ashb commented on code in PR #52876:
URL: https://github.com/apache/airflow/pull/52876#discussion_r2185422962
##########
airflow-core/src/airflow/dag_processing/bundles/manager.py:
##########
@@ -81,6 +83,54 @@ def _add_example_dag_bundle(config_list):
)
+def _is_safe_bundle_url(url: str) -> bool:
+ """
+ Check if a bundle URL is safe to use.
+
+ This function validates that the URL:
+ - Uses HTTP or HTTPS schemes (no JavaScript, data, or other schemes)
+ - Is properly formatted
+ - Doesn't contain malicious content
+ """
+ from urllib.parse import urlparse
+
+ if not url:
+ return False
+
+ try:
+ parsed = urlparse(url)
+ if parsed.scheme not in {"http", "https"}:
+ return False
+
+ if not parsed.netloc:
+ return False
+
+ if ";" in url:
+ return False
+ if any(ord(c) < 32 for c in url):
+ return False
+
+ return True
+ except Exception:
+ return False
+
+
+def _sign_bundle_url(url: str, bundle_name: str) -> str:
+ """
+ Sign a bundle URL for integrity verification.
+
+ :param url: The URL to sign
+ :param bundle_name: The name of the bundle (used in the payload)
+ :return: The signed URL token
+ """
+ serializer = URLSafeSerializer(conf.get_mandatory_value("api",
"secret_key"))
Review Comment:
Why not use Fernet?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
