potiuk opened a new pull request, #62429: URL: https://github.com/apache/airflow/pull/62429
Potential fix for [https://github.com/apache/airflow/security/code-scanning/564](https://github.com/apache/airflow/security/code-scanning/564)

General fix approach: Ensure that any user-controlled data incorporated into a redirect URL cannot alter the destination and is safely encoded. Here, we keep the same redirect behaviour (still redirecting either to Keycloak's `end_session_endpoint` with query parameters or to the local `logout_callback`) but make sure the `id_token` value is safely URL-encoded before inserting it into `logout_url`.

Best concrete fix without changing functionality:

- Import `quote` from `urllib.parse`.
- Before constructing `logout_url`, URL-encode `id_token` with `quote(safe="")` so that any special characters are percent-encoded and cannot interfere with the query structure.
- Use this encoded value in the f-string building `logout_url`.

Specific changes in `providers/keycloak/src/airflow/providers/keycloak/auth_manager/routes/login.py`:

1. Add `from urllib.parse import quote` alongside the existing imports near the top of the file.
2. In `logout`, after retrieving `id_token = request.cookies.get(COOKIE_NAME_ID_TOKEN)`, if `id_token` is present, transform it with `id_token = quote(id_token, safe="")` before interpolating it into `logout_url`.

No new methods or complex logic are needed; just the import and encoding step.

---

_Suggested fixes powered by Copilot Autofix. Review carefully before merging._

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
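As an added example that is not part of the pull request or of the Airflow code base, the Python block below contrasts raw interpolation of the cookie value with the `quote(id_token, safe="")` step the PR describes, and checks that the encoded token occupies exactly one query value. The endpoint URLs and the query parameter names (`id_token_hint`, `post_logout_redirect_uri`) are assumptions for illustration, not the provider's own constants.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Constructed stand-ins for the example; the real provider reads these from
# Keycloak's discovery document and its own configuration.
END_SESSION_ENDPOINT = "https://keycloak.example.com/realms/airflow/protocol/openid-connect/logout"
LOGOUT_CALLBACK = "https://airflow.example.com/auth/logout_callback"


def build_logout_url_unsafe(id_token: str) -> str:
    """The 'before' shape: the cookie value lands in the URL verbatim."""
    return (
        f"{END_SESSION_ENDPOINT}?id_token_hint={id_token}"
        f"&post_logout_redirect_uri={LOGOUT_CALLBACK}"
    )


def build_logout_url(id_token: str) -> str:
    """The fix from the PR: percent-encode every reserved character first.

    quote(..., safe="") leaves unreserved characters (letters, digits, '-', '_',
    '.', '~') untouched, so a well-formed JWT is emitted unchanged, while '&',
    '=', '#', '/' and friends become %XX escapes that cannot terminate or
    extend the query string.
    """
    return (
        f"{END_SESSION_ENDPOINT}?id_token_hint={quote(id_token, safe='')}"
        f"&post_logout_redirect_uri={LOGOUT_CALLBACK}"
    )


def query_params(url: str) -> dict[str, list[str]]:
    """Parse the query part the way the receiving server would."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def logout_url_is_intact(url: str, expected_token: str) -> bool:
    """True when the token round-trips as the single id_token_hint value, the
    post-logout redirect is still exactly our callback, and nothing has been
    pushed into a URL fragment."""
    params = query_params(url)
    return (
        params.get("id_token_hint") == [expected_token]
        and params.get("post_logout_redirect_uri") == [LOGOUT_CALLBACK]
        and urlsplit(url).fragment == ""
    )
```

A well-formed token such as `eyJh.eyJz.SflK` is unchanged by the encoding step, so the fix only affects cookie values that already contain characters a JWT never carries.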
