pierrejeambrun opened a new pull request, #67185:
URL: https://github.com/apache/airflow/pull/67185
Apply the same fail-closed pattern as #66504 to the newly added
`requires_access_event_log` in #67112.
The dependency reads `event_log_id` from `request.path_params` and parses it
with `int()`. On `ValueError`, the original code silently fell through to
`event_log_id = None`, which collapses the per-DAG `AUDIT_LOG` scoping back to
the generic check — the exact bypass `requires_access_event_log` was introduced
to close.
Raise `HTTPException(400)` on the parse failure before any authz decision,
mirroring the non-string `dag_id` rejection added to `requires_access_backfill`
in #66504. This is unreachable through the current `GET
/eventLogs/{event_log_id}` route (FastAPI's `event_log_id: int` annotation
already returns 422 for non-integers before the dependency runs), but defends
future routes that might read the path param as a raw string.
Tests cover `"abc"`, `"1.5"`, `"1,2"`, and `""` — each must return 400 and
must not consult `requires_access_dag` or the DB.
---
##### Was generative AI tooling used to co-author this PR?
- [X] Yes — Claude Code (Opus 4.7)
Generated-by: Claude Code (Opus 4.7) following [the
guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
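The fail-open versus fail-closed behaviour described in the PR, as an added example that is not code from the PR or from Airflow. It is a simplified model that runs without FastAPI: `authorize`, `run`, the stand-in `HTTPException`, and the sample data are hypothetical and constructed for illustration.

```python
class HTTPException(Exception):
    """Stand-in for fastapi.HTTPException so the example runs without FastAPI."""
    def __init__(self, status_code, detail=""):
        super().__init__(detail)
        self.status_code = status_code

# Constructed sample data: event log id -> owning DAG, and DAGs each user may audit.
EVENT_LOG_DAG = {1: "finance_dag", 2: "public_dag"}
USER_AUDIT_DAGS = {"alice": {"public_dag"}}

def authorize(path_params, user, fail_closed, checks):
    """Hypothetical dependency; `checks` records every authz check consulted."""
    raw = path_params.get("event_log_id")
    event_log_id = None
    if raw is not None:
        try:
            event_log_id = int(raw)
        except ValueError:
            if fail_closed:
                # Reject before any authorization decision is made.
                raise HTTPException(400, "event_log_id must be an integer")
            # Fail-open variant: silently continue with event_log_id = None.
    if event_log_id is None:
        checks.append("generic")  # unscoped check: any audit-log access at all
        allowed = user in USER_AUDIT_DAGS
    else:
        dag_id = EVENT_LOG_DAG.get(event_log_id)
        checks.append(f"dag:{dag_id}")  # per-DAG scoped check
        allowed = dag_id in USER_AUDIT_DAGS.get(user, set())
    if not allowed:
        raise HTTPException(403, "Forbidden")
    return event_log_id

def run(raw, fail_closed, user="alice"):
    """Return (HTTP status, checks consulted) for one raw path parameter."""
    checks = []
    try:
        authorize({"event_log_id": raw}, user, fail_closed, checks)
        return 200, checks
    except HTTPException as exc:
        return exc.status_code, checks

if __name__ == "__main__":
    for raw in ["2", "1", "abc", "1.5", "1,2", ""]:
        print(repr(raw), "open:", run(raw, False), "closed:", run(raw, True))
```

In the fail-open variant every malformed value is decided by the generic check alone, while the fail-closed variant returns 400 with no authorization check consulted.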