0x0OZ opened a new pull request, #63161: URL: https://github.com/apache/airflow/pull/63161
## Description

Currently, if a Connection's extra field contains an unstructured string (e.g., a raw Bearer token), the redact_extra validator in ConnectionResponse catches the JSONDecodeError and returns the plaintext payload. This fails open, exposing legacy or misconfigured secrets via the REST API to any user with can_read on Connections.

## Fix

Modified the exception handler to fail closed. If the extra payload cannot be parsed as JSON for targeted redaction, the entire string is now masked with the standard "***" sentinel.

## Testing

Added parametrized test test_get_should_redact_non_json_extra to validate blanket redaction across raw tokens, query strings, and plaintext formats.

##### Was generative AI tooling used to co-author this PR?

- [X] Yes

Tool: Claude Code

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
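
The fail-open and fail-closed handling described in the PR above, side by side, as an added example that is not the PR's or Airflow's own code. The function names, the `SENSITIVE_FRAGMENTS` list and all sample values are constructed for illustration; masking valid JSON that is not an object goes beyond what the PR text describes and is an assumption of this example.

```python
import json

MASK = "***"  # sentinel named in the PR description
# Assumption: constructed list of sensitive key fragments, not Airflow's own.
SENSITIVE_FRAGMENTS = ("password", "secret", "token", "api_key")


def _redact_value(key, value):
    """Mask anything stored under a sensitive key; recurse into containers."""
    if any(frag in str(key).lower() for frag in SENSITIVE_FRAGMENTS):
        return MASK  # checked first so nested data under a sensitive key is masked whole
    if isinstance(value, dict):
        return {k: _redact_value(k, v) for k, v in value.items()}
    if isinstance(value, list):
        return [_redact_value(key, v) for v in value]
    return value


def redact_extra_fail_open(extra):
    """'Before' behaviour from the PR text: unparseable extra is returned as-is."""
    if not extra:
        return extra
    try:
        parsed = json.loads(extra)
    except json.JSONDecodeError:
        return extra  # fails open: the plaintext value reaches the API response
    return json.dumps(_redact_value("", parsed))


def redact_extra_fail_closed(extra):
    """'After' behaviour: whatever cannot be redacted key by key is masked whole."""
    if not extra:
        return extra
    try:
        parsed = json.loads(extra)
    except json.JSONDecodeError:
        return MASK
    if not isinstance(parsed, dict):
        # Assumption beyond the PR text: a JSON scalar or array has no keys
        # to target, so it is treated like an unparseable string.
        return MASK
    return json.dumps(_redact_value("", parsed))
```
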
