Skip to content

Reserve /auth and /pluginsv2 from plugin url_prefix#66501

Merged
vincbeck merged 1 commit intoapache:mainfrom
potiuk:f-009-reserve-auth-pluginsv2
May 7, 2026
Merged

Reserve /auth and /pluginsv2 from plugin url_prefix#66501
vincbeck merged 1 commit intoapache:mainfrom
potiuk:f-009-reserve-auth-pluginsv2

Conversation

@potiuk
Copy link
Copy Markdown
Member

@potiuk potiuk commented May 7, 2026
edited
Loading

The framework mounts the auth-manager subapp under /auth and the FAB plugin shim under /pluginsv2, but RESERVED_URL_PREFIXES only listed /api/v2, /ui, and /execution. A trusted plugin attempting to mount under either of the missing prefixes was accepted and (because plugin init runs before the auth-manager mount) would shadow the auth routes.

Plugins are trusted code per Airflow's security model so this is defense-in-depth, not a vulnerability — but accidental collisions with the auth-manager / Flask-plugins mount points should be caught and logged like the other reserved prefixes.

Was generative AI tooling used to co-author this PR?
  • Yes — Claude Opus 4.7 (1M context)

Generated-by: Claude Opus 4.7 (1M context) following the guidelines

@boring-cyborg boring-cyborg Bot added the area:API Airflow's REST/HTTP API label May 7, 2026
@potiuk potiuk mentioned this pull request May 7, 2026
Open
@potiuk
Reserve /auth and /pluginsv2 from plugin url_prefix
f054156 
The framework mounts the auth-manager subapp under /auth and the FAB
plugin shim under /pluginsv2, but RESERVED_URL_PREFIXES only listed
/api/v2, /ui, and /execution. A trusted plugin attempting to mount under
either of the missing prefixes was accepted and (because plugin init runs
before the auth-manager mount) would shadow the auth routes.

Plugins are trusted code per Airflow's security model so this is
defense-in-depth, not a vulnerability — but accidental collisions with
the auth-manager / Flask-plugins mount points should be caught and
logged like the other reserved prefixes.
@potiuk potiuk force-pushed the f-009-reserve-auth-pluginsv2 branch from ff3c089 to f054156 Compare May 7, 2026 02:20
vincbeck
vincbeck approved these changes May 7, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@vincbeck vincbeck left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice!

@vincbeck vincbeck merged commit 1100afb into apache:main May 7, 2026
143 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vincbeck vincbeck vincbeck approved these changes

@ephraimbuddy ephraimbuddy Awaiting requested review from ephraimbuddy ephraimbuddy is a code owner

@pierrejeambrun pierrejeambrun Awaiting requested review from pierrejeambrun pierrejeambrun is a code owner

@rawwar rawwar Awaiting requested review from rawwar rawwar is a code owner

@jason810496 jason810496 Awaiting requested review from jason810496 jason810496 is a code owner

@bugraoz93 bugraoz93 Awaiting requested review from bugraoz93 bugraoz93 is a code owner

@shubhamraj-git shubhamraj-git Awaiting requested review from shubhamraj-git shubhamraj-git is a code owner

@choo121600 choo121600 Awaiting requested review from choo121600 choo121600 is a code owner

Assignees

No one assigned

Labels

area:API Airflow's REST/HTTP API

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@potiuk @vincbeck