orbisai0security opened a new pull request, #66417: URL: https://github.com/apache/airflow/pull/66417
## Summary

Fix critical severity security issue in `providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py`.

## Vulnerability

| Field | Value |
|-------|-------|
| **ID** | V-001 |
| **Severity** | CRITICAL |
| **Scanner** | multi_agent_ai |
| **Rule** | `V-001` |
| **File** | `providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py:2421` |

**Description**: The LDAP authentication handler in the Flask-AppBuilder security manager constructs LDAP filter strings using Python f-string interpolation, directly embedding the user-supplied username value without any escaping or sanitization. An attacker can supply a crafted username such as `admin)(|(uid=*` to break out of the intended filter structure and craft an arbitrary LDAP query. This can result in authentication bypass, granting access as any LDAP user including administrators, or enumeration of all directory entries.

## Changes

- `providers/fab/src/airflow/providers/fab/auth_manager/security_manager/override.py`

## Verification

- [x] Build passes
- [x] Scanner re-scan confirms fix
- [x] LLM code review passed

---

*Automated security fix by [OrbisAI Security](https://orbisappsec.com)*

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
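The following is an added, stand-alone illustration of the defect class the PR describes and of the standard remediation; it is not the PR's diff, nor code from Airflow or Flask-AppBuilder. The filter template `(&(uid=...)(objectClass=person))`, the function names and the sample usernames are constructed for this example. The escaping implemented inline is the RFC 4515 assertion-value encoding; in a real code base you would call the LDAP client library's own helper (`ldap.filter.escape_filter_chars` in python-ldap, `ldap3.utils.conv.escape_filter_chars` in ldap3) rather than hand-rolling it. The small structural check at the end is a constructed way to show, in a unit test, that the hardened builder keeps the query shape fixed no matter what the user supplies.

```python
"""Added example (not the PR's code): LDAP filter injection and RFC 4515 escaping.

The vulnerable builder mirrors the pattern the scanner flags: a user-supplied
username is dropped into an LDAP search filter via an f-string. The hardened
builder escapes the characters RFC 4515 reserves before interpolation.
Everything here (template, names, sample values) is constructed for illustration.
"""

# RFC 4515 section 3: inside an assertion value these characters must be
# written as a backslash followed by two hex digits of the byte value.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_chars(value: str) -> str:
    """Encode a string for safe use as an LDAP filter assertion value.

    Same behaviour as the escaping helpers shipped by python-ldap and ldap3;
    written inline so this example runs without an LDAP library installed.
    """
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_vulnerable(username: str, uid_field: str = "uid") -> str:
    """The flagged pattern: raw interpolation of untrusted input (kept only for comparison)."""
    return f"(&({uid_field}={username})(objectClass=person))"


def build_filter_hardened(username: str, uid_field: str = "uid") -> str:
    """Same query, but the user-supplied value is escaped before interpolation."""
    return f"(&({uid_field}={escape_filter_chars(username)})(objectClass=person))"


def count_filter_items(ldap_filter: str) -> int:
    """Count the attribute-value items in a filter, skipping escaped characters.

    Constructed structural check: an unescaped "(" that is not followed by an
    operator (& | !) starts an item. For the template above the count must be
    exactly 2; any other value means the input altered the query structure.
    """
    items = 0
    i = 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":
            i += 3  # skip the "\XX" escape sequence as a unit
            continue
        if ch == "(" and ldap_filter[i + 1 : i + 2] not in ("&", "|", "!"):
            items += 1
        i += 1
    return items


EXPECTED_ITEMS = 2  # fixed by the template: one uid item, one objectClass item


def filter_structure_intact(username: str) -> bool:
    """True when the hardened builder yields the template's shape for this input."""
    return count_filter_items(build_filter_hardened(username)) == EXPECTED_ITEMS


if __name__ == "__main__":
    # The crafted value from the PR description, used here as a regression input.
    crafted = "admin)(|(uid=*"
    print("vulnerable:", build_filter_vulnerable(crafted),
          "items =", count_filter_items(build_filter_vulnerable(crafted)))
    print("hardened:  ", build_filter_hardened(crafted),
          "items =", count_filter_items(build_filter_hardened(crafted)))
    for name in ("alice", crafted, "back\\slash", "wild*card"):
        print(f"{name!r:20} structure intact: {filter_structure_intact(name)}")
```

Run as a script it prints both filters for the crafted username side by side: the vulnerable one grows a third item (the injected `(uid=*)` under an `|`), the hardened one stays at two because every reserved character has become a `\XX` escape that the directory server treats as literal text. The `filter_structure_intact` check is the kind of assertion worth keeping in the test suite next to the fix, so a later refactor that drops the escaping fails a test rather than a scanner re-scan.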
