ashb commented on a change in pull request #9143:
URL: https://github.com/apache/airflow/pull/9143#discussion_r435836054
##########
File path: docs/howto/operator/bash.rst
##########
@@ -41,6 +41,37 @@ You can use :ref:`Jinja templates <jinja-templating>` to
parameterize the
:start-after: [START howto_operator_bash_template]
:end-before: [END howto_operator_bash_template]
+
+.. warning::
+
+ Care should be taken with "user" input or when using Jinja templates in the
+ ``bash_command``, as this bash operator does not perform any escaping or
+ sanitization of the command.
+
+ This applies mostly to using "dag_run" conf, as that can be submitted via
+ users in the Web UI. Most of the default template variables are not at
+ risk.
+
+For example, do **not** do this:
+
+.. code-block:: python
+
+ bash_task = BashOperator(
+ task_id="bash_task",
+ bash_command='echo "Here is the message: \'{{ dag_run.conf["message"]
if dag_run else "" }}\'"',
+ )
+
+Instead, you should pass this via the ``env`` kwarg and use double-quotes
+inside the bash_command, as below:
+
+.. code-block:: python
+
+ bash_task = BashOperator(
+ task_id="bash_task",
+ bash_command='echo "here is the message: \'$message\'"',
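Review bot: the "do **not** do this" example wraps the templated value in escaped single quotes (`\'{{ dag_run.conf["message"] ... }}\'`), which a reader may take as an adequate mitigation; the surrounding prose should say explicitly that quoting inside the template string is not a defense, because Jinja substitutes the value into the command text before bash ever parses it, so any quote character in the conf value changes the command structure, whereas passing it through `env` keeps the value out of the command string entirely. Consider rewording the warning along the lines of "Wrapping the templated value in quotes does not help: the rendered text is handed to bash as-is", and keep the contrast between the two snippets focused on that point. Separately, the warning body is shown indented by a single space; reStructuredText directive content should be indented consistently (three spaces is the convention used elsewhere in the Airflow docs), otherwise Sphinx will emit a warning or render the paragraphs outside the admonition.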
Review comment:
Running it locally, the problem does appear to be around `\`
