rickyzhang82 commented on PR #32293: URL: https://github.com/apache/airflow/pull/32293#issuecomment-1633002304
@ephraimbuddy It is unclear to me how DAG RUN ID could exploit illegal file access, given the limited information from [CVE-2023-22887](https://nvd.nist.gov/vuln/detail/CVE-2023-22887). But rather than fixing the root cause, we impose a default regex pattern check `allowed_run_id_pattern = ^[A-Za-z0-9_.~:+-]+$`. How can we guarantee that the string from this pattern won't generate any malicious code? Shouldn't we address the root cause instead? We don't fix the SQL injection by limiting the string from users with regex. We validate the SQL string with prepared statements. Regex itself is not a validation but a restriction. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
