
[v3-2-test] Check sensitive key names before applying recursion-depth cutoff in secrets masker (#65912)#66748

Merged
potiuk merged 1 commit into v3-2-test from backport-354391b-v3-2-test, May 13, 2026

Conversation

@github-actions
Contributor

`SecretsMasker._redact` short-circuited on `depth > max_depth` before
checking whether the current key name was sensitive
(`should_hide_value_for_key(name)`). For sensitive keys nested beyond
the recursion depth (default 5), the original value was returned
unchanged instead of being replaced with `***`.

Move the depth cutoff inside the `try:` block, after the
sensitive-key check, and let dict traversal continue past the cutoff
so deeper sensitive keys are still caught. Non-dict containers and
the string-pattern masker keep the depth-bounded behavior the cutoff
was added for. JSON-loaded payloads cannot be self-referential, and
any in-memory cycle hits Python's own recursion limit and falls
through the existing exception handler to "<redaction-failed>",
which preserves the fail-closed property.
(cherry picked from commit 354391b)

Co-authored-by: Jarek Potiuk <jarek@potiuk.com>
Generated-by: Claude Opus 4.7 (1M context) following the guidelines at
https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions
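The ordering bug described in the PR text, shown side by side with the fixed ordering, as an added example written for this page. This is not Airflow's `SecretsMasker` (the real one also handles Enums, Kubernetes env vars and a configurable name list); only the ordering of the checks, the `should_hide_value_for_key` name, the default `max_depth` of 5, and the `***` / `<redaction-failed>` markers come from the PR description. `SENSITIVE_KEYS`, `KNOWN_SECRETS`, `redact_before`, `redact_after`, `innermost` and all sample payloads are assumptions constructed here.

```python
"""Stand-in for the secrets-masker ordering bug; added example, not Airflow code.

From the PR text: check order, should_hide_value_for_key, max_depth=5,
"***", "<redaction-failed>". Assumed for the demo: SENSITIVE_KEYS,
KNOWN_SECRETS, redact_before/redact_after and every sample payload.
"""
from __future__ import annotations

import re
from typing import Any

DEFAULT_MAX_DEPTH = 5
# Assumption: tiny stand-ins for the configurable sensitive-name list and for
# the secret values the string-pattern masker has registered.
SENSITIVE_KEYS = re.compile(r"password|secret|token|api_key", re.IGNORECASE)
KNOWN_SECRETS = {"hunter2"}
_REPLACER = re.compile("|".join(re.escape(s) for s in sorted(KNOWN_SECRETS)))


def should_hide_value_for_key(name: Any) -> bool:
    """True when the key name itself marks the value as sensitive."""
    return isinstance(name, str) and SENSITIVE_KEYS.search(name) is not None


def _redact_all(item: Any) -> Any:
    """Everything under a sensitive key becomes '***', whatever its shape."""
    if isinstance(item, dict):
        return {k: _redact_all(v) for k, v in item.items()}
    if isinstance(item, (list, tuple)):
        return [_redact_all(v) for v in item]
    return "***"


def redact_before(item: Any, name: str | None = None, depth: int = 0,
                  max_depth: int = DEFAULT_MAX_DEPTH) -> Any:
    """Pre-fix ordering: depth cutoff first, key check second, so a sensitive
    key deeper than max_depth is never examined and its value leaks."""
    if depth > max_depth:  # BUG: runs before the sensitive-key check
        return item
    try:
        if name is not None and should_hide_value_for_key(name):
            return _redact_all(item)
        if isinstance(item, dict):
            return {k: redact_before(v, k, depth + 1, max_depth) for k, v in item.items()}
        if isinstance(item, str):
            return _REPLACER.sub("***", item)
        if isinstance(item, (list, tuple)):
            return [redact_before(v, None, depth + 1, max_depth) for v in item]
        return item
    except Exception:  # fail closed rather than leak
        return "<redaction-failed>"


def redact_after(item: Any, name: str | None = None, depth: int = 0,
                 max_depth: int = DEFAULT_MAX_DEPTH) -> Any:
    """Post-fix ordering: key check first, dicts always traversed, cutoff only
    for strings and non-dict containers. A cyclic in-memory structure recurses
    until Python raises RecursionError (an Exception subclass), which the
    handler turns into the fail-closed marker instead of a leak."""
    try:
        if name is not None and should_hide_value_for_key(name):
            return _redact_all(item)
        if isinstance(item, dict):  # keep walking so deep sensitive keys are seen
            return {k: redact_after(v, k, depth + 1, max_depth) for k, v in item.items()}
        if depth > max_depth:  # cutoff now sits after the key check
            return item
        if isinstance(item, str):
            return _REPLACER.sub("***", item)
        if isinstance(item, (list, tuple)):
            return [redact_after(v, None, depth + 1, max_depth) for v in item]
        return item
    except Exception:
        return "<redaction-failed>"


def innermost(obj: Any, limit: int = 100_000) -> Any:
    """Follow the first child of each container down to the leaf (demo helper)."""
    for _ in range(limit):
        if isinstance(obj, dict):
            obj = next(iter(obj.values()))
        elif isinstance(obj, (list, tuple)):
            obj = obj[0]
        else:
            return obj
    raise RuntimeError("container chain too long or cyclic")


def nested_dict(leaf: Any, keys: list[str]) -> dict:
    """Wrap leaf in one dict per key, outermost key first (constructed input)."""
    for key in reversed(keys):
        leaf = {key: leaf}
    return leaf


# Constructed payloads: "password" lands at depth 7, past the default cutoff of 5.
DEEP_SENSITIVE = nested_dict({"password": "hunter2"}, ["l1", "l2", "l3", "l4", "l5", "l6"])

# A bare secret string at depth 7 inside lists stays depth-bounded in both versions.
DEEP_LIST: Any = "hunter2"
for _ in range(7):
    DEEP_LIST = [DEEP_LIST]


def cyclic_payload() -> dict:
    """Self-referential dict, the in-memory cycle the PR text reasons about."""
    d: dict = {}
    d["self"] = d
    return d
```

`redact_before(DEEP_SENSITIVE)` hands `hunter2` back in clear because the `depth > max_depth` test fires at the dict holding the `password` key before that key is ever looked at; `redact_after` keeps descending through dicts, reaches the key and returns `***`. `DEEP_LIST` shows the behaviour the PR says is preserved: the string-pattern masker still stops at the cutoff, so only dict traversal was made unbounded. Feeding `cyclic_payload()` to `redact_after` ends in `<redaction-failed>` at the point where Python's recursion limit is hit.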

… cutoff in secrets masker (#65912)
@vatsrahul1001 vatsrahul1001 marked this pull request as ready for review May 13, 2026 13:03
@potiuk potiuk merged commit b5f0ec6 into v3-2-test May 13, 2026
71 checks passed
@potiuk potiuk deleted the backport-354391b-v3-2-test branch May 13, 2026 18:50
@vatsrahul1001 vatsrahul1001 added this to the Airflow 3.2.2 milestone May 15, 2026
@vatsrahul1001 vatsrahul1001 added the type:misc/internal Changelog: Misc changes that should appear in change log label May 18, 2026
vatsrahul1001 pushed a commit that referenced this pull request May 20, 2026
… cutoff in secrets masker (#65912) (#66748)