-
Notifications
You must be signed in to change notification settings - Fork 17.4k
Add partition_key and partition_key_pattern filters for asset events #64610
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
02b4b83
7f86185
3677209
54a42fa
0ee34eb
8ff1f1e
81464ec
39811e0
89e26ad
e837b15
586c210
be74e9c
f0b6405
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -17,6 +17,7 @@ | |
|
|
||
| from __future__ import annotations | ||
|
|
||
| import re | ||
| from abc import ABC, abstractmethod | ||
| from collections.abc import Callable, Iterable, Sequence | ||
| from datetime import datetime | ||
|
|
@@ -516,6 +517,61 @@ def depends_search( | |
| return depends_search | ||
|
|
||
|
|
||
| class _RegexParam(BaseParam[str]): | ||
| """ | ||
| Filter using database-level regex matching (regexp_match). | ||
|
|
||
| The pattern is handed to the database's own regex engine (via SQLAlchemy's | ||
| ``regexp_match``), so this filter is gated behind the ``[api] regexp_query_timeout`` | ||
| setting to contain the ReDoS attack surface: it cannot be instantiated with a value | ||
| unless a positive timeout is configured (which both enables the feature and bounds it). | ||
| """ | ||
|
|
||
| def __init__(self, attribute: ColumnElement, value: str | None = None, skip_none: bool = True) -> None: | ||
| super().__init__(value=value, skip_none=skip_none) | ||
| self.attribute: ColumnElement = attribute | ||
| if value is not None and conf.getint("api", "regexp_query_timeout") <= 0: | ||
| raise HTTPException( | ||
| status_code=status.HTTP_400_BAD_REQUEST, | ||
| detail="Regexp query filters are disabled. " | ||
| "Set [api] regexp_query_timeout to a positive number of seconds to enable them.", | ||
| ) | ||
|
|
||
| def to_orm(self, select: Select) -> Select: | ||
| if self.value is None and self.skip_none: | ||
| return select | ||
| return select.where(self.attribute.regexp_match(self.value)) | ||
|
|
||
|
hussein-awala marked this conversation as resolved.
|
||
| @classmethod | ||
| def depends(cls, *args: Any, **kwargs: Any) -> Self: | ||
| raise NotImplementedError("Use regex_param_factory instead, depends is not implemented.") | ||
|
|
||
|
|
||
| _DEFAULT_REGEX_DESCRIPTION = "Filter results by matching this regular expression against the field value." | ||
|
|
||
|
|
||
| def regex_param_factory( | ||
| attribute: ColumnElement, | ||
| pattern_name: str, | ||
| skip_none: bool = True, | ||
| description: str = _DEFAULT_REGEX_DESCRIPTION, | ||
| ) -> Callable[[str | None], _RegexParam]: | ||
| def depends_regex( | ||
| value: str | None = Query(alias=pattern_name, default=None, description=description), | ||
| ) -> _RegexParam: | ||
| if value is not None: | ||
| try: | ||
| re.compile(value) | ||
| except re.error as e: | ||
| raise HTTPException( | ||
| status_code=status.HTTP_400_BAD_REQUEST, | ||
| detail=f"Invalid regular expression: {e}", | ||
| ) | ||
| return _RegexParam(attribute, value, skip_none) | ||
|
|
||
| return depends_regex | ||
|
hussein-awala marked this conversation as resolved.
|
||
|
|
||
|
|
||
| def prefix_search_param_factory( | ||
| attribute: ColumnElement, | ||
| prefix_pattern_name: str, | ||
|
|
@@ -1639,6 +1695,13 @@ def _transform_ti_states(states: list[str] | None) -> list[TaskInstanceState | N | |
| QueryAssetAliasNamePrefixPatternSearch = Annotated[ | ||
| _PrefixSearchParam, Depends(prefix_search_param_factory(AssetAliasModel.name, "name_prefix_pattern")) | ||
| ] | ||
| QueryAssetEventPartitionKeyFilter = Annotated[ | ||
| FilterParam[str | None], | ||
| Depends(filter_param_factory(AssetEvent.partition_key, str | None, filter_name="partition_key")), | ||
| ] | ||
| QueryAssetEventPartitionKeyRegex = Annotated[ | ||
| _RegexParam, Depends(regex_param_factory(AssetEvent.partition_key, "partition_key_regexp_pattern")) | ||
| ] | ||
|
Comment on lines
+1698
to
+1704
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The thing I wanted to prevent by moving the timeout inside the regex_param_factory or the filter class directly, is because if someone add a filter in here using the factory, and forget to call the So I was trying to be defensive for a future bug.
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Maybe in That doesn't cover 'all cases' someone could still use a bare _RegexpParam without using the And maybe something in the |
||
| QueryAssetDagIdPatternSearch = Annotated[ | ||
| _DagIdAssetReferenceFilter, Depends(_DagIdAssetReferenceFilter.depends) | ||
| ] | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -1635,6 +1635,30 @@ api: | |
| type: boolean | ||
| example: ~ | ||
| default: "True" | ||
| regexp_query_timeout: | ||
| description: | | ||
| Timeout, in seconds, for regular-expression based query filters in the API. This single | ||
| value both enables the feature and bounds its runtime: a value of ``0`` (the default) | ||
| disables regexp filtering entirely, and any positive value enables it while capping how | ||
| long such a query may run. | ||
|
|
||
| When enabled, it allows additional filtering features that require database-side regexp | ||
| matching, such as the ``partition_key_regexp_pattern`` filter on ``GET /assets/events`` | ||
| and on the Execution API asset-event endpoints. It is disabled by default for security | ||
| reasons: a user-supplied regular expression is passed to the database's own regex engine, | ||
| which is a Regular expression Denial of Service (ReDoS) vector: a crafted pattern can | ||
| force the engine into pathological backtracking and consume database backend CPU. | ||
|
|
||
| The timeout is the primary runtime mitigation for that risk: on PostgreSQL it is enforced | ||
| as a transaction-local ``statement_timeout`` so a pathological pattern is aborted instead | ||
| of pinning a database backend (PostgreSQL has no built-in regex step limit, unlike MySQL's | ||
| ``regexp_time_limit``). Keep it as low as your legitimate queries allow. Coupling the | ||
| on/off switch with the timeout intentionally makes it impossible to enable regexp | ||
| filtering without a runtime bound in place. | ||
| version_added: 3.4.0 | ||
| type: integer | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Float maybe? To allow 0.5 etc? |
||
| example: ~ | ||
| default: "0" | ||
| secret_key: | ||
| description: | | ||
| Secret key used to run your api server. It should be as random as possible. However, when running | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we can do a direct link to the config via
Something like this exists