Replies: 2 comments
-
This is not how to report security issues. Report it in confidence through this security policy https://github.com/apache/airflow/security/policy. MAKE SURE TO DELETE THE ABOVE
-
Indeed, it's not a responsible disclosure and you should not do it @rjribeiro. Luckily it's not a security vulnerability this time - just your misunderstanding of "variables" - https://airflow.apache.org/docs/apache-airflow/stable/configurations-ref.html#config-core-hide-sensitive-var-conn-fields is for Airflow Variables, not for env variables in a random operator. But if you want to add this as a feature @rjribeiro - you can create a feature or (even better) open a PR for that. I think it's a good idea to include some operator's environment variables to be masked in the UI. It's not necessarily a good protection, because the variables can be seen in many different ways (depending on whether you use K8S executor or CeleryExecutor or Local Executor, environment variables passed to a task (and there is nothing Airflow can do about it)) - so it is quite inherently insecure.
-
In BashOperator's "instance details" tab the env attribute is showing sensitive information. This information is Airflow Variables acquired from the secret backend. Their names are in the AIRFLOW__CORE__SENSITIVE_VAR_CONN_NAMES setting, but they still appear unmasked.
Using Airflow 2.4.1