saifxyzyz commented on code in PR #59998:
URL: https://github.com/apache/airflow/pull/59998#discussion_r2656552908
##########
airflow-core/src/airflow/api_fastapi/core_api/services/public/config.py:
##########
@@ -16,29 +16,32 @@
# under the License.
from __future__ import annotations
-from fastapi import HTTPException, status
+from fastapi import HTTPException, status, Request
from fastapi.responses import Response
from airflow.api_fastapi.common.types import Mimetype
from airflow.api_fastapi.core_api.datamodels.config import Config
from airflow.configuration import conf
-def _check_expose_config() -> bool:
- display_sensitive: bool | None = None
+def _check_expose_config(request: Request | None = None) -> bool:
if conf.get("api", "expose_config").lower() == "non-sensitive-only":
expose_config = True
- display_sensitive = False
else:
expose_config = conf.getboolean("api", "expose_config")
- display_sensitive = True
if not expose_config:
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="Your Airflow administrator chose not to expose the
configuration, most likely for security reasons.",
)
- return display_sensitive
+ if request:
+ user_agent = request.headers.get("user-agent", "")
+ if "apache-airflow-ctl/" in user_agent:
+ return False
+ if conf.get("api", "expose_config").lower() == "non-sensitive-only":
+ return False
+ return True
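Review bot: The guard `if request:` on the new user-agent branch relies on the truthiness of a Starlette `Request`, which (as far as I recall) is a `Mapping` over the ASGI scope and so is falsy for an empty scope rather than only for `None`; since the parameter is typed `Request | None`, the intended check is `if request is not None:`. The `conf.get("api", "expose_config").lower()` lookup is also evaluated twice in the new body (once in the first `if` and again before the final `return`), so hoisting it once at the top, e.g. `expose_config_setting = conf.get("api", "expose_config").lower()`, and reusing it in both conditions keeps the two branches from drifting. With `display_sensitive` gone, nothing states what the boolean return means anymore; a docstring such as `"""Raise 403 unless config exposure is enabled; return True when sensitive values may be shown."""` would document the contract for the router code that calls this helper. The import line now reads `HTTPException, status, Request`, which an import sorter would reorder to `HTTPException, Request, status`.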
Review Comment:
Yes, it would be very easy to spoof; I have made the requested changes.