Don't crash attempting to mask secrets in dict with non-string keys (a…

…pache#16601) (cherry picked from commit 18cb0bb) (cherry picked from commit 6af516b) (cherry picked from commit a1f3daf)
astronomer · Jun 23, 2021 · bc82a23 · bc82a23
1 parent d3c5f8e
commit bc82a23
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/airflow/utils/log/secrets_masker.py b/airflow/utils/log/secrets_masker.py
@@ -72,7 +72,7 @@ def should_hide_value_for_key(name):
     """Should the value for this given name (Variable name, or key in conn.extra_dejson) be hidden"""
     from airflow import settings
 
-    if name and settings.HIDE_SENSITIVE_VAR_CONN_FIELDS:
+    if isinstance(name, str) and settings.HIDE_SENSITIVE_VAR_CONN_FIELDS:
         name = name.strip().lower()
         return any(s in name for s in get_sensitive_variables_fields())
     return False

diff --git a/tests/utils/log/test_secrets_masker.py b/tests/utils/log/test_secrets_masker.py
@@ -180,6 +180,8 @@ def test_mask_secret(self, name, value, expected_mask):
             ({"secret", "other"}, None, ["secret", "other"], ["***", "***"]),
             # We don't mask dict _keys_.
             ({"secret", "other"}, None, {"data": {"secret": "secret"}}, {"data": {"secret": "***"}}),
+            # Non string dict keys
+            ({"secret", "other"}, None, {1: {"secret": "secret"}}, {1: {"secret": "***"}}),
             (
                 # Since this is a sensitve name, all the values should be redacted!
                 {"secret"},
@@ -214,6 +216,7 @@ class TestShouldHideValueForKey:
             ("google_api_key", True),
             ("GOOGLE_API_KEY", True),
             ("GOOGLE_APIKEY", True),
+            (1, False),
         ],
     )
     def test_hiding_defaults(self, key, expected_result):