github-actions[bot] opened a new pull request, #69462:
URL: https://github.com/apache/airflow/pull/69462
The XCom create/update payload validator _check_forbidden_xcom_keys
recursively rejects reserved serialization keys (__classname__, __type,
__var, ...) in dict/list values. Its _walk helper descended dicts, lists
and tuples but not str, so a value submitted as a JSON string literal
(e.g. json.dumps({"__classname__": ...})) was stored verbatim and re-parsed
into a dict on a ?deserialize=true read, slipping past the filter.
Extend _walk to json.loads a string value and inspect the decoded dict/list
the same way the read path does. Strings that are not JSON, or that decode
to non-container values, are unchanged and still accepted.
(cherry picked from commit aae7c8f42789965940c0bf0fe9da25299d03521a)
Co-authored-by: Jarek Potiuk <[email protected]>
Generated-by: Claude Opus 4.8 (1M context) following the guidelines at
https:
//github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]