ZuhairORZaki commented on PR #36469: URL: https://github.com/apache/airflow/pull/36469#issuecomment-1871496890
> In addition, there is no possibility to create a DAG ID with this `<img src='x' onerror='alert(1)'>` name because it would fail on validation
>
> https://github.com/apache/airflow/blob/e9ba37bb58da0e3d6739ec063f7160f50487d3b8/airflow/utils/helpers.py#L50-L60
>
> And the original regex is a bit different from the one in this PR
>
> https://github.com/apache/airflow/blob/e9ba37bb58da0e3d6739ec063f7160f50487d3b8/airflow/utils/helpers.py#L42
>
> So there is also a chance that the change proposed by this PR, rather than fixing something, just breaks someone's pipeline

`^[\w.-]+$` matches alphanumeric characters, dashes, dots and underscores. `\w` is short for `a-zA-Z0-9_`. `^a-zA-Z0-9_\-` matches everything except alphanumeric characters, dash and underscore in order to filter them out. So `.` is missing from the PR regex, as I wasn't aware dots were also allowed. Thank you for pointing that out.

It can be added, but if `validate_key` is invoked in the pipeline prior to the request being processed, then there is no need to further sanitize `dag_id`. If that is indeed the case, can you describe where in the pipeline `validate_key` is called on the request parameters, so that we can better identify such cases in future and not report them needlessly?

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
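The exchange above turns on the difference between the two regexes: the `validate_key` pattern `^[\w.-]+$` rejects anything that is not a word character, dot or dash, whereas a strip based on the PR's class (without the dot) silently rewrites an id that validation would have accepted. The following script is an added illustration, not code from the PR or from Airflow: it reproduces the quoted `validate_key` pattern locally rather than importing it, and assumes the PR's class is applied as a negated character class in `re.sub` (the comment shows only `^a-zA-Z0-9_\-`). The sample ids are constructed; one is the payload from the thread. Because Python's `\w` on a `str` pattern is Unicode-aware, the example also shows a non-ASCII id that passes validation but is mangled by the ASCII-only strip.

```python
import re

# Pattern quoted from validate_key in the thread (reproduced here, not imported
# from airflow). In Python 3, \w on a str pattern also matches non-ASCII letters.
KEY_REGEX = re.compile(r"^[\w.-]+$")

# Assumed form of the PR's sanitizer: a negated class used with re.sub to drop
# every character it does not list. Note that '.' is absent from the class.
PR_STRIP_REGEX = re.compile(r"[^a-zA-Z0-9_\-]")


def is_valid_key(dag_id: str) -> bool:
    """Accept exactly what the quoted validate_key regex accepts."""
    return KEY_REGEX.match(dag_id) is not None


def pr_sanitize(dag_id: str) -> str:
    """Apply the PR-style strip: remove every character outside the class."""
    return PR_STRIP_REGEX.sub("", dag_id)


def compare(dag_ids):
    """For each candidate id, report whether validate_key accepts it, what the
    PR-style strip turns it into, and whether stripping altered a value that
    validation would have accepted (the 'breaks someone's pipeline' case)."""
    rows = []
    for dag_id in dag_ids:
        valid = is_valid_key(dag_id)
        stripped = pr_sanitize(dag_id)
        rows.append(
            {
                "dag_id": dag_id,
                "passes_validate_key": valid,
                "after_pr_strip": stripped,
                "valid_but_altered": valid and stripped != dag_id,
            }
        )
    return rows


# Constructed sample ids; the third one is the payload quoted in the thread.
SAMPLE_IDS = [
    "etl_daily",
    "etl.daily-v2",
    "<img src='x' onerror='alert(1)'>",
    "résumé_loader",
]

if __name__ == "__main__":
    for row in compare(SAMPLE_IDS):
        print(row)
```

Running it shows the payload already fails `validate_key` (so rejecting it there is sufficient), while `etl.daily-v2` and `résumé_loader` both pass validation yet come back changed from the strip, which is the regression the reviewer is warning about. Validation that rejects bad input is the safer pattern here; a lossy strip changes the identity of legitimate ids.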
