From c78687c82da9d1f5254fbb7c44b099e9a4a17f16 Mon Sep 17 00:00:00 2001
From: K1nako <105909793+K1nakoo@users.noreply.github.com>
Date: Mon, 16 Mar 2026 11:23:10 +0800
Subject: [PATCH 1/2] Add validation for API eFix: Add path sanitization for api_environment to prevent path traversalnvironment name

Validate the API environment name to allow only alphanumeric characters, dashes, and underscores.
---
 airflow-ctl/src/airflowctl/api/client.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/airflow-ctl/src/airflowctl/api/client.py b/airflow-ctl/src/airflowctl/api/client.py
index 0ef5d7cb16441..01c8a0ea6348b 100644
--- a/airflow-ctl/src/airflowctl/api/client.py
+++ b/airflow-ctl/src/airflowctl/api/client.py
@@ -22,6 +22,7 @@
 import getpass
 import json
 import logging
+import re
 import os
 import sys
 from collections.abc import Callable
@@ -160,7 +161,13 @@ def __init__(
     ):
         self.api_url = api_url
         self.api_token = api_token
-        self.api_environment = os.getenv("AIRFLOW_CLI_ENVIRONMENT") or api_environment
+        raw_env = os.getenv("AIRFLOW_CLI_ENVIRONMENT") or api_environment
+        if not re.match(r'^[a-zA-Z0-9_.-]+$', raw_env):
+            raise ValueError(
+                f"Invalid environment name: '{raw_env}'. "
+                "Only alphanumeric characters, dashes, and underscores are allowed."
+            )
+        self.api_environment = raw_env
         self.client_kind = client_kind
 
     @property

From ea987f5713e8c1561b5c0f71c6f5b1d9f2335c0f Mon Sep 17 00:00:00 2001
From: K1nako <105909793+K1nakoo@users.noreply.github.com>
Date: Mon, 16 Mar 2026 18:03:38 +0800
Subject: [PATCH 2/2] Reorder import statements in client.py

---
 airflow-ctl/src/airflowctl/api/client.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/airflow-ctl/src/airflowctl/api/client.py b/airflow-ctl/src/airflowctl/api/client.py
index 01c8a0ea6348b..e8eb87e7d54e7 100644
--- a/airflow-ctl/src/airflowctl/api/client.py
+++ b/airflow-ctl/src/airflowctl/api/client.py
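Review bot: The check at `if not re.match(r'^[a-zA-Z0-9_.-]+$', raw_env):` is weaker than the error message below it claims: the character class admits `.`, so a value such as `..` is accepted, and `$` in `re.match` also matches before a trailing newline, so `"prod\n"` passes as well. Use `re.fullmatch` and either drop the dot from the class or reject the `.` and `..` components explicitly, e.g. `if not re.fullmatch(r"[A-Za-z0-9_-]+", raw_env):`, and keep the message in step with whatever the class finally allows. If `api_environment` can still be `None` when `AIRFLOW_CLI_ENVIRONMENT` is unset (its default is outside the hunk), `re.match` raises `TypeError` instead of the intended `ValueError`, so a `raw_env is None or` guard in the same condition is worth adding. `__init__` begins outside the hunk.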
@@ -22,8 +22,8 @@
 import getpass
 import json
 import logging
-import re
 import os
+import re
 import sys
 from collections.abc import Callable
 from functools import wraps