This is an automated email from the ASF dual-hosted git repository. ash pushed a commit to branch v2-0-test in repository https://gitbox.apache.org/repos/asf/airflow.git
commit cfeeb1474e74c8ccc08ebb5c9714c8772723b092 Author: Xiaodong DENG <[email protected]> AuthorDate: Thu Apr 1 23:02:28 2021 +0200 Fix password masking in CLI action_logging (#15143) Currently, as long as the argument '-p' is present, the code tries to mask it. However, '-p' may mean something else (not a password), such as a boolean flag. Such cases may result in an exception. (cherry picked from commit 486b76438c0679682cf98cb88ed39c4b161cbcc8) --- airflow/utils/cli.py | 20 +++++++++++--------- tests/utils/test_cli_util.py | 10 ++++++++++ 2 files changed, 21 insertions(+), 9 deletions(-) diff --git a/airflow/utils/cli.py b/airflow/utils/cli.py index 68a0b44..fc73dfc 100644 --- a/airflow/utils/cli.py +++ b/airflow/utils/cli.py 
@@ -110,17 +110,19 @@ def _build_metrics(func_name, namespace): """ from airflow.models import Log + sub_commands_to_check = {'users', 'connections'} sensitive_fields = {'-p', '--password', '--conn-password'} full_command = list(sys.argv) - for idx, command in enumerate(full_command): # pylint: disable=too-many-nested-blocks - if command in sensitive_fields: - # For cases when password is passed as "--password xyz" (with space between key and value) - full_command[idx + 1] = "*" * 8 - else: - # For cases when password is passed as "--password=xyz" (with '=' between key and value) - for sensitive_field in sensitive_fields: - if command.startswith(f'{sensitive_field}='): - full_command[idx] = f'{sensitive_field}={"*" * 8}' + if full_command[1] in sub_commands_to_check: # pylint: disable=too-many-nested-blocks + for idx, command in enumerate(full_command): + if command in sensitive_fields: + # For cases when password is passed as "--password xyz" (with space between key and value) + full_command[idx + 1] = "*" * 8 + else: + # For cases when password is passed as "--password=xyz" (with '=' between key and value) + for sensitive_field in sensitive_fields: + if command.startswith(f'{sensitive_field}='): + full_command[idx] = f'{sensitive_field}={"*" * 8}' metrics = { 'sub_command': func_name, diff --git a/tests/utils/test_cli_util.py b/tests/utils/test_cli_util.py index c567f44..6d88f66 100644 --- a/tests/utils/test_cli_util.py +++ b/tests/utils/test_cli_util.py 
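Review bot: `full_command[1]` in the new guard is read without a length check, so an invocation whose `sys.argv` holds a single element raises IndexError inside the logging path; `if len(full_command) > 1 and full_command[1] in sub_commands_to_check:` avoids that. The same applies to `full_command[idx + 1] = "*" * 8`, which the commit keeps: a checked sub-command that ends in a bare `-p` or `--password` still indexes past the end, and `if command in sensitive_fields and idx + 1 < len(full_command):` would cover it. Because masking now runs only under `users` and `connections` and only for the three listed flags, any other argument that carries a credential (a connection URI with an embedded password, for example) is presumably recorded as typed; that is worth confirming against the parser's option list. `_build_metrics` starts and ends outside this hunk.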
@@ -112,9 +112,19 @@ class TestCliUtil(unittest.TestCase): "airflow connections add dsfs --conn-login asd --conn-password test --conn-type google", "airflow connections add dsfs --conn-login asd --conn-password ******** --conn-type google", ), + ( + "airflow scheduler -p", + "airflow scheduler -p", + ), + ( + "airflow celery flower -p 8888", + "airflow celery flower -p 8888", + ), ] ) def test_cli_create_user_supplied_password_is_masked(self, given_command, expected_masked_command): + # '-p' value which is not password, like 'airflow scheduler -p' + # or 'airflow celery flower -p 8888', should not be masked args = given_command.split() expected_command = expected_masked_command.split()
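Review bot: The two new cases only pin the not-masked path, so nothing here exercises the boundaries the new guard introduces: a checked sub-command ending in a bare flag such as `airflow users create -p`, and an argv with no sub-command at all. Adding those as parametrized cases would show whether the masking loop raises instead of producing a log record. The explanatory comment would also read better next to the tuples it describes than inside the test body, e.g. `# '-p' is not a password for these sub-commands, so it must stay unmasked` above the `"airflow scheduler -p"` pair. The test method's body continues outside the hunk, so how `sys.argv` is patched is not visible here.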
