@amoghrajesh
Contributor

Problem & Solution

When rendered template fields in a dag exceed the max_templated_field_length (default is 4096 characters), data could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields while sending to the API server used a secrets masker instance without patterns registered via mask_secret() calls (i.e., it used the core secrets masker but patterns were registered against the SDK secrets masker). This was a ripple effect of moving the secrets masker onto the shared library: #54449

The fix is to create a local _serialize_template_field() function in task_runner that uses the SDK secrets masker, which contains patterns registered via mask_secret() calls in user dag code. This ensures secrets are properly masked before truncation occurs.

This fix is in any case in line with our 3.2 goal of client-server separation by getting rid of the serialize_template_field import from airflow core in task sdk.

Testing

Defined a macro via a plugin like this:

from airflow.plugins_manager import AirflowPlugin
from airflow.sdk.log import mask_secret


def mask_str(var: str):
    """
    Takes a string and masks it.
    Returns the same string for templating.
    """
    mask_secret(var)
    return var


class TruncMacrosPlugin(AirflowPlugin):
    name = "trunc_macro"
    macros = [mask_str]

DAG:

import json
from datetime import datetime

from airflow.providers.standard.operators.bash import BashOperator
from airflow.sdk import DAG

with DAG('trunc_dag', start_date=datetime(2024, 1, 1), schedule=None) as dag:
    env = {}
    secret = "postgresql+psycopg2://username:testpass123@host/db"
    for i in range(70):
        env[f"URL_{i}"] = f"{{{{ macros.trunc_macro.mask_str('{secret}') }}}}"

    print("len of env is", len(json.dumps(env, indent=4)))

    task = BashOperator(
        task_id="example",
        bash_command="echo done",
        env=env,
    )

Before:

image

After:

image

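The failure mode described in this PR, reduced to an added example that is not part of the PR and does not use Airflow's code: `Masker`, `serialize_field` and `truncate_then_redact` are hypothetical stand-ins, and the truncation marker is simplified. It shows that patterns registered on one masker instance do nothing for a serializer holding another instance, and goes one step beyond the PR text to show why redaction has to run before truncation.

```python
import json
import re

MAX_LEN = 4096  # default max_templated_field_length quoted in the PR
SECRET = "postgresql+psycopg2://username:testpass123@host/db"  # from the PR's test DAG


class Masker:
    """Hypothetical stand-in for a secrets masker; each instance owns its patterns."""

    def __init__(self):
        self.patterns = set()

    def add_mask(self, secret):
        self.patterns.add(secret)

    def redact(self, text):
        if not self.patterns:
            return text  # nothing registered on this instance: text passes through
        longest_first = sorted(self.patterns, key=len, reverse=True)
        return re.sub("|".join(map(re.escape, longest_first)), "***", text)


def truncate(text, max_len):
    return text if len(text) <= max_len else text[:max_len] + "... [truncated]"


def serialize_field(value, masker, max_len=MAX_LEN):
    """Redact with the given masker first, then truncate."""
    return truncate(masker.redact(json.dumps(value)), max_len)


def truncate_then_redact(value, masker, max_len=MAX_LEN):
    """Wrong order: the cut can split a secret so its pattern no longer matches."""
    return masker.redact(truncate(json.dumps(value), max_len))


def demo():
    core_masker, sdk_masker = Masker(), Masker()
    sdk_masker.add_mask(SECRET)  # stands in for mask_secret() called from DAG code
    env = {f"URL_{i}": SECRET for i in range(70)}  # constructed, mirrors the test DAG
    return {
        "before_fix": serialize_field(env, core_masker),  # instance with no patterns
        "after_fix": serialize_field(env, sdk_masker),    # instance holding the pattern
        "wrong_order": truncate_then_redact(env, sdk_masker, max_len=100),
        "right_order": serialize_field(env, sdk_masker, max_len=100),
    }


if __name__ == "__main__":
    for name, text in demo().items():
        print(f"{name}: {text[:90]}")
```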

@amoghrajesh amoghrajesh requested a review from Lee-W December 19, 2025 11:12
@amoghrajesh amoghrajesh added this to the Airflow 3.1.6 milestone Dec 22, 2025
@amoghrajesh amoghrajesh merged commit 8defa75 into apache:main Dec 22, 2025
96 checks passed
@amoghrajesh amoghrajesh deleted the max-len-truncation-bug branch December 22, 2025 07:02
@amoghrajesh
Contributor Author

Ah forgot to add the backport label!

amoghrajesh added a commit that referenced this pull request Dec 22, 2025
…ting it (#59566)

(cherry picked from commit 8defa75)

Co-authored-by: Amogh Desai <amoghrajesh1999@gmail.com>
@amoghrajesh
Contributor Author

CP here: #59704

amoghrajesh added a commit that referenced this pull request Dec 23, 2025
Subham-KRLX pushed a commit to Subham-KRLX/airflow that referenced this pull request Jan 2, 2026
ephraimbuddy pushed a commit that referenced this pull request Jan 6, 2026
stegololz pushed a commit to stegololz/airflow that referenced this pull request Jan 9, 2026