potiuk opened a new pull request, #66501: URL: https://github.com/apache/airflow/pull/66501
The framework mounts the auth-manager subapp under `/auth` and the FAB plugin shim under `/pluginsv2`, but `RESERVED_URL_PREFIXES` only listed `/api/v2`, `/ui`, and `/execution`. A trusted plugin attempting to mount under either of the missing prefixes was accepted and (because plugin init runs before the auth-manager mount) would shadow the auth routes.

Plugins are trusted code per Airflow's security model, so this is defense-in-depth, not a vulnerability — but accidental collisions with the auth-manager / Flask-plugins mount points should be caught and logged like the other reserved prefixes.

Reported in apache/tooling-agents#23 (ASVS L1 finding F-009).

---

##### Was generative AI tooling used to co-author this PR?

- [X] Yes — Claude Opus 4.7 (1M context)

Generated-by: Claude Opus 4.7 (1M context) following [the guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions)
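The collision check the PR describes, as an added illustration that is not Airflow's code: the reserved list below mirrors the five prefixes named above, the plugin names and mount paths are constructed sample input, and the comparison is done on path segments (case-sensitive, like the router) so that a plugin mounted at an ancestor or descendant of a reserved prefix is also caught.

```python
import logging
from typing import Dict, Iterable, List, Optional

log = logging.getLogger(__name__)

# Mirrors the prefixes named in the PR: the three already listed plus /auth and /pluginsv2.
RESERVED_URL_PREFIXES = ("/api/v2", "/ui", "/execution", "/auth", "/pluginsv2")


def _segments(prefix: str) -> List[str]:
    """Split a URL prefix into its non-empty path segments ('/auth/' -> ['auth'])."""
    return [s for s in prefix.strip().split("/") if s]


def collides_with_reserved(url_prefix: str,
                           reserved: Iterable[str] = RESERVED_URL_PREFIXES) -> Optional[str]:
    """Return the reserved prefix that `url_prefix` would shadow, or None.

    Two mounts collide when one is a segment-wise prefix of the other: a plugin at
    '/api' captures '/api/v2', and a plugin at '/auth/extra' steals part of '/auth'
    when it is mounted first. A root mount ('/') collides with everything.
    """
    plugin = _segments(url_prefix)
    for r in reserved:
        res = _segments(r)
        n = min(len(plugin), len(res))
        if plugin[:n] == res[:n]:
            return r
    return None


def validate_plugin_mounts(mounts: Dict[str, str]) -> Dict[str, str]:
    """Keep only mounts that avoid reserved prefixes; log and drop the rest."""
    accepted: Dict[str, str] = {}
    for name, prefix in mounts.items():
        hit = collides_with_reserved(prefix)
        if hit is not None:
            log.warning("Plugin %r requested mount %r, which collides with reserved "
                        "prefix %r; skipping it", name, prefix, hit)
            continue
        accepted[name] = prefix
    return accepted


# Constructed sample: two harmless plugins and two that would shadow framework routes.
SAMPLE_PLUGIN_MOUNTS = {
    "metrics": "/metrics",
    "rogue_auth": "/auth",
    "legacy": "/pluginsv2/old",
    "ok_api": "/api/v1",
}

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(validate_plugin_mounts(SAMPLE_PLUGIN_MOUNTS))
```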
