kaxil commented on code in PR #62343:
URL: https://github.com/apache/airflow/pull/62343#discussion_r3292563283


##########
airflow-core/src/airflow/api_fastapi/core_api/routes/public/connections.py:
##########
@@ -259,6 +283,94 @@ def test_connection(test_body: ConnectionBody) -> 
ConnectionTestResponse:
         os.environ.pop(conn_env_var, None)
 
 
+@connections_router.post(
+    "/enqueue-test",
+    status_code=status.HTTP_202_ACCEPTED,
+    responses=create_openapi_http_exception_doc(
+        [
+            status.HTTP_403_FORBIDDEN,
+            status.HTTP_409_CONFLICT,
+            status.HTTP_422_UNPROCESSABLE_ENTITY,
+        ]
+    ),
+    dependencies=[Depends(requires_access_connection(method="POST")), 
Depends(action_logging())],
+)
+def enqueue_connection_test(
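Review bot: In the decorator's `dependencies=[Depends(requires_access_connection(method="POST")), ...]` entry, the access check is given only the HTTP method, so nothing in these lines ties it to the connection the request targets. If the decision has to depend on who owns the stored connection, run the check in a dependency or handler step that loads that row first, and keep the failure mapped to the `status.HTTP_403_FORBIDDEN` already declared in `responses`.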

Review Comment:
   **Cross-team privilege escalation via enqueue.**
   
   The POST endpoint authorizes against the `team_name` in `test_body`, but the 
existing `Connection` row identified by `connection_id` may belong to a 
different team. Combined with `commit_on_success=True`, a user with POST rights 
on team A can submit a test for a team B `connection_id` with new credentials, 
and on a successful test the row gets overwritten with team A payload.
   
   Resolve the team from the row before authz:
   
   ```python
   actual_team = Connection.get_team_name(test_body.connection_id, session)
   requires_access_connection("POST", team_name=actual_team)
   ```
   
   and reject if `test_body.team_name` is set and doesn't match.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
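
The check described in the review comment, as an added, self-contained model that is not code from the PR or from Airflow: `EnqueueRequest`, `USER_POST_TEAMS`, the in-memory store and both `enqueue_*` functions are hypothetical names with constructed data. It contrasts authorizing against the team named in the request body with authorizing against the team stored on the row.

```python
from dataclasses import dataclass
from typing import Optional

class Forbidden(Exception):
    """Caller lacks POST rights on the team that owns the connection."""

class TeamMismatch(Exception):
    """Request names a team other than the stored owner."""

@dataclass
class EnqueueRequest:  # hypothetical stand-in for the PR's request body
    connection_id: str
    team_name: Optional[str]
    payload: dict
    commit_on_success: bool = True

# Constructed sample data: which teams each user holds POST rights on.
USER_POST_TEAMS = {"alice": {"team_a"}, "carol": {"team_a", "team_b"}}

def fresh_store():
    """Constructed sample state: connection_id -> owning team and stored payload."""
    return {"warehouse_db": {"team": "team_b", "payload": {"password": "b-secret"}}}

def _authorize(user, team):
    if team not in USER_POST_TEAMS.get(user, set()):
        raise Forbidden(f"{user} lacks POST access")

def _test_and_commit(store, req):
    # Stand-in for a connection test that succeeds; the commit overwrites the row.
    if req.commit_on_success:
        store[req.connection_id]["payload"] = req.payload

def enqueue_trusting_body(store, user, req):
    """Flawed: the team being authorized comes from the request body."""
    _authorize(user, req.team_name)
    _test_and_commit(store, req)

def enqueue_resolving_owner(store, user, req):
    """Hardened: the team being authorized comes from the stored row."""
    row = store.get(req.connection_id)
    if row is None:
        raise LookupError(req.connection_id)
    _authorize(user, row["team"])  # authz first, so errors do not reveal the owner
    if req.team_name is not None and req.team_name != row["team"]:
        raise TeamMismatch(f"{req.connection_id} is not owned by {req.team_name}")
    _test_and_commit(store, req)
```
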
