross-DAG RBAC bypass in the wildcard bulk task instance endpoint (/dags/~/dagRuns/~/taskInstances) by adding per-entity DAG authorization checks when DAG identifiers are supplied via the request body.
Changes:
- Add per-entity DAG authorization in BulkTaskInstanceService._categorize_entities() using get_auth_manager().is_authorized_dag(...), with a per-request cache keyed by dag_id.
- Update service unit tests to patch DAG team lookup/auth manager calls to accommodate the new authorization behavior.
- Add a route-level regression test to ensure unauthorized DAG IDs in the request body are rejected when using wildcard path params.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| airflow-core/src/airflow/api_fastapi/core_api/services/public/task_instances.py | Adds per-entity DAG authorization inside bulk entity categorization to prevent cross-DAG bulk updates/deletes via wildcard paths. |
| airflow-core/tests/unit/api_fastapi/core_api/services/public/test_task_instances.py | Updates the _categorize_entities unit test to patch team lookup and auth manager authorization calls. |
| airflow-core/tests/unit/api_fastapi/core_api/routes/public/test_task_instances.py | Adds a regression test ensuring wildcard bulk requests reject unauthorized DAG IDs supplied in the body; adds DB cleanup for teams/runs. |
Contributor: Nice!!! Thanks for the patch @gopidesupavan
Why
The wildcard bulk task instance endpoint accepted dag_id="~" in the path and then processed dag_id / dag_run_id values supplied in the request body without re-validating access for each referenced DAG. That created a cross-DAG RBAC issue where a caller could attempt to modify task instances outside the DAGs they were authorized to access.
What
BulkTaskInstanceService._categorize_entities now performs per-entity DAG authorization by calling get_auth_manager().is_authorized_dag(...) with DagDetails(id=<dag_id>, team_name=<team_name>).
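As an added Python example (not the PR's own code, and not Airflow's API) of the per-entity check described above: DagDetails, FakeAuthManager, ALLOWED_DAGS, TEAM_BY_DAG, categorize_wildcard_body and the request body BODY are all constructed assumptions. It contrasts the bypass (body dag_ids trusted once the "~" path check passed) with the fixed categorization that authorizes each distinct body dag_id once per request.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class DagDetails:
    """Stand-in for Airflow's DagDetails (assumption: only id and team_name are used)."""
    id: str
    team_name: Optional[str] = None

# Constructed policy (invented for this example): which user may update task
# instances of which DAGs, and which team owns each DAG.
ALLOWED_DAGS = {"alice": {"dag_a"}, "bob": {"dag_a", "dag_b"}}
TEAM_BY_DAG = {"dag_a": "team-1", "dag_b": "team-2"}

class FakeAuthManager:
    """Hypothetical auth manager with the is_authorized_dag(...) call the PR relies on."""
    def __init__(self) -> None:
        self.calls = 0  # backend lookups, so the per-request cache is observable

    def is_authorized_dag(self, *, method: str, details: DagDetails, user: str) -> bool:
        self.calls += 1
        return details.id in ALLOWED_DAGS.get(user, set())

def categorize_wildcard_body(entities, user, auth_manager, check_body=True):
    """Split bulk entities of a dag_id='~' request into (accepted, rejected).
    check_body=False reproduces the bypass (body dag_ids applied after only the
    wildcard path check); check_body=True is the fix: each distinct body dag_id
    is authorized once per request through a cache keyed by dag_id."""
    cache = {}
    accepted, rejected = [], []
    for entity in entities:
        dag_id = entity["dag_id"]
        if check_body and dag_id not in cache:
            cache[dag_id] = auth_manager.is_authorized_dag(
                method="PUT", user=user,
                details=DagDetails(id=dag_id, team_name=TEAM_BY_DAG.get(dag_id)),
            )
        (accepted if cache.get(dag_id, True) else rejected).append(entity)
    return accepted, rejected

# Constructed request body: alice is allowed dag_a only but also names dag_b.
BODY = [
    {"dag_id": "dag_a", "dag_run_id": "run1", "task_id": "t1"},
    {"dag_id": "dag_b", "dag_run_id": "run1", "task_id": "t1"},
    {"dag_id": "dag_b", "dag_run_id": "run2", "task_id": "t2"},
]

def demo(check_body=True):
    """Return (accepted dag_ids, rejected dag_ids, auth lookups) for alice's request."""
    am = FakeAuthManager()
    accepted, rejected = categorize_wildcard_body(BODY, "alice", am, check_body)
    return [e["dag_id"] for e in accepted], [e["dag_id"] for e in rejected], am.calls
```

With the fix, the two dag_b entities are rejected after a single authorization lookup for dag_b, which is the caching behaviour the PR describes.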