ephraimbuddy commented on code in PR #52876:
URL: https://github.com/apache/airflow/pull/52876#discussion_r2239018366


##########
airflow-core/src/airflow/dag_processing/bundles/manager.py:
##########
@@ -81,6 +83,54 @@ def _add_example_dag_bundle(config_list):
     )
 
 
+def _is_safe_bundle_url(url: str) -> bool:
+    """
+    Check if a bundle URL is safe to use.
+
+    This function validates that the URL:
+    - Uses HTTP or HTTPS schemes (no JavaScript, data, or other schemes)
+    - Is properly formatted
+    - Doesn't contain malicious content
+    """
+    from urllib.parse import urlparse
+
+    if not url:
+        return False
+
+    try:
+        parsed = urlparse(url)
+        if parsed.scheme not in {"http", "https"}:
+            return False
+
+        if not parsed.netloc:
+            return False
+
+        if ";" in url:
+            return False

Review Comment:
   I was thinking it could lead to a path manipulation attack. WDYT?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
