potiuk commented on PR #57594: URL: https://github.com/apache/airflow/pull/57594#issuecomment-3476632387
Current model absolutely does not allow any exposure of sensitive data via remote API - independently of permissions. My proposal that I am going to bring to devlist, if there is no opposition in the security thread, is to remove that export/import functionality for UI and leave a comment that you need to use local CLI. I think it would be very wrong to allow any remote access to sensitive data when there were voices how "lame" it is that we do it - previously we were doing exactly this: the sensitive data was sent over to UI for those who had "connection write access", so if we allow that, we would be back to square one and we would be invalidating the CVE we just announced, so I would be surprised to see that happening.
