Taragolis commented on code in PR #26162:
URL: https://github.com/apache/airflow/pull/26162#discussion_r963737962


##########
airflow/providers/docker/hooks/docker.py:
##########
@@ -66,46 +81,51 @@ def __init__(
 
         if not docker_conn_id:
             raise AirflowException('No Docker connection id provided')
-
-        conn = self.get_connection(docker_conn_id)
-
-        if not conn.host:
-            raise AirflowException('No Docker URL provided')
-        if not conn.login:
-            raise AirflowException('No username provided')
-        extra_options = conn.extra_dejson
-
+        self.docker_conn_id = docker_conn_id
         self.__base_url = base_url
         self.__version = version
         self.__tls = tls
         self.__timeout = timeout
-        if conn.port:
-            self.__registry = f"{conn.host}:{conn.port}"
-        else:
-            self.__registry = conn.host
-        self.__username = conn.login
-        self.__password = conn.password
-        self.__email = extra_options.get('email')
-        self.__reauth = extra_options.get('reauth') != 'no'
 
-    def get_conn(self) -> APIClient:
+    @cached_property
+    def api_client(self) -> APIClient:
+        """Create connection to docker host and login to the docker 
registries. (cached)"""
+        conn = self.get_connection(self.docker_conn_id)
         client = APIClient(
             base_url=self.__base_url, version=self.__version, tls=self.__tls, 
timeout=self.__timeout
         )
-        self.__login(client)
+
+        credential_helper = conn.extra_dejson.get("credential_helper")
+        if not credential_helper:
+            # If not specified credential helper than retrieve information 
from Connection.
+            credential_helper = AirflowConnectionDockerCredentialHelper
+            credential_helper_kwargs = {}
+        else:
+            credential_helper = import_string(credential_helper)
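Review bot: The dotted path passed to `import_string` on the last line of this hunk is read directly from `conn.extra_dejson.get("credential_helper")`, and nothing visible here limits which module it may name, so in effect whoever can write the connection's extra field selects what the worker imports. A type check on the returned object would only run after the import has happened, so the constraint belongs on the string before the call, for example `if credential_helper not in ALLOWED_CREDENTIAL_HELPERS: raise AirflowException("Unsupported credential helper")`, where `ALLOWED_CREDENTIAL_HELPERS` is a placeholder name for a set of registered helper paths and not something defined in this file. The `else:` branch and the rest of `api_client` continue outside the quoted hunk, so any handling that follows the import is not visible here.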

Review Comment:
   I mean the most likely attack relies on the fact that both `import_string` and 
`import` load the module first.
   
   Some sample
   
   ```python
   # airflow.providers.exploit.hooks.some_db_api
   
   def unsafe_code():
       """Grab fernet key from configs, nudes, decode, send to someone and post 
on Twitter."""
       ...
   
   unsafe_code()
   
   class SomeDbApiHook(DbApiHook):
       conn_type = "awesome_conn_type"
       ...
   
   ```
   
   So it would be the same if user call
   1. `from airflow.providers.exploit.hooks.some_db_api import  SomeDbApiHook`
   2. 
`import_string("airflow.providers.exploit.hooks.some_db_api.SomeDbApiHook")`
   3. Or use airflow.providers.slack.transfers.sql_to_slack.SqlToSlackOperator 
in Airflow < 2.3 with connection type referenced to `awesome_conn_type`
   


