The GitHub Actions job "Scheduled verify release calendar" on airflow.git/main has failed. Run started by GitHub user potiuk (triggered by potiuk).
Head commit for run:
f141e155b2f93b6007586bbbc4027af3922a4663 / Jarek Potiuk <[email protected]>
Require trust sentinel for state.user injection in get_user() (#66562)

The `get_user()` auth dependency in `core_api/security.py` accepted any value at `request.state.user` without verification, returning it before JWT signature/expiry/revocation checks. The only legitimate writer (`JWTRefreshMiddleware`) is one of many possible middlewares — any plugin or unrelated middleware that wrote `request.state.user`, accidentally or otherwise, would silently bypass JWT validation.

Defense-in-depth: introduce a private module-level sentinel `USER_INJECTED_BY_TRUSTED_MIDDLEWARE` and require it to be set at `request.state.user_authenticated_via` for `get_user()` to honour the cached user. JWTRefreshMiddleware now stamps the marker alongside the user. Without the marker `get_user()` falls through to fresh JWT validation, so a stray `state.user = ...` write no longer skips auth.

This does not defend against a *malicious* in-process plugin (which can import the sentinel and set it itself); plugins are trusted code in Airflow's security model. The goal is preventing accidental writes from unrelated middleware silently bypassing auth, which the audit flagged as an undocumented authentication pathway.

Tests cover both the marked-honoured path and the unmarked-fall-through path; the JWTRefreshMiddleware test asserts the marker is stamped.

Reported by the L3 ASVS sweep at apache/tooling-agents#23 (FINDING-133).

Report URL: https://github.com/apache/airflow/actions/runs/25540998705

With regards,
GitHub Actions via GitBox
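
The pattern the commit message describes, as an added example that is not part of the original notification and is not Airflow's code. It assumes the sentinel is a plain object compared by identity, uses an HMAC-signed string as a stand-in for the JWT checks, and the helpers sign, validate_token, trusted_middleware and make_request are hypothetical names.

```python
import hashlib
import hmac
from types import SimpleNamespace

SECRET = b"constructed-demo-key"  # constructed; stands in for the JWT signing key

# Private module-level marker (assumed to be an object compared by identity,
# so a look-alike value written by other code does not match).
USER_INJECTED_BY_TRUSTED_MIDDLEWARE = object()


def sign(user: str) -> str:
    """Toy stand-in for JWT issuance: returns 'user.hexmac'."""
    mac = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"


def validate_token(token: str) -> str:
    """Toy stand-in for the JWT signature/expiry/revocation checks."""
    user, _, mac = token.rpartition(".")
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    if not user or not hmac.compare_digest(mac.encode(), expected.encode()):
        raise PermissionError("invalid token")
    return user


def trusted_middleware(request) -> None:
    """Plays the JWTRefreshMiddleware role: validate, then stamp user and marker together."""
    request.state.user = validate_token(request.token)
    request.state.user_authenticated_via = USER_INJECTED_BY_TRUSTED_MIDDLEWARE


def get_user(request) -> str:
    """Honour the cached user only when the trusted marker accompanies it."""
    cached = getattr(request.state, "user", None)
    via = getattr(request.state, "user_authenticated_via", None)
    if cached is not None and via is USER_INJECTED_BY_TRUSTED_MIDDLEWARE:
        return cached
    # An unmarked state.user is ignored: fall through to fresh validation.
    return validate_token(request.token)


def make_request(token: str):
    """Constructed request object with the same .state shape the page refers to."""
    return SimpleNamespace(token=token, state=SimpleNamespace())
```

A stray `state.user` write without the marker changes nothing: the caller gets whoever the token validates as, or an error if it does not validate.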
