Headline
CVE-2023-22884: Move local_infile option from extra to hook parameter by potiuk · Pull Request #28811 · apache/airflow
Improper Neutralization of Special Elements used in a Command (‘Command Injection’) vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider. This issue affects Apache Airflow: before 2.5.1; Apache Airflow MySQL Provider: before 4.0.0.
Conversation
This change is to move the local_infile parameter from connection extra to Hook. Since this feature is only used for very specific cases, it belongs to the “action” it executes, not to the connection defined in general. For example in Hive and Vertica transfers, the capability of local_inline is simply enabled by bulk_load parameter - and it allows to use the same connection in both cases.
potiuk deleted the remove-local-infile-in-mysql branch
Jan 11, 2023
hussein-awala pushed a commit to hussein-awala/airflow that referenced this pull request
Jan 12, 2023
Soonmok pushed a commit to Soonmok/airflow that referenced this pull request
Jan 17, 2023
MrGeorgeOwl pushed a commit to lwyszomi/airflow that referenced this pull request
Jan 18, 2023
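The design change described in this pull request, modelled as an added example that is not code from the pull request or from Airflow: the "before" builder lets the stored connection extra switch on local_infile, the "after" builder honours only an explicit argument from the calling code, and an audit helper lists stored connections whose extra still carries the key. The function names, the assumption that extra is held as a JSON string, and the sample connections are all constructed for illustration.

```python
import json

# Constructed stand-ins for illustration; these are not Airflow classes or functions.

def _base_config(extra_json):
    """Parse the extra field and copy over only the benign option used in this model."""
    extra = json.loads(extra_json or "{}")
    config = {"charset": extra["charset"]} if "charset" in extra else {}
    return extra, config


def client_config_before(extra_json):
    """Pre-change model: whoever can edit the connection extra decides local_infile."""
    extra, config = _base_config(extra_json)
    if extra.get("local_infile", False):
        config["local_infile"] = 1
    return config


def client_config_after(extra_json, local_infile=False):
    """Post-change model: only the code that runs the action can opt in."""
    _, config = _base_config(extra_json)   # local_infile in extra is ignored
    if local_infile is True:
        config["local_infile"] = 1
    return config


def audit_extras(connections):
    """Return ids of stored connections whose extra still mentions local_infile."""
    flagged = []
    for conn_id, extra_json in connections.items():
        try:
            extra = json.loads(extra_json or "{}")
        except json.JSONDecodeError:
            flagged.append(conn_id)        # unparseable extra: review by hand
            continue
        if isinstance(extra, dict) and "local_infile" in extra:
            flagged.append(conn_id)
    return sorted(flagged)


# Constructed sample data: connection id -> extra field as stored.
SAMPLE = {
    "mysql_reports": '{"charset": "utf8mb4"}',
    "mysql_ingest": '{"local_infile": true}',
    "mysql_legacy": '{"local_infile": false, "charset": "latin1"}',
    "mysql_broken": '{not json',
}

if __name__ == "__main__":
    print(client_config_before(SAMPLE["mysql_ingest"]))
    print(client_config_after(SAMPLE["mysql_ingest"]))
    print(audit_extras(SAMPLE))
```

The audit flags a key that is present even when set to false, since after the change any such entry is dead configuration worth cleaning up.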