This is an automated email from the ASF dual-hosted git repository.
pierrejeambrun pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new 09ed27a11d6 Add ConnectionResponse serializer safeguard (#63883)
09ed27a11d6 is described below
commit 09ed27a11d63db6895a73f47bb934daa7588970c
Author: Pierre Jeambrun <[email protected]>
AuthorDate: Mon Mar 23 14:47:49 2026 +0100
Add ConnectionResponse serializer safeguard (#63883)
---
.../src/airflow/api_fastapi/core_api/datamodels/connections.py | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git
a/airflow-core/src/airflow/api_fastapi/core_api/datamodels/connections.py
b/airflow-core/src/airflow/api_fastapi/core_api/datamodels/connections.py
index f7cb944ebbf..a44edb5b91b 100644
--- a/airflow-core/src/airflow/api_fastapi/core_api/datamodels/connections.py
+++ b/airflow-core/src/airflow/api_fastapi/core_api/datamodels/connections.py
@@ -60,8 +60,13 @@ class ConnectionResponse(BaseModel):
redacted_dict = redact(extra_dict)
return json.dumps(redacted_dict)
except json.JSONDecodeError:
- # we can't redact fields in an unstructured `extra`
- return v
+ # Do not return un-redacted extra because this could cause
sensitive information to be exposed.
+ # This code path should never been hit as
``Connection._validate_extra`` sure that ``extra`` is
+ # always a valid JSON string. We add this safeguard just in case
and to make the coupling
+ # explicit.
+ raise ValueError(
+ "This code path should never happen as persisted Connections
(DB layer) should always enforce `extra` as a JSON string."
+ )
class ConnectionCollectionResponse(BaseModel):
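Review bot: The `ValueError` raised in the `except json.JSONDecodeError:` branch keeps the raw `extra` out of the response body, but it may still leak through the error path. The decorator is outside the hunk; if this method is a Pydantic validator, Pydantic wraps the exception in a `ValidationError` whose default rendering includes `input_value=...`, so the un-redacted string could end up in server logs or tracebacks. Consider setting `hide_input_in_errors=True` in the model config, or confirm that whatever handles this exception never logs the error's input. A test that feeds a non-JSON `extra` and asserts the value is absent from the raised error's text would pin the safeguard. The new comment also has two slips: `should never been hit` should read `should never be hit`, and `sure that` should read `ensures that`.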