Make "placeholder" of ODBC configurable in UI #36000
Conversation
desc: Modify the odbc connection to add default placeholder when creating a connection in the UI by specifying it in the extra options.
|
Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about any anything please check our Contribution Guide (https://github.com/apache/airflow/blob/main/CONTRIBUTING.rst)
|
| @@ -144,7 +144,7 @@ class DbApiHook(BaseHook): | |||
| # Override with db-specific query to check connection | |||
| _test_connection_sql = "select 1" | |||
| # Override with the db-specific value used for placeholders | |||
| placeholder: str = "%s" | |||
| _placeholder: str = "%s" | |||
There was a problem hiding this comment.
This could be moved to __init__ since it's no longer a class attribute.
There was a problem hiding this comment.
We should only allow fixed set of placeholders - not a "Free placeholder" = only alow "%s" or "?" - nothing else.
The problem with such an input provided by the user who can configure a connection from the UI, that by allowing "ANY" values, it opens up the doors to all kind of vulnerabilities - similar to SQL INJECTION.
So we should always sanitize any input passed down from the user when such conection is defined via UI.
While we cannot prevent existing cases and some kinds of "inherent" vulnerabilities in some connection types, adding a gateway to such "user input" (even if we do not know if it can be exploited) is dangerous.
In this case I think "?" and "%s" are the only "reasonable" values placeholder can take and we should validate if user value is exactly one of those..
Maybe there are others that we might find and add, but adding a possibility of using ANY placeholder provided by the user here is too dangerous IMHO.
Makes sense! We can achieve this easily by adding a list of whitelisted placeholders in each provider, and checking if the provided placeholder exists in this list. |
Yes. Easy to implement and safer. |
robbydb88
force-pushed
the
fix/generic_transfer_operator_modify_placeholder
branch
2 times, most recently
from
18f21cc
to
fa5b034
Compare
|
We implemented the change by adding the fixed set of default values to the ODBC provider. The other providers already used a "standard" placeholder. This first example can be used for other providers should it be necessary in the future |
|
Awesome work, congrats on your first merged pull request! You are invited to check our Issue Tracker for additional contributions. |
Parametrize the "placeholder" variable in the ODBC hook, making it configurable from the connection defined in the UI.
For some databases, the placeholder is not the standard "%s" as defined earlier.
By making it configurable in the connection properties, users can easily pick the placeholder of their specific database.
This makes the generic_transfer operator more flexible.
^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named
{pr_number}.significant.rstor{issue_number}.significant.rst, in newsfragments.