Re: [PR] Fix: Making sure sensitive data is always masked in airflowctl [airflow]

Thu, 01 Jan 2026 09:43:56 -0800 


jscheffl commented on code in PR #59998:
URL: https://github.com/apache/airflow/pull/59998#discussion_r2656514416


##########
airflow-core/src/airflow/api_fastapi/core_api/services/public/config.py:
##########
@@ -16,29 +16,32 @@
 # under the License.
 from __future__ import annotations
 
-from fastapi import HTTPException, status
+from fastapi import HTTPException, status, Request
 from fastapi.responses import Response
 
 from airflow.api_fastapi.common.types import Mimetype
 from airflow.api_fastapi.core_api.datamodels.config import Config
 from airflow.configuration import conf
 
 
-def _check_expose_config() -> bool:
-    display_sensitive: bool | None = None
+def _check_expose_config(request: Request | None = None) -> bool:
     if conf.get("api", "expose_config").lower() == "non-sensitive-only":
         expose_config = True
-        display_sensitive = False
     else:
         expose_config = conf.getboolean("api", "expose_config")
-        display_sensitive = True
 
     if not expose_config:
         raise HTTPException(
             status_code=status.HTTP_403_FORBIDDEN,
             detail="Your Airflow administrator chose not to expose the 
configuration, most likely for security reasons.",
         )
-    return display_sensitive
+    if request:
+        user_agent = request.headers.get("user-agent", "")
+        if "apache-airflow-ctl/" in user_agent:
+            return False
+    if conf.get("api", "expose_config").lower() == "non-sensitive-only":
+        return False
+    return True

Review Comment:
   Unfortunately this can not be done. This is not adding security. It is very 
easy to spoof the user agent header in the browser or client, would be bad to 
use this to gain access.
   
   Feedback: Sensitive data shoul dnot be displayed, I assume the main and 
important change is the config.yml below, if there are other entries missing 
they need to be added there.
   
   From point of understanding the signature of the function 
`_check_expose_config()` is misleading, maybe it should be renamed to 
`_check_expose_sensitive_config()`. It should return a bool if the sensitive 
data can be exposed or raise an exception if config is not to be exposed at all.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to