omkhar commented on issue #67957:
URL: https://github.com/apache/airflow/issues/67957#issuecomment-4622582716
I verified the security-hardening fixes in this batch empirically:
installed each provider at the prior release and the RC side-by-side and
exercised the actual changed code paths:
- akeyless 0.2.0rc1 (#67443): confirmed: jwt extra leaks in cleartext
through Airflow's redaction, jwt_token masks to ***. This is a breaking
change. Existing connections keyed jwt will silently stop authenticating after
upgrade; probably worth a changelog/migration line.
- google 22.1.0rc1: all four confirmed: GCS ../ blob traversal now rejected
(#67509, verified a real out-of-dir write pre-fix), GCS log handler fails
closed instead of truncating history on read errors (#67511), Cloud SQL keyfile
now 0600 instead of 0644 (#67507), Stackdriver no longer leaks SA/IAM details
on read failure (#67513).
- samba 4.12.6rc1 (#67857): confirmed: GCS→Samba .., absolute and
sibling-prefix paths all rejected; contained paths still work.
All fixes sound. Only flag is the akeyless breaking change above. +1 from me.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
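The three rejected path classes in the samba and GCS items above (parent traversal with "..", absolute paths, and sibling-prefix escapes such as /srv/share2 passing a bare startswith("/srv/share") test) are the standard cases a containment check has to cover. The following is an added illustration written for this page; it is not the Airflow provider code and does not reproduce the fixes in the PRs referenced in the comment. The base directory, the sample paths and the function names are constructed for the example; naive_join shows the prefix-test bug, contained_join shows one hardened form.

```python
"""Path containment: reject '..', absolute paths and sibling-prefix escapes
before joining an untrusted relative path onto a base directory.

Added example for illustration, not Airflow provider code. Paths are handled
as POSIX-style strings so the check runs offline with no filesystem access.
"""
import posixpath


class PathEscapeError(ValueError):
    """Raised when an untrusted path would resolve outside its base directory."""


def naive_join(base: str, untrusted: str) -> str:
    """The pattern that produces sibling-prefix bugs: normalise, then test with a
    bare string prefix. '/srv/share2/x' starts with '/srv/share', so it passes.
    Kept only to contrast with contained_join()."""
    candidate = posixpath.normpath(posixpath.join(base, untrusted))
    if not candidate.startswith(base):
        raise PathEscapeError(f"escapes base: {untrusted!r}")
    return candidate


def contained_join(base: str, untrusted: str) -> str:
    """Return base/untrusted as a normalised path, or raise PathEscapeError.

    Rejects, in order: empty or absolute input, any '..' component (even one
    that would net out inside base, which is stricter than strictly needed),
    and any normalised result that is not base itself or a child of base.
    Backslashes are treated as separators so SMB-style '..\\x' cannot slip
    past the component check as a single odd filename (assumption for the
    example: callers accept either separator from remote clients).
    """
    base_norm = posixpath.normpath(base)
    path = untrusted.replace("\\", "/")
    if not path or posixpath.isabs(path):
        raise PathEscapeError(f"empty or absolute path rejected: {untrusted!r}")
    if ".." in path.split("/"):
        raise PathEscapeError(f"parent traversal rejected: {untrusted!r}")
    candidate = posixpath.normpath(posixpath.join(base_norm, path))
    # Compare against base plus a separator so a sibling that merely shares
    # the base's characters as a prefix ('/srv/share2') does not match.
    if candidate != base_norm and not candidate.startswith(base_norm + "/"):
        raise PathEscapeError(f"escapes base: {untrusted!r}")
    return candidate


def is_contained(base: str, untrusted: str) -> bool:
    """Boolean wrapper around contained_join() for table-driven checks."""
    try:
        contained_join(base, untrusted)
        return True
    except PathEscapeError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate path and the three escape classes.
    base = "/srv/share"
    samples = [
        "reports/2024/q1.csv",      # contained
        "../share2/secret.txt",     # sibling-prefix escape via '..'
        "/etc/passwd",              # absolute
        "..\\..\\etc\\passwd",      # SMB-style traversal
    ]
    for sample in samples:
        try:
            naive = naive_join(base, sample)
        except PathEscapeError:
            naive = "rejected"
        hardened = contained_join(base, sample) if is_contained(base, sample) else "rejected"
        print(f"{sample!r:28} naive={naive!r:28} hardened={hardened!r}")
```

The naive variant rejects the absolute and plain "../../" cases, which is why a prefix test looks correct in casual testing; it only fails on the sibling-prefix case, where the normalised path lands in a directory whose name happens to begin with the base's name.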