potiuk opened a new pull request, #69380:
URL: https://github.com/apache/airflow/pull/69380

   The Teradata provider's `tpt_util.py` and `encryption_utils.py` build several
   shell commands (run locally or over SSH) that interpolate file paths 
directly,
   and pass the openssl passphrase on the command line.
   
   This hardens both:
   
   - **Quote interpolated file paths** with `shlex.quote()` in the POSIX shell
     commands (`shred`, the `dd`/`rm` fallback, `chmod`, `which`, and the
     `openssl … -in/-out` paths), so paths containing spaces or shell
     metacharacters are handled correctly and cannot alter the command.
   - **Feed the openssl passphrase on stdin** (`-pass stdin`) for the local
     `generate_encrypted_file_with_openssl` instead of `-pass pass:<…>`, so it 
is
     not exposed in the local host's process list.
   
   Windows command branches and the remote SSH `openssl -pass pass:` path are 
left
   unchanged (POSIX `shlex.quote` does not apply to `cmd.exe`, and moving the
   passphrase off argv over the SSH channel would require reworking the shared
   remote-exec helper — a larger change).
   
   ### Tests
   
   - [x] existing command-string assertions still pass (metacharacter-free paths
     are unchanged by `shlex.quote`)
   - [x] new: `shred` / `chmod` commands quote paths with spaces / 
metacharacters
   - [x] new: the openssl passphrase is fed on stdin and never appears on argv
   
   ##### Was generative AI tooling used to co-author this PR?
   
   - [X] Yes — Claude Opus 4.8 (1M context)
   
   Generated-by: Claude Opus 4.8 (1M context) following the guidelines at
   
https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to