potiuk commented on issue #54090: URL: https://github.com/apache/airflow/issues/54090#issuecomment-3167142876
> We don't currently, correct, but we could probably very easily detect this via User-Agent header. Or the other option is to create a different UI-only endpoint (we already have other such endpoints)

This can be spoofed by an attacker potentially (via injecting javascript etc.). I think the only way to prevent it is to have a completely separate authentication mechanism dedicated to the endpoint that returns the data.

How about just dropping export via "airflowctl"? If we consider it really dangerous, we might only leave it for direct access via the "airflow" command. And that even makes perfect sense, because exporting/importing a connection is almost like you export/import a database, and for that you need to have access to the database.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
