potiuk commented on PR #54045: URL: https://github.com/apache/airflow/pull/54045#issuecomment-3146281825
> (I'm not sure why it's only flagging it on this PR though, as nothing about that code path has changed in a while.)

As explained above - because CodeQL re-evaluates and reapplies checks when code changes after the code around it has been modified (it has been, with secrets masking) and you previously marked it as a false positive - that's why it did not report it again until secrets masking was modified.

I think that issue is really dangerous - despite "rarity". This is quite prone to targeted attacks. If an **attacker** (for example a UI user) finds a way to crash the secrets masker/redacting by injecting - for example - a bad parameter, they could potentially inject such bad data and deliberately trigger printing of non-redacted redactable information.

I'd say we should print the error as a warning, but the item should only be printed in debug mode.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
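An added illustration (not code from the PR or from Airflow's own secrets masker) of the fail-open versus fail-closed behaviour discussed in the comment above; the `SECRETS` list, the `Opaque` type and the toy `redact_value` are constructed for the demo:

```python
import logging

logger = logging.getLogger("secrets_masker_demo")

# Constructed secrets for the demo only (hypothetical values).
SECRETS = ["hunter2", "sk-abc123"]


class Opaque:
    """Constructed stand-in for an unexpected, possibly attacker-supplied object."""
    def __init__(self, payload):
        self.payload = payload

    def __repr__(self):
        return f"Opaque({self.payload!r})"


def redact_value(item):
    """Toy masker: replaces known secrets in str/dict/list; raises on unknown types."""
    if isinstance(item, str):
        for s in SECRETS:
            item = item.replace(s, "***")
        return item
    if isinstance(item, dict):
        return {k: redact_value(v) for k, v in item.items()}
    if isinstance(item, (list, tuple)):
        return type(item)(redact_value(v) for v in item)
    raise TypeError(f"cannot redact {type(item).__name__}")


def redact_fail_open(item):
    """Risky pattern: the raw item is logged at WARNING when redaction crashes."""
    try:
        return redact_value(item)
    except Exception as exc:
        logger.warning("Unable to redact %r: %s", item, exc)  # leaks the item
        return item


def redact_fail_closed(item):
    """Pattern proposed in the comment: warn about the error, show the item only at DEBUG."""
    try:
        return redact_value(item)
    except Exception as exc:
        logger.warning("Unable to redact %s value: %s", type(item).__name__, exc)
        logger.debug("Unredactable item was: %r", item)
        return "<redaction failed>"


def logged_messages(func, item, level):
    """Run func(item) and return the messages a handler at `level` would receive."""
    records = []
    handler = logging.Handler(level)
    handler.emit = lambda rec: records.append(rec.getMessage())
    logger.addHandler(handler)
    old_level, old_prop = logger.level, logger.propagate
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    try:
        func(item)
    finally:
        logger.removeHandler(handler)
        logger.setLevel(old_level)
        logger.propagate = old_prop
    return records
```

With a production handler at WARNING, the fail-open variant writes the secret-bearing object into the log, while the fail-closed variant only reveals it to a DEBUG-level handler.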
