[v3-2-test] Check sensitive key names before applying recursion-depth cutoff in secrets masker (#65912) #66748
Draft
github-actions[bot] wants to merge 1 commit into
… cutoff in secrets masker (#65912)

`SecretsMasker._redact` short-circuited on `depth > max_depth` before checking whether the current key name was sensitive (`should_hide_value_for_key(name)`). For sensitive keys nested beyond the recursion depth (default 5), the original value was returned unchanged instead of being replaced with `***`.

Move the depth cutoff inside the `try:` block, after the sensitive-key check, and let dict traversal continue past the cutoff so deeper sensitive keys are still caught. Non-dict containers and the string-pattern masker keep the depth-bounded behavior the cutoff was added for. JSON-loaded payloads cannot be self-referential, and any in-memory cycle hits Python's own recursion limit and falls through the existing exception handler to "<redaction-failed>", which preserves the fail-closed property.

(cherry picked from commit 354391b)

Co-authored-by: Jarek Potiuk <jarek@potiuk.com>
Generated-by: Claude Opus 4.7 (1M context) following the guidelines at https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions
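The check-ordering problem described in the PR text, as an added example that is not Airflow's code or part of this pull request. It is a simplified model: `redact_before`, `redact_after`, `is_sensitive`, `nest`, `leaf` and the key list are hypothetical, and the string-pattern masker is not modelled.

```python
# Simplified model of the check ordering; not Airflow's SecretsMasker code.
SENSITIVE_KEYS = {"password", "token", "secret", "api_key"}  # assumed list
MAX_DEPTH = 5  # default recursion depth named in the PR description

def is_sensitive(name):
    return isinstance(name, str) and name.lower() in SENSITIVE_KEYS

def redact_before(item, name=None, depth=0):
    """Old ordering: the depth cutoff runs before the key-name check."""
    if depth > MAX_DEPTH:
        return item  # returned unchanged, even under a sensitive key
    if is_sensitive(name):
        return "***"
    if isinstance(item, dict):
        return {k: redact_before(v, k, depth + 1) for k, v in item.items()}
    if isinstance(item, (list, tuple)):
        return [redact_before(v, name, depth + 1) for v in item]
    return item

def redact_after(item, name=None, depth=0):
    """Fixed ordering: key name first; dicts are walked past the cutoff."""
    try:
        if is_sensitive(name):
            return "***"
        if isinstance(item, dict):
            return {k: redact_after(v, k, depth + 1) for k, v in item.items()}
        if depth > MAX_DEPTH:
            return item  # non-dict containers stay depth-bounded
        if isinstance(item, (list, tuple)):
            return [redact_after(v, name, depth + 1) for v in item]
        return item
    except Exception:  # a RecursionError from an in-memory cycle lands here
        return "<redaction-failed>"

def nest(value, levels):
    """Wrap value in `levels` dicts keyed 'cfg' (constructed sample input)."""
    for _ in range(levels):
        value = {"cfg": value}
    return value

def leaf(obj):
    """Unwrap the 'cfg' layers added by nest()."""
    while isinstance(obj, dict) and "cfg" in obj:
        obj = obj["cfg"]
    return obj

if __name__ == "__main__":
    deep = nest({"password": "hunter2"}, MAX_DEPTH + 1)  # constructed value
    print(leaf(redact_before(deep)), leaf(redact_after(deep)))
```

A regression test for this class of bug should place the sensitive key at several depths on both sides of the cutoff, since a test that only uses shallow payloads passes under either ordering.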