sakethsomaraju commented on issue #68065: URL: https://github.com/apache/airflow/issues/68065#issuecomment-4710039104
Hi @pierrejeambrun , I'd like to provide some additional context before this is fully closed. The issue is not reproducible locally on Airflow 3 latest version as well. So the fix on `main` does appear to work when Airflow is accessed directly within local environment. However the problem resurfaces in any deployment that sits behind a reverse proxy or ingress, which is essentially every real production setup. When the variable key has a leading `/`, the PATCH request URL ends up with a double slash (e.g. `/api/v2/variables//foo`). Most proxies normalize consecutive slashes by design and this is actually intentional behavior on their part, not a misconfiguration. Double slashes in URL paths are considered a security risk and no proxy should reasonably be expected to preserve them. So while Airflow itself may handle the encoded path correctly, the request never reaches Airflow intact in a proxied environment. Given that, I think the root fix belongs at the variable key validation layer. Airflow currently allows keys with a leading `/` to be created via POST or the UI, but those keys can never be reliably managed via the REST API in any proxied deployment. That's a broken CRUD lifecycle for a valid user-created resource. The cleanest solution would be to either reject variable keys with a leading `/` at creation time with a clear validation error, or move the variable key out of the URL path segment and into a query parameter or request body for PATCH/DELETE operations. Let me know your thoughts on it. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
