potiuk opened a new pull request, #69380:
URL: https://github.com/apache/airflow/pull/69380
The Teradata provider's `tpt_util.py` and `encryption_utils.py` build several
shell commands (run locally or over SSH) that interpolate file paths
directly,
and pass the openssl passphrase on the command line.
This hardens both:
- **Quote interpolated file paths** with `shlex.quote()` in the POSIX shell
commands (`shred`, the `dd`/`rm` fallback, `chmod`, `which`, and the
`openssl … -in/-out` paths), so paths containing spaces or shell
metacharacters are handled correctly and cannot alter the command.
- **Feed the openssl passphrase on stdin** (`-pass stdin`) for the local
`generate_encrypted_file_with_openssl` instead of `-pass pass:<…>`, so it
is
not exposed in the local host's process list.
Windows command branches and the remote SSH `openssl -pass pass:` path are
left
unchanged (POSIX `shlex.quote` does not apply to `cmd.exe`, and moving the
passphrase off argv over the SSH channel would require reworking the shared
remote-exec helper — a larger change).
### Tests
- [x] existing command-string assertions still pass (metacharacter-free paths
are unchanged by `shlex.quote`)
- [x] new: `shred` / `chmod` commands quote paths with spaces /
metacharacters
- [x] new: the openssl passphrase is fed on stdin and never appears on argv
##### Was generative AI tooling used to co-author this PR?
- [X] Yes — Claude Opus 4.8 (1M context)
Generated-by: Claude Opus 4.8 (1M context) following the guidelines at
https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]