Skip to content

Fix: Add path sanitization for api_environment to prevent path traversal#63708

Closed
K1nakoo wants to merge 4 commits into
apache:mainfrom
K1nakoo:K1nakoo-patch-2
Closed

Fix: Add path sanitization for api_environment to prevent path traversal#63708
K1nakoo wants to merge 4 commits into
apache:mainfrom
K1nakoo:K1nakoo-patch-2

Conversation

@K1nakoo

@K1nakoo K1nakoo commented Mar 16, 2026

Copy link
Copy Markdown

What does this PR do?

This PR introduces a strict regex validation for the api_environment variable (populated via CLI arguments or AIRFLOW_CLI_ENVIRONMENT) within the Credentials class of airflowctl.

Why is this needed?

Currently, the environment name is directly passed to os.path.join(default_config_dir, f"{self.api_environment}.json") without any sanitization.
While airflowctl is a client tool, it is frequently executed in automated CI/CD pipelines where the environment variable might be populated dynamically (e.g., from a Git branch name or GitHub Actions runner). If an untrusted input containing directory traversal sequences (like ../../../tmp/evil) is passed, it could unintentionally write .json files outside the target configuration directory, leading to potential CI pipeline configuration overrides.

This patch enforces a Defense-in-Depth approach, ensuring that only valid, safe alphanumeric names (including dashes, periods, and underscores) are processed, completely mitigating the risk of path traversal.

Testing done

  • Verified that valid environment names (e.g., production, dev.env-1) work as expected.
  • Verified that providing a traversal payload (e.g., ../evil) correctly raises a ValueError and halts execution before any file system operations occur.

Was generative AI tooling used to co-author this PR?
  • Yes (Gemini)

Generated-by: Gemini following the guidelines

K1nakoo added 3 commits March 16, 2026 11:23
…t to prevent path traversalnvironment name

Validate the API environment name to allow only alphanumeric characters, dashes, and underscores.
@K1nakoo K1nakoo changed the title K1nakoo patch 2 Fix: Add path sanitization for api_environment to prevent path traversal Mar 16, 2026

@Srabasti Srabasti left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Line 165 needs double quotes " instead of single quotes ' causing static checks to fail.
Please run prek locally and then push changes from branch to repo @K1nakoo !!

@potiuk

potiuk commented Mar 17, 2026

Copy link
Copy Markdown
Member

@K1nakoo This PR has a few issues that need to be addressed before it can be reviewed — please see our Pull Request quality criteria.

Issues found:

  • Pre-commit / static checks: Failing: CI image checks / Static checks. Run prek run --from-ref main locally to find and fix issues. See Pre-commit / static checks docs.

Note: Your branch is 24 commits behind main. Some check failures may be caused by changes in the base branch rather than by your PR. Please rebase your branch and push again to get up-to-date CI results.

What to do next:

  • The comment informs you what you need to do.
  • Fix each issue, then mark the PR as "Ready for review" in the GitHub UI - but only after making sure that all the issues are fixed.
  • There is no rush — take your time and work at your own pace. We appreciate your contribution and are happy to wait for updates.
  • Maintainers will then proceed with a normal review.

There is no rush — take your time and work at your own pace. We appreciate your contribution and are happy to wait for updates. If you have questions, feel free to ask on the Airflow Slack.


Note: This comment was drafted by an AI-assisted triage tool and may contain mistakes. Once you have addressed the points above, an Apache Airflow maintainer — a real person — will take the next look at your PR. We use this two-stage triage process so that our maintainers' limited time is spent where it matters most: the conversation with you.

@SameerMesiah97 SameerMesiah97 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not a bad idea but it is too strict, which risks breaking existing deployments. Also, there are no tests at all. At minimum, I think you should cover both valid and invalid inputs.

self.api_token = api_token
self.api_environment = os.getenv("AIRFLOW_CLI_ENVIRONMENT") or api_environment
raw_env = os.getenv("AIRFLOW_CLI_ENVIRONMENT") or api_environment
if not re.match(r'^[a-zA-Z0-9_.-]+$', raw_env):

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is too strict. What about existing valid api_environment values like 'team:prod', or 'prod v2'?Previously this accepted any string, but now it is limited to , so these would fail. Since this comes from CLI/env, this could break real usages.

Seems like it would be better to loosen restriction to only block / and ..

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you please move your comment to the original PR? #63691

@bugraoz93

Copy link
Copy Markdown
Contributor

#63691 duplicate

@bugraoz93 bugraoz93 closed this Apr 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants