Connection passwords visible in UI

[LukePaytec]

Apache Airflow version

3.0.3

If "Other Airflow 2 version" selected, which one?

No response

What happened?

In airflow 3.0.2 the AIRFLOW__CORE__HIDE_SENSITIVE_VAR_CONN_FIELDS is set to True and you are not allowed to see passwords, secrets ect, as they are hidden with ***. However when updating to airflow 3.0.3 the connections are accessible through the UI.

What you think should happen instead?

I would keep the passwords hashed and hidden from the UI. Seen in this image it should be like:

and not like this where someone can go grab it

How to reproduce

Make sure that you have airflow 3.0.2 installed and go make a connection. You will see the passwords are not filtered and show raw on the frontend UI.

Operating System

We tried on linux x64 and on arm64

Versions of Apache Airflow Providers

apache-airflow-providers-amazon==9.9.0
apache-airflow-providers-celery==3.12.1
apache-airflow-providers-cncf-kubernetes==10.6.1
apache-airflow-providers-common-compat==1.7.2
apache-airflow-providers-common-io==1.6.1
apache-airflow-providers-common-messaging==1.0.4
apache-airflow-providers-common-sql==1.27.3
apache-airflow-providers-docker==4.4.1
apache-airflow-providers-elasticsearch==6.3.1
apache-airflow-providers-fab==2.3.0
apache-airflow-providers-ftp==3.13.1
apache-airflow-providers-git==0.0.4
apache-airflow-providers-google==16.1.0
apache-airflow-providers-grpc==3.8.1
apache-airflow-providers-hashicorp==4.3.1
apache-airflow-providers-http==5.3.2
apache-airflow-providers-microsoft-azure==12.5.0
apache-airflow-providers-mysql==6.3.2
apache-airflow-providers-odbc==4.10.1
apache-airflow-providers-openlineage==2.5.0
apache-airflow-providers-postgres==6.2.1
apache-airflow-providers-redis==4.1.1
apache-airflow-providers-sendgrid==4.1.2
apache-airflow-providers-sftp==5.3.2
apache-airflow-providers-slack==9.1.2
apache-airflow-providers-smtp==2.1.1
apache-airflow-providers-snowflake==6.5.0
apache-airflow-providers-ssh==4.1.1
apache-airflow-providers-standard==1.4.1

Deployment

Official Apache Airflow Helm Chart

Deployment details

Using k8s we deployed using the helm chart on the arm64 machine and used argo to deploy on the linux machine.

Anything else?

This bug happens every time and I suspect its not a big issue which can be resolved for next release.

Are you willing to submit PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct

[boring-cyborg]

Thanks for opening your first issue here! Be sure to follow the issue template! If you are willing to raise PR to address this issue please do so, no need to wait for approval.

[jroachgolf84]

Make sure that you have airflow 3.0.2 installed and go make a connection. You will see the passwords are not filtered and show raw on the frontend UI.

Just to validate, this is for Airflow 3.0.2, or 3.0.3?

[vikramkoka]

cc: @vatsrahul1001

[vatsrahul1001]

Verified this is a new bug introduced in 3.0.3. This works fine with 3.0.2
cc: @pierrejeambrun

[pierrejeambrun]

This change seems to be deliberate, introduced in #52403 and I really do not understand the motivation there. That seems plain wrong but I might be missing some context. (Basically you can query the API and retrieve sensitive fields unmasked with that, which completely defeat the purpose of AIRFLOW__CORE__HIDE_SENSITIVE_VAR_CONN_FIELDS)

[ashb]

@pierrejeambrun Agreed, That change needs reverting and 3.0.4 released immediately. The UI should be updated to not try to send the password then the form is submitted.