amarlearning commented on code in PR #48194:
URL: https://github.com/apache/airflow/pull/48194#discussion_r2018266466
##########
task-sdk/src/airflow/sdk/execution_time/secrets_masker.py:
##########
@@ -345,7 +345,10 @@ def add_mask(self, secret: str | dict | Iterable, name:
str | None = None):
new_mask = True
if new_mask:
- self.replacer = re.compile("|".join(self.patterns))
+ # Match pattern followed by either end of string or
non-alphanumeric character
+ # This prevents matching substrings within words while
handling special characters
+ pattern = r"\b(" + "|".join(self.patterns) +
r")(?=$|[^a-zA-Z0-9])"
+ self.replacer = re.compile(pattern)
Review Comment:
Why was the original implementation using partial matching (where any
occurrence of a sensitive value would be masked, even as a substring) instead
of word boundary matching?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
