Skip to content

Validate deferred trigger classpath resolves to a BaseTrigger subclass#69792

Open
hypnguyen1209 wants to merge 1 commit into
apache:mainfrom
hypnguyen1209:harden-triggerer-classpath-validation
Open

Validate deferred trigger classpath resolves to a BaseTrigger subclass#69792
hypnguyen1209 wants to merge 1 commit into
apache:mainfrom
hypnguyen1209:harden-triggerer-classpath-validation

Conversation

@hypnguyen1209

@hypnguyen1209 hypnguyen1209 commented Jul 13, 2026

Copy link
Copy Markdown

The triggerer resolves a trigger from the classpath carried in the deferred-task Execution API payload via import_string(classpath) and then instantiates it with trigger_class(**kwargs). get_trigger_by_classpath did not check that the imported object is actually a BaseTrigger subclass, so any importable callable (e.g. subprocess.check_output) could be loaded and invoked in the long-running triggerer process.

Harden this by rejecting, before caching and before instantiation, any classpath that does not resolve to a type that is a BaseTrigger subclass. Legitimate triggers are unaffected (they are always BaseTrigger subclasses); an invalid classpath now fails the trigger cleanly instead of being instantiated. Adds a unit test covering both the accepted and rejected cases.


Was generative AI tooling used to co-author this PR?
  • Yes (please specify the tool below)

  • Read the Pull Request Guidelines for more information. Note: commit author/co-author name and email in commits become permanently public when merged.
  • For fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
  • When adding dependency, check compliance with the ASF 3rd Party License Policy.
  • For significant user-facing changes create newsfragment: {pr_number}.significant.rst, in airflow-core/newsfragments. You can add this file in a follow-up commit after the PR is created so you know the PR number.

@hypnguyen1209 hypnguyen1209 requested a review from dstandish as a code owner July 13, 2026 02:01
Copilot AI review requested due to automatic review settings July 13, 2026 02:01
@boring-cyborg

boring-cyborg Bot commented Jul 13, 2026

Copy link
Copy Markdown

Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about any anything please check our Contributors' Guide
Here are some useful points:

  • Pay attention to the quality of your code (ruff, mypy and type annotations). Our prek-hooks will help you with that.
  • In case of a new feature add useful documentation (in docstrings or in docs/ directory). Adding a new operator? Check this short guide Consider adding an example Dag that shows how users should use it.
  • Consider using Breeze environment for testing locally, it's a heavy docker but it ships with a working Airflow and a lot of integrations.
  • Be patient and persistent. It might take some time to get a review or get the final approval from Committers.
  • Please follow ASF Code of Conduct for all communication including (but not limited to) comments on Pull Requests, Mailing list and Slack.
  • Be sure to read the Airflow Coding style.
  • Always keep your Pull Requests rebased, otherwise your build might fail due to changes not related to your commits.
    Apache Airflow is a community-driven project and together we are making it better 🚀.
    In case of doubts contact the developers at:
    Mailing List: dev@airflow.apache.org
    Slack: https://s.apache.org/airflow-slack

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Hardens the triggerer’s deferred-trigger loading path by validating that a deferred-task classpath resolves to a BaseTrigger subclass before caching/instantiation, preventing arbitrary importable callables from being invoked in the triggerer process.

Changes:

  • Add a BaseTrigger-subclass validation (and clearer docstring) in TriggerRunner.get_trigger_by_classpath.
  • Add a unit test covering both an allowed trigger class and a rejected non-trigger callable.
  • Add a release-note newsfragment describing the security hardening (but the fragment filename needs correction).

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
airflow-core/src/airflow/jobs/triggerer_job_runner.py Validates imported objects are BaseTrigger subclasses before caching/instantiation.
airflow-core/tests/unit/jobs/test_triggerer_job.py Adds regression test for accepting a real trigger and rejecting a non-trigger callable classpath.
airflow-core/newsfragments/99999.bugfix.rst Adds release note entry for the hardening (currently named with a placeholder).

Comment thread airflow-core/newsfragments/69792.bugfix.rst
The triggerer resolves a trigger from the ``classpath`` carried in the
deferred-task Execution API payload via ``import_string(classpath)`` and then
instantiates it with ``trigger_class(**kwargs)``. ``get_trigger_by_classpath``
did not check that the imported object is actually a ``BaseTrigger`` subclass,
so any importable callable (e.g. ``subprocess.check_output``) could be loaded
and invoked in the long-running triggerer process.

Harden this by rejecting, before caching and before instantiation, any
``classpath`` that does not resolve to a ``type`` that is a ``BaseTrigger``
subclass. Legitimate triggers are unaffected (they are always ``BaseTrigger``
subclasses); an invalid classpath now fails the trigger cleanly instead of
being instantiated. Adds a unit test covering both the accepted and rejected
cases.
@hypnguyen1209 hypnguyen1209 force-pushed the harden-triggerer-classpath-validation branch from 7794470 to 672b5f1 Compare July 13, 2026 02:07
if classpath not in self.trigger_cache:
self.trigger_cache[classpath] = import_string(classpath)
trigger_class = import_string(classpath)
if not (isinstance(trigger_class, type) and issubclass(trigger_class, BaseTrigger)):

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this should be pre-import check, unfortunately - by the time we get here the class is already imported, and the whole idea is to avoid even importing it - because just importing it can have side-effects. I am not sure if that one is even reasonably doable - because in order to get class hierarchy you need to import it. Just AST parsing will not solve it.

So I am not sure if that is solving such defense-in-depth is even doable.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this should be pre-import check, unfortunately - by the time we get here the class is already imported, and the whole idea is to avoid even importing it - because just importing it can have side-effects. I am not sure if that one is even reasonably doable - because in order to get class hierarchy you need to import it. Just AST parsing will not solve it.

So I am not sure if that is solving such defense-in-depth is even doable.

Correct - the issubclass check runs after import_string, so it doesn't stop import-time side effects of an arbitrary module.

To be precise about what it does stop: the reported path is classpath="subprocess.check_output" + trigger_kwargs, where the code executes at trigger_class(**kwargs) (the call) - importing stdlib subprocess is side-effect-free, so the issubclass gate blocks the actual execution. It does not help when the classpath points at a module whose import has side effects (e.g. an attacker-plantable module on sys.path).

A genuinely pre-import defense is doable, just not via issubclass (which needs the class, hence the import). It has to be a string check on the classpath before import_string - a module-namespace allow-list:

module = classpath.rpartition(".")[0]
 if not (module == "airflow" or module.startswith("airflow.") or module in allowed_extra):
     raise TypeError(...)   # before import_string()

That never imports anything outside the trusted namespace (core airflow.* + providers airflow.providers.*), so import-time side effects of untrusted/planted modules are never triggered. The issubclass check can stay after import as defense-in-depth.

The trade-off is custom triggers in user modules (mycompany.triggers.X): those would need a configurable prefix allow-list (similar to [core] allowed_deserialization_classes) to keep working - a behaviour change plus a new config option, which is why I wanted to check the direction before implementing.

@potiuk potiuk left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm... I think that's not really preventing the side effects it was supposed to prevent.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants