potiuk opened a new pull request, #67500:
URL: https://github.com/apache/airflow/pull/67500

   `action_logging` passes the raw `logical_date` query parameter into 
`logger.exception("... %s", value)` via Python's standard logging module on 
parse failure. On deployments configured with a non-JSON (plain-text) log 
formatter, an attacker could supply a value containing newline characters to 
forge fake log entries (CWE-117 log injection).
   
   The path is narrow — only exploitable on non-default plain-text formatters 
AND only when the user triggers a parse failure — but the fix is cheap.
   
   Reported as F-018 in the [`apache/tooling-agents` L3 ASVS sweep 
`0920c77`](https://github.com/apache/tooling-agents/issues/23).
   
   ## Change
   
   Add `_sanitize_for_stdlib_log()` that replaces `\r` and `\n` with spaces, 
and apply it before formatting the `logical_date` value into the 
`logger.exception` message. The helper is extracted so the guard is testable in 
isolation. `logger.exception` stays on the stdlib logger (rather than swapping 
to `structlog`) to keep the change minimal and avoid coupling unrelated 
behaviour changes into a security fix.
   
   ## Test plan
   
   - [x] Parametrised `TestSanitizeForStdlibLog::test_strips_cr_and_lf` covers 
`\n`, `\r`, `\r\n`, multi-line, empty, and the no-op case.
   - [x] `prek run ruff` clean.
   - [x] `prek run mypy-airflow-core` clean.
   - [x] 6 tests pass.
   
   ---
   
   ##### Was generative AI tooling used to co-author this PR?
   
   - [X] Yes — Claude Code (Opus 4.7)
   
   Generated-by: Claude Code (Opus 4.7) following [the 
guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions)
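The log-forging path described above, as an added illustration that is not the Airflow patch itself: a value carrying CR/LF is written through a plain-text stdlib formatter once raw and once through a CR/LF-stripping helper modelled on the one the PR describes. The function names, the logger configuration and the sample value are constructed for this example.

```python
import io
import logging


def sanitize_for_stdlib_log(value: str) -> str:
    """Replace CR and LF with spaces so a user-controlled value cannot split
    one record into several lines (CWE-117 mitigation for plain-text
    formatters). Hypothetical helper modelled on the PR's description."""
    return value.replace("\r", " ").replace("\n", " ")


def render_parse_failure(raw_value: str, sanitize: bool) -> str:
    """Emit one 'parse failure' record through a plain-text stdlib logger
    (logger.error stands in for logger.exception, which needs an active
    exception) and return the text the handler wrote."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    # Constructed plain-text format: the kind of formatter the PR says is at risk.
    handler.setFormatter(logging.Formatter("%(levelname)s %(name)s: %(message)s"))
    logger = logging.getLogger("example.action_logging")
    logger.handlers = [handler]
    logger.propagate = False
    logger.setLevel(logging.INFO)
    shown = sanitize_for_stdlib_log(raw_value) if sanitize else raw_value
    logger.error("Invalid logical_date %s", shown)
    handler.flush()
    return buf.getvalue()


def count_log_lines(text: str) -> int:
    """Number of physical lines a log sink would see for the emitted record."""
    return len(text.rstrip("\n").splitlines())


# Constructed sample: a non-date value with an embedded CRLF followed by
# text shaped like a second record.
CRAFTED = "not-a-date\r\nINFO example.action_logging: forged entry"

if __name__ == "__main__":
    print(render_parse_failure(CRAFTED, sanitize=False))  # splits into two lines
    print(render_parse_failure(CRAFTED, sanitize=True))   # stays on one line
```

With a JSON formatter the raw case would already be a single escaped record, which is why the PR scopes the issue to plain-text formatters.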

