(airflow) branch main updated: Sanitize Username (#52419)

Sat, 28 Jun 2025 11:52:03 -0700 

This is an automated email from the ASF dual-hosted git repository.

potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/main by this push:
     new fb94109212b Sanitize Username (#52419)
fb94109212b is described below

commit fb94109212b53fb71e40f0378df861dcd98e67b3
Author: bu <[email protected]>
AuthorDate: Sat Jun 28 14:50:18 2025 -0400

    Sanitize Username (#52419)
    
    Escape user.username in flash banners to prevent potential HTML injection
---
 .../providers/fab/auth_manager/security_manager/override.py       | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git 
a/providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py
 
b/providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py
index 2a74e680b91..db260f7e9cf 100644
--- 
a/providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py
+++ 
b/providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py
@@ -62,7 +62,7 @@ from flask_babel import lazy_gettext
 from flask_jwt_extended import JWTManager
 from flask_login import LoginManager
 from itsdangerous import want_bytes
-from markupsafe import Markup
+from markupsafe import Markup, escape
 from sqlalchemy import func, inspect, or_, select
 from sqlalchemy.exc import MultipleResultsFound
 from sqlalchemy.orm import joinedload
@@ -547,8 +547,9 @@ class 
FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
             user_session_model = interface.sql_session_model
             num_sessions = session.query(user_session_model).count()
             if num_sessions > MAX_NUM_DATABASE_USER_SESSIONS:
+                safe_username = escape(user.username)
                 self._cli_safe_flash(
-                    f"The old sessions for user {user.username} have 
<b>NOT</b> been deleted!<br>"
+                    f"The old sessions for user {safe_username} have 
<b>NOT</b> been deleted!<br>"
                     f"You have a lot ({num_sessions}) of user sessions in the 
'SESSIONS' table in "
                     f"your database.<br> "
                     "This indicates that this deployment might have an 
automated API calls that create "
@@ -565,9 +566,10 @@ class 
FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
                         session.delete(s)
                 session.commit()
         else:
+            safe_username = escape(user.username)
             self._cli_safe_flash(
                 "Since you are using `securecookie` session backend mechanism, 
we cannot prevent "
-                f"some old sessions for user {user.username} to be reused.<br> 
If you want to make sure "
+                f"some old sessions for user {safe_username} to be reused.<br> 
If you want to make sure "
                 "that the user is logged out from all sessions, you should 
consider using "
                 "`database` session backend mechanism.<br> You can also change 
the 'secret_key` "
                 "webserver configuration for all your webserver instances and 
restart the webserver. "

Reply via email to