potiuk commented on issue #38836: URL: https://github.com/apache/airflow/issues/38836#issuecomment-2077941191
> I'm curious if that was really necessary or we could have just not passed sensitive info and relied on the connection object etc.

See https://nvd.nist.gov/vuln/detail/CVE-2023-51702, which has all details of what happened in the past (including PR fixing it). And yes - it's been fixed by passing a reference to configuration rather than a dictionary of configuration.

During the discussion in the security team we agreed that this is not at all obvious for those who create Triggers - including 3rd-party triggers, because they might not be aware that the database might keep sensitive information.

Indeed. It's not necessary, but it prevents a number of security issues - including those that users might add in their code accidentally.
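The difference the comment describes, sketched as an added example (not Airflow's code and not the fix from the linked PR): a trigger's serialized kwargs are what ends up stored, so a configuration dictionary carries its secrets along while a reference does not. It is modelled on the `(classpath, kwargs)` tuple a trigger's `serialize()` returns; the class names, the `CONNECTIONS` store, the row layout and the key list are assumptions made for illustration.

```python
import json

# Constructed stand-in for a connection/secrets store kept outside the trigger row.
CONNECTIONS = {"k8s_default": {"host": "https://cluster.example", "token": "s3cr3t-constructed"}}
# Assumed list of key names treated as sensitive by the audit below.
SENSITIVE_KEYS = {"token", "password", "secret", "client_key", "private_key"}

class DictConfigTrigger:
    """'Before' pattern: the whole configuration dictionary becomes a trigger kwarg."""
    def __init__(self, config):
        self.config = config

    def serialize(self):
        return ("example.DictConfigTrigger", {"config": self.config})

class ReferenceTrigger:
    """'After' pattern: only a reference is serialized; config is resolved at run time."""
    def __init__(self, conn_id):
        self.conn_id = conn_id

    def serialize(self):
        return ("example.ReferenceTrigger", {"conn_id": self.conn_id})

    def resolve(self):
        return CONNECTIONS[self.conn_id]

def persisted_row(trigger):
    """JSON a metadata-database row would hold for this trigger (hypothetical layout)."""
    classpath, kwargs = trigger.serialize()
    return json.dumps({"classpath": classpath, "kwargs": kwargs}, sort_keys=True)

def sensitive_paths(value, path="kwargs"):
    """Walk serialized kwargs and return the paths whose key name looks sensitive."""
    hits = []
    if isinstance(value, dict):
        for key, item in value.items():
            here = f"{path}.{key}"
            if str(key).lower() in SENSITIVE_KEYS:
                hits.append(here)
            hits.extend(sensitive_paths(item, here))
    elif isinstance(value, (list, tuple)):
        for i, item in enumerate(value):
            hits.extend(sensitive_paths(item, f"{path}[{i}]"))
    return hits

def audit(trigger):
    """Return sensitive-looking paths in what the trigger would persist."""
    return sensitive_paths(trigger.serialize()[1])
```

A check like `audit()` can run in a unit test for a third-party trigger, failing the build when serialized kwargs contain sensitive-looking keys.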
