eladkal opened a new pull request, #64180: URL: https://github.com/apache/airflow/pull/64180
**Note: The Google BidManager API operator was added in https://github.com/apache/airflow/pull/62521 and is not yet released thus there is no security risk**

The operator only blocked `file://` URLs from the Bid Manager API response, leaving it open to SSRF via http, ftp, or arbitrary https hosts. Replaced the blocklist with an allowlist that only permits `https://storage.googleapis.com` and `https://storage.cloud.google.com`. Updated tests to cover both allowed GCS domains and several SSRF vectors.

---

##### Was generative AI tooling used to co-author this PR?

- [X] Yes — Kiro (Claude Opus 4.6)

Generated-by: Kiro (Claude Opus 4.6) following [the guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions)

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
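An added example, not code from the pull request or from Airflow: one way to express the allowlist check described above, so that only `https` URLs on the two GCS hosts named in the description pass. The function name `is_allowed_report_url`, the rejection of userinfo and non-443 ports, and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# The two hosts come from the PR description; everything else is an assumption.
ALLOWED_HOSTS = frozenset({"storage.googleapis.com", "storage.cloud.google.com"})


def is_allowed_report_url(url):
    """Return True only for https URLs whose host is exactly an allowed GCS host."""
    # Reject non-strings and embedded whitespace/control characters up front,
    # since URL parsers and HTTP clients may normalise them differently.
    if not isinstance(url, str) or any(c.isspace() or ord(c) < 0x20 for c in url):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":  # blocks file://, http://, ftp://, scheme-less
        return False
    # "https://allowed-host@other-host/" parses with other-host as the real host.
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443):  # assumption: stricter than the PR text requires
        return False
    # Exact match on the parsed hostname, never a prefix/suffix/substring test.
    return parts.hostname in ALLOWED_HOSTS


# Constructed sample URLs (hypothetical bucket and host names).
SAMPLES = [
    "https://storage.googleapis.com/bucket/report.csv",
    "https://storage.cloud.google.com/bucket/report.csv",
    "file:///etc/passwd",
    "http://storage.googleapis.com/bucket/report.csv",
    "ftp://storage.googleapis.com/report.csv",
    "https://internal.example/report.csv",
    "https://storage.googleapis.com.internal.example/report.csv",
    "https://storage.googleapis.com@internal.example/report.csv",
]


def allowed_samples():
    """Return the subset of SAMPLES that the allowlist accepts."""
    return [u for u in SAMPLES if is_allowed_report_url(u)]


if __name__ == "__main__":
    for u in SAMPLES:
        print("ALLOW" if is_allowed_report_url(u) else "DENY ", u)
```

The check validates only the URL it is given; an HTTP client that follows redirects needs the same check applied to each redirect target, or redirects disabled.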
