gopidesupavan commented on code in PR #68129:
URL: https://github.com/apache/airflow/pull/68129#discussion_r3367150888


##########
task-sdk/src/airflow/sdk/api/client.py:
##########
@@ -987,7 +988,7 @@ def __init__(self, client: Client):
 
     def get(self, dag_id: str) -> DagResponse:
         """Get a DAG via the API server."""
-        resp = self.client.get(f"dags/{dag_id}")
+        resp = self.client.get(f"dags/{quote(dag_id, safe='')}")
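Review bot: On the `+` line in `get`, `quote(dag_id, safe='')` percent-encodes `/` but leaves `.` untouched, so a `dag_id` that is exactly `.` or `..` still reaches the URL as a dot segment. Consider rejecting those two values before building the path, and add a unit test asserting that a `dag_id` containing `/` is sent as a single encoded segment.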

Review Comment:
   Agree, server-side hardening would be good, but this fix is still needed at
the SDK URL construction boundary. With a raw `dag_id`, the client can build
`dags/x/../../variables/secret_key`, and path normalization may route it as
`/variables/secret_key` before the `/dags/{dag_id}` handler ever runs. Encoding
here ensures the Task SDK sends the Dag ID as one path segment.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
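
The path behaviour described in the review comment above, as an added example that is not part of the PR or the original message. `posixpath.normpath` is an assumed stand-in for whatever component normalizes the path, and `strict_path` is a hypothetical stricter variant covering the bare `.` and `..` values that `quote` leaves unchanged.

```python
import posixpath
from urllib.parse import quote

# Value taken from the review comment.
CONSTRUCTED_ID = "x/../../variables/secret_key"


def raw_path(dag_id: str) -> str:
    """Path as built before the change: dag_id interpolated unescaped."""
    return f"dags/{dag_id}"


def encoded_path(dag_id: str) -> str:
    """Path as built after the change: dag_id percent-encoded, '/' included."""
    return f"dags/{quote(dag_id, safe='')}"


def strict_path(dag_id: str) -> str:
    """Hypothetical stricter variant: also refuse bare dot segments, which
    quote() leaves unchanged because '.' is an unreserved character."""
    if dag_id in (".", ".."):
        raise ValueError(f"invalid dag_id: {dag_id!r}")
    return encoded_path(dag_id)


def normalized(path: str) -> str:
    """Assumed stand-in for a normalizing hop (proxy, router): collapses
    '.' and '..' segments without decoding percent-escapes."""
    return posixpath.normpath("/" + path)


def segments_under_dags(path: str) -> int:
    """Segments left after /dags/ once normalized; -1 if the path escaped it."""
    parts = normalized(path).strip("/").split("/")
    return len(parts) - 1 if parts[0] == "dags" else -1


if __name__ == "__main__":
    for build in (raw_path, encoded_path):
        p = build(CONSTRUCTED_ID)
        print(f"{build.__name__:13} {p!r} -> {normalized(p)!r}")
    # A bare '..' survives quote(), so the encoded path still normalizes away.
    print(f"{'encoded_path':13} {encoded_path('..')!r} -> {normalized(encoded_path('..'))!r}")
```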