This is an automated email from the ASF dual-hosted git repository.

potiuk pushed a commit to branch v3-0-test
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/v3-0-test by this push:
     new 012bfb517f7 [v3-0-test] Sanitize Username (#52419) (#52421)
012bfb517f7 is described below

commit 012bfb517f78b28fe4a03660a54de4ea87e26d59
Author: github-actions[bot] 
<41898282+github-actions[bot]@users.noreply.github.com>
AuthorDate: Sat Jun 28 20:51:32 2025 +0200

    [v3-0-test] Sanitize Username (#52419) (#52421)
    
    Escape user.username in flash banners to prevent potential HTML injection
    (cherry picked from commit fb94109212b53fb71e40f0378df861dcd98e67b3)
    
    Co-authored-by: bu <[email protected]>
---
 .../providers/fab/auth_manager/security_manager/override.py       | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git 
a/providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py
 
b/providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py
index 7cb4377a956..5f1653db990 100644
--- 
a/providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py
+++ 
b/providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py
@@ -61,7 +61,7 @@ from flask_babel import lazy_gettext
 from flask_jwt_extended import JWTManager
 from flask_login import LoginManager
 from itsdangerous import want_bytes
-from markupsafe import Markup
+from markupsafe import Markup, escape
 from sqlalchemy import func, inspect, or_, select
 from sqlalchemy.exc import MultipleResultsFound
 from sqlalchemy.orm import joinedload
@@ -539,8 +539,9 @@ class 
FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
             user_session_model = interface.sql_session_model
             num_sessions = session.query(user_session_model).count()
             if num_sessions > MAX_NUM_DATABASE_USER_SESSIONS:
+                safe_username = escape(user.username)
                 self._cli_safe_flash(
-                    f"The old sessions for user {user.username} have 
<b>NOT</b> been deleted!<br>"
+                    f"The old sessions for user {safe_username} have 
<b>NOT</b> been deleted!<br>"
                     f"You have a lot ({num_sessions}) of user sessions in the 
'SESSIONS' table in "
                     f"your database.<br> "
                     "This indicates that this deployment might have an 
automated API calls that create "
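Review bot: Escaping `user.username` by hand on the new line leaves the rest of this f-string as a manual allow-list — the message already interpolates `num_sessions`, which is safe only because it happens to be an int, and any value added to the banner later will go into the markup unescaped unless the author remembers to call `escape()`. If `_cli_safe_flash` wraps its argument in `Markup` so the `<b>`/`<br>` tags render (the file imports `Markup`; the helper itself is outside this hunk), the more robust form is to build the message with markupsafe's own formatter, e.g. `Markup("The old sessions for user {} have <b>NOT</b> been deleted!<br>You have a lot ({}) of user sessions ...").format(user.username, num_sessions)`, which escapes every argument automatically and keeps the literal tags intact. The `self._cli_safe_flash(...)` call continues past the end of the hunk.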
@@ -557,9 +558,10 @@ class 
FabAirflowSecurityManagerOverride(AirflowSecurityManagerV2):
                         session.delete(s)
                 session.commit()
         else:
+            safe_username = escape(user.username)
             self._cli_safe_flash(
                 "Since you are using `securecookie` session backend mechanism, 
we cannot prevent "
-                f"some old sessions for user {user.username} to be reused.<br> 
If you want to make sure "
+                f"some old sessions for user {safe_username} to be reused.<br> 
If you want to make sure "
                 "that the user is logged out from all sessions, you should 
consider using "
                 "`database` session backend mechanism.<br> You can also change 
the 'secret_key` "
                 "webserver configuration for all your webserver instances and 
restart the webserver. "
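Review bot: `safe_username = escape(user.username)` is now computed identically in both arms of this `if`/`else` (the database-backend arm earlier in the method adds the same line); hoisting that one line above the outer `if` removes the duplication and guarantees any future branch flashes the escaped value as well. The outer `if` header is outside this hunk, so I cannot confirm there is no intervening code that would make the hoist unsafe. Separately, the new-side text in this banner still reads `'secret_key`` with a mismatched quote/backtick pair; while touching this message it is worth normalizing it to `` `secret_key` `` to match the `` `securecookie` `` and `` `database` `` spellings on the surrounding lines.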
