Skip to content

Quote file paths in Teradata TPT shell commands and pass the openssl passphrase via stdin#69380

Open
potiuk wants to merge 1 commit into
apache:mainfrom
potiuk:harden-teradata-tpt-shell-quoting
Open

Quote file paths in Teradata TPT shell commands and pass the openssl passphrase via stdin#69380
potiuk wants to merge 1 commit into
apache:mainfrom
potiuk:harden-teradata-tpt-shell-quoting

Conversation

@potiuk

@potiuk potiuk commented Jul 4, 2026

Copy link
Copy Markdown
Member

The Teradata provider's tpt_util.py and encryption_utils.py build several
shell commands (run locally or over SSH) that interpolate file paths directly,
and pass the openssl passphrase on the command line.

This hardens both:

  • Quote interpolated file paths with shlex.quote() in the POSIX shell
    commands (shred, the dd/rm fallback, chmod, which, and the
    openssl … -in/-out paths), so paths containing spaces or shell
    metacharacters are handled correctly and cannot alter the command.
  • Feed the openssl passphrase on stdin (-pass stdin) for the local
    generate_encrypted_file_with_openssl instead of -pass pass:<…>, so it is
    not exposed in the local host's process list.

Windows command branches and the remote SSH openssl -pass pass: path are left
unchanged (POSIX shlex.quote does not apply to cmd.exe, and moving the
passphrase off argv over the SSH channel would require reworking the shared
remote-exec helper — a larger change).

Tests

  • existing command-string assertions still pass (metacharacter-free paths
    are unchanged by shlex.quote)
  • new: shred / chmod commands quote paths with spaces / metacharacters
  • new: the openssl passphrase is fed on stdin and never appears on argv
Was generative AI tooling used to co-author this PR?
  • Yes — Claude Opus 4.8 (1M context)

Generated-by: Claude Opus 4.8 (1M context) following the guidelines at
https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions

…passphrase via stdin

The Teradata provider's tpt_util.py and encryption_utils.py build several shell
commands (run locally or over SSH) that interpolate file paths directly, and
pass the openssl passphrase on the command line.

Quote the interpolated file paths with shlex.quote() in the POSIX shell commands
(shred, the dd/rm fallback, chmod, which, and the openssl -in/-out paths) so
paths containing spaces or shell metacharacters are handled correctly, and feed
the openssl passphrase on stdin (-pass stdin) for the local
generate_encrypted_file_with_openssl so it is not exposed in the local host's
process list.

Windows command branches and the remote SSH openssl -pass pass: path are left
unchanged.

Generated-by: Claude Opus 4.8 (1M context) following the guidelines at
https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant