ephraimbuddy commented on code in PR #52876:
URL: https://github.com/apache/airflow/pull/52876#discussion_r2239279230
##########
airflow-core/src/airflow/dag_processing/bundles/manager.py:
##########
@@ -81,6 +83,54 @@ def _add_example_dag_bundle(config_list):
)
+def _is_safe_bundle_url(url: str) -> bool:
+ """
+ Check if a bundle URL is safe to use.
+
+ This function validates that the URL:
+ - Uses HTTP or HTTPS schemes (no JavaScript, data, or other schemes)
+ - Is properly formatted
+ - Doesn't contain malicious content
+ """
+ from urllib.parse import urlparse
+
+ if not url:
+ return False
+
+ try:
+ parsed = urlparse(url)
+ if parsed.scheme not in {"http", "https"}:
+ return False
+
+ if not parsed.netloc:
+ return False
+
+ if ";" in url:
+ return False
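Review bot: The `if ";" in url` check at the end of this hunk rejects well-formed URLs, since RFC 3986 allows ";" in the path and query components, and it excludes nothing that the `parsed.scheme not in {"http", "https"}` and `parsed.netloc` checks have not already handled. Either drop it or replace it with a check for the specific characters that are a concern at the point where the URL is rendered. The docstring bullet "Doesn't contain malicious content" also promises more than the visible checks deliver; list the concrete conditions instead (scheme allowlist, non-empty netloc) so callers do not treat a True result as a general sanitization guarantee. As a style point, `from urllib.parse import urlparse` can live at module level rather than inside the function.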
Review Comment:
Got it. Take a look again at the PR; it now only checks if it's http/https and
if it has a control character.