Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Secrets Masker also applies masking to fields not in scope #48105

Open
1 task done
jscheffl opened this issue Mar 22, 2025 · 6 comments
Open
1 task done

Secrets Masker also applies masking to fields not in scope #48105

jscheffl opened this issue Mar 22, 2025 · 6 comments
Assignees
@amarlearning
Labels
affected_version:3.0.0beta For all 3.0.0 beta releases area:API Airflow's REST/HTTP API area:secrets area:UI Related to UI/UX. For Frontend Developers. kind:bug This is a clearly a bug kind:meta High-level information important to the community priority:medium Bug that should be fixed before next release but would not block a release

Comments

@jscheffl
Copy link
Contributor

Body

I tested the connections form and when using the edit (as PR in #48102) I saw that values are masked on the public API.
I created a connection type "generic with name "a" with login="a" and password="a" as well as {"key": "value"} as extra. When opening the connection the public REST was masking the "a" of "value" as below:
Image

I assume it does not make sense to mask data in extra fields or description of connection. This generates errors and side effects unexpected.

Committer

  • I acknowledge that I am a maintainer/committer of the Apache Airflow project.
@jscheffl jscheffl added area:API Airflow's REST/HTTP API area:UI Related to UI/UX. For Frontend Developers. kind:bug This is a clearly a bug kind:meta High-level information important to the community labels Mar 22, 2025
@dosubot dosubot bot added the area:secrets label Mar 22, 2025
@amarlearning
Copy link
Contributor

I would like to work on this issue. This would be my first contribution to Apache Airflow. I have read the contribution guidelines and have my development environment set up.

@vatsrahul1001 vatsrahul1001 added affected_version:3.0.0beta For all 3.0.0 beta releases priority:medium Bug that should be fixed before next release but would not block a release labels Mar 24, 2025
@amarlearning amarlearning mentioned this issue Mar 24, 2025
Closed
@potiuk
Copy link
Member

potiuk commented Mar 31, 2025

I think it makes sense to only register secret values if they are longer than - say - 5 characters. Any shorter secret makes no sense really.

@potiuk
Copy link
Member

potiuk commented Mar 31, 2025

But we have to have some warnings in the logs about it (without logging the secret of course).

@jscheffl
Copy link
Contributor Author

I think it makes sense to only register secret values if they are longer than - say - 5 characters. Any shorter secret makes no sense really.

When examples and default connection are deployed then I usually also fail because "one" of the example connections also uses "airflow" as a password - leading to the fail that logs contain masked folders like /opt/****/conf/... as the term "airflow" then is masked :-D

@potiuk
Copy link
Member

potiuk commented Mar 31, 2025

I think it makes sense to only register secret values if they are longer than - say - 5 characters. Any shorter secret makes no sense really.

When examples and default connection are deployed then I usually also fail because "one" of the example connections also uses "airflow" as a password - leading to the fail that logs contain masked folders like /opt/****/conf/... as the term "airflow" then is masked :-D

We could explicitly exclude "airflow" from being masked.

@amarlearning
Copy link
Contributor

amarlearning commented Mar 31, 2025
edited
Loading

Here’s the plan

  1. Implement a minimum length requirement (5+ characters) for secrets masking
    • Only add patterns to the masking set if the secret length is ≥ 5 characters
    • Add a warning log when a short secret is encountered but not masked
  2. Explicitly exclude common terms from masking

cc @potiuk @jscheffl

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@amarlearning amarlearning

Labels
affected_version:3.0.0beta For all 3.0.0 beta releases area:API Airflow's REST/HTTP API area:secrets area:UI Related to UI/UX. For Frontend Developers. kind:bug This is a clearly a bug kind:meta High-level information important to the community priority:medium Bug that should be fixed before next release but would not block a release
Projects
AIP-38: Modern Web Application
Status: To Scope
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix #48105: Add word boundaries to prevent over-masking in SecretsMasker amarlearning/airflow
4 participants
@potiuk @amarlearning @vatsrahul1001 @jscheffl