github-actions[bot] opened a new pull request, #67096: URL: https://github.com/apache/airflow/pull/67096
* Tighten deserialization allowlist regex to use full-string match

  The ``allowed_deserialization_classes_regexp`` allowlist used ``re.match()``, which only anchors at the start of the string. A pattern like ``airflow\.models\.Variable`` therefore also admitted classnames such as ``airflow.models.Variable_Malicious``. Switch to ``re.fullmatch()`` so the admin's pattern matches the entire classname; document the semantics in the config description so operators know to use ``.*`` for prefix-style allowances.

* Add newsfragment for #66499

---------

(cherry picked from commit 80f1ab4d5a0f8b83873ce31f32b89d341f667b6f)

Co-authored-by: Jarek Potiuk <[email protected]>
Co-authored-by: Rahul Vats <[email protected]>

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
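The difference between the two anchoring behaviours described in the PR, as an added example that is not code from the Airflow PR itself. The allowlist pattern is the one quoted above; the classnames are constructed samples (``airflow.models.VariableLookalike`` is made up for illustration), and the two checker functions stand in for the pre-fix and post-fix behaviour.

```python
import re

# The operator's allowlist pattern quoted in the PR description.
ALLOWLIST_PATTERN = r"airflow\.models\.Variable"

# Constructed sample classnames: the intended class, two look-alikes that
# share its prefix, and an unrelated class that must be rejected either way.
SAMPLE_CLASSNAMES = [
    "airflow.models.Variable",
    "airflow.models.Variable_Malicious",
    "airflow.models.VariableLookalike",  # hypothetical name, for illustration only
    "airflow.models.Connection",
]


def is_allowed_match(classname: str, pattern: str) -> bool:
    """Pre-fix behaviour: re.match() anchors only at the start of the string,
    so any classname that merely begins with the pattern is admitted."""
    return re.match(pattern, classname) is not None


def is_allowed_fullmatch(classname: str, pattern: str) -> bool:
    """Post-fix behaviour: re.fullmatch() requires the pattern to cover the
    whole classname, so trailing characters cause a rejection."""
    return re.fullmatch(pattern, classname) is not None


def compare_allowlists(pattern: str, classnames: list[str]) -> dict[str, tuple[bool, bool]]:
    """Return {classname: (re.match result, re.fullmatch result)} for each sample,
    so the admitted set under each check can be compared side by side."""
    return {
        name: (is_allowed_match(name, pattern), is_allowed_fullmatch(name, pattern))
        for name in classnames
    }


if __name__ == "__main__":
    for name, (loose, strict) in compare_allowlists(ALLOWLIST_PATTERN, SAMPLE_CLASSNAMES).items():
        print(f"{name:36} re.match={loose!s:5} re.fullmatch={strict}")
    # Prefix-style allowance under the new semantics: the operator appends ``.*``
    # explicitly, which makes the broader scope visible in the config rather than implicit.
    for name, (_, strict) in compare_allowlists(ALLOWLIST_PATTERN + r".*", SAMPLE_CLASSNAMES).items():
        print(f"{name:36} re.fullmatch with '.*' suffix={strict}")
```

Running it shows the look-alike names admitted under ``re.match`` but rejected under ``re.fullmatch``, while the unrelated class is rejected by both.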
