Skip to content

Commit

Permalink
Fix password masking in CLI action_logging (#15143)
Browse files Browse the repository at this point in the history
Currently as long as argument '-p' if present, code tries to mask it.

However, '-p' may mean something else (not password), like a boolean flag. Such cases may result in exception
  • Loading branch information
XD-DENG authored Apr 1, 2021
1 parent 6822665 commit 486b764
Show file tree
Hide file tree
Showing 2 changed files with 21 additions and 9 deletions.
20 changes: 11 additions & 9 deletions airflow/utils/cli.py
Original file line number Diff line number Diff line change
Expand Up @@ -113,17 +113,19 @@ def _build_metrics(func_name, namespace):
"""
from airflow.models import Log

sub_commands_to_check = {'users', 'connections'}
sensitive_fields = {'-p', '--password', '--conn-password'}
full_command = list(sys.argv)
for idx, command in enumerate(full_command): # pylint: disable=too-many-nested-blocks
if command in sensitive_fields:
# For cases when password is passed as "--password xyz" (with space between key and value)
full_command[idx + 1] = "*" * 8
else:
# For cases when password is passed as "--password=xyz" (with '=' between key and value)
for sensitive_field in sensitive_fields:
if command.startswith(f'{sensitive_field}='):
full_command[idx] = f'{sensitive_field}={"*" * 8}'
if full_command[1] in sub_commands_to_check: # pylint: disable=too-many-nested-blocks
for idx, command in enumerate(full_command):
if command in sensitive_fields:
# For cases when password is passed as "--password xyz" (with space between key and value)
full_command[idx + 1] = "*" * 8
else:
# For cases when password is passed as "--password=xyz" (with '=' between key and value)
for sensitive_field in sensitive_fields:
if command.startswith(f'{sensitive_field}='):
full_command[idx] = f'{sensitive_field}={"*" * 8}'

metrics = {
'sub_command': func_name,
Expand Down
10 changes: 10 additions & 0 deletions tests/utils/test_cli_util.py
Original file line number Diff line number Diff line change
Expand Up @@ -112,9 +112,19 @@ def test_get_dags(self):
"airflow connections add dsfs --conn-login asd --conn-password test --conn-type google",
"airflow connections add dsfs --conn-login asd --conn-password ******** --conn-type google",
),
(
"airflow scheduler -p",
"airflow scheduler -p",
),
(
"airflow celery flower -p 8888",
"airflow celery flower -p 8888",
),
]
)
def test_cli_create_user_supplied_password_is_masked(self, given_command, expected_masked_command):
# '-p' value which is not password, like 'airflow scheduler -p'
# or 'airflow celery flower -p 8888', should not be masked
args = given_command.split()

expected_command = expected_masked_command.split()
Expand Down

0 comments on commit 486b764

Please sign in to comment.