fix: redact non-JSON connection extra to prevent credential leakage #63161

Open
0x0OZ wants to merge 5 commits into apache:main from 0x0OZ:fix/redact-non-json-connection-extra

0x0OZ commented Mar 8, 2026

Description

Currently, if a Connection's extra field contains an unstructured string (e.g., a raw Bearer token), the redact_extra validator in ConnectionResponse catches the JSONDecodeError and returns the plaintext payload. This fails open, exposing legacy or misconfigured secrets via the REST API to any user with can_read on Connections.

Fix

Modified the exception handler to fail closed. If the extra payload cannot be parsed as JSON for targeted redaction, the entire string is now masked with the standard "***" sentinel.

Testing

Added parametrized test test_get_should_redact_non_json_extra to validate blanket redaction across raw tokens, query strings, and plaintext formats.

Was generative AI tooling used to co-author this PR?

-- Resolving #63160

  • Yes
    Tool: Claude Code

boring-cyborg bot commented Mar 8, 2026

Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about anything please check our Contributors' Guide (https://github.com/apache/airflow/blob/main/contributing-docs/README.rst).
Here are some useful points:

  • Pay attention to the quality of your code (ruff, mypy and type annotations). Our prek-hooks will help you with that.
  • In case of a new feature add useful documentation (in docstrings or in docs/ directory). Adding a new operator? Check this short guide. Consider adding an example DAG that shows how users should use it.
  • Consider using Breeze environment for testing locally, it's a heavy docker but it ships with a working Airflow and a lot of integrations.
  • Be patient and persistent. It might take some time to get a review or get the final approval from Committers.
  • Please follow ASF Code of Conduct for all communication including (but not limited to) comments on Pull Requests, Mailing list and Slack.
  • Be sure to read the Airflow Coding style.
  • Always keep your Pull Requests rebased, otherwise your build might fail due to changes not related to your commits.

Apache Airflow is a community-driven project and together we are making it better 🚀.
In case of doubts contact the developers at:
Mailing List: dev@airflow.apache.org
Slack: https://s.apache.org/airflow-slack

@boring-cyborg boring-cyborg bot added the area:API Airflow's REST/HTTP API label Mar 8, 2026

SameerMesiah97 (Contributor) left a comment

1-2 nits. It's fine otherwise. This will mask non-sensitive extras but I believe that is better than potentially leaking secrets.

Let's wait for CI to run as well.

@choo121600 (Member)

@0x0OZ This PR has been converted to draft because it does not yet meet our Pull Request quality criteria.

Issues found:

  • Pre-commit / static checks: Failing: CI image checks / Static checks. Run prek run --from-ref main locally to find and fix issues. See Pre-commit / static checks docs.
  • mypy (type checking): Failing: CI image checks / MyPy checks (mypy-airflow-core). Run prek --stage manual mypy-airflow-core --all-files locally to reproduce. You need breeze ci-image build --python 3.10 for Docker-based mypy. See mypy (type checking) docs.
  • Provider tests: Failing: Postgres tests: providers / DB-prov:Postgres:14:3.10:-amazon,celer...standard, MySQL tests: providers / DB-prov:MySQL:8.0:3.10:-amazon,celer...standard, Sqlite tests: providers / DB-prov:Sqlite:3.10:-amazon,celer...standard, Non-DB tests: providers / Non-DB-prov::3.10:-amazon,celer...standard, Special tests / Min SQLAlchemy test: providers / DB-prov:MinSQLAlchemy-Postgres:14:3.10:-amazon,celer...standard (+6 more). Run provider tests with breeze run pytest <provider-test-path> -xvs. See Provider tests docs.
  • Other failing CI checks: Failing: CI image checks / Test Python API client, Postgres tests: core / DB-core:Postgres:14:3.10:API...Serialization, MySQL tests: core / DB-core:MySQL:8.0:3.10:API...Serialization, Sqlite tests: core / DB-core:Sqlite:3.10:API...Serialization, Non-DB tests: core / Non-DB-core::3.10:API...Serialization (+8 more). Run prek run --from-ref main locally to reproduce. See static checks docs.

Note: Your branch is 118 commits behind main. Some check failures may be caused by changes in the base branch rather than by your PR. Please rebase your branch and push again to get up-to-date CI results.

What to do next:

  • The comment informs you what you need to do.
  • Fix each issue, then mark the PR as "Ready for review" in the GitHub UI - but only after making sure that all the issues are fixed.
  • Maintainers will then proceed with a normal review.

Converting a PR to draft is not a rejection — it is an invitation to bring the PR up to the project's standards so that maintainer review time is spent productively. If you have questions, feel free to ask on the Airflow Slack.

@choo121600 choo121600 marked this pull request as draft March 11, 2026 08:16
@0x0OZ 0x0OZ force-pushed the fix/redact-non-json-connection-extra branch from 157545e to 3945108 Compare March 11, 2026 15:29

0x0OZ (Author) commented Mar 11, 2026

There was no conflict, yay!

I hope now the tests will pass

@choo121600 choo121600 marked this pull request as ready for review March 11, 2026 15:41

0x0OZ (Author) commented Mar 14, 2026

Maybe I should not have dared to push into something I am not familiar with

pierrejeambrun (Member) left a comment

I don't think always redacting is a good approach.

Also the 'extra' field should always be a 'valid json', if we check at the Connection._validate_extra in the database, we will never persist a connection with a non valid json as 'extra'.

So basically this should never happen. Do you happen to have a use case where the API returns extra in plain text when the extra isn't a valid json?

Maybe we should instead raise a ValidationError there, explicitly saying that this is not expected and that we should never encounter this code path.
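
The three behaviours discussed in this thread for an extra that is not JSON (return it as-is, mask it whole, or reject it), shown side by side as an added example; it is not Airflow's code and not part of this PR. The `redact_extra` function here is a stand-in, and its `on_invalid` parameter, `SENSITIVE_KEYS` and the sample values are assumptions made for illustration.

```python
import json

MASK = "***"  # sentinel named in the PR description
# Assumption: a constructed key list; Airflow's real masking rules are its own.
SENSITIVE_KEYS = {"password", "token", "secret", "api_key"}


def _mask(value):
    """Recursively mask values stored under sensitive-looking keys."""
    if isinstance(value, dict):
        return {
            k: MASK if k.lower() in SENSITIVE_KEYS else _mask(v)
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [_mask(v) for v in value]
    return value


def redact_extra(extra, on_invalid="raise"):
    """Redact a connection 'extra' string (hypothetical stand-in).

    on_invalid selects what happens when extra is not a JSON object:
      "passthrough" - fail open (the behaviour the PR description reports)
      "mask"        - fail closed with a blanket mask (this PR's change)
      "raise"       - reject it as unexpected (the reviewer's suggestion)
    """
    if extra is None:
        return None
    try:
        parsed = json.loads(extra)
        if not isinstance(parsed, dict):
            raise ValueError("extra is valid JSON but not an object")
    except ValueError as exc:  # json.JSONDecodeError subclasses ValueError
        if on_invalid == "passthrough":
            return extra  # the unparsed secret reaches the API response
        if on_invalid == "mask":
            return MASK  # also hides non-sensitive extras
        raise ValueError("connection extra must be a JSON object") from exc
    return json.dumps(_mask(parsed))


# Constructed sample values, not taken from the PR or its tests.
RAW_TOKEN = "Bearer abc123-constructed"
JSON_EXTRA = '{"region": "eu-west-1", "token": "abc123-constructed"}'
```
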

0x0OZ (Author) commented Mar 18, 2026

> I don't think always redacting is a good approach.
>
> Also the 'extra' field should always be a 'valid json', if we check at the Connection._validate_extra in the database, we will never persist a connection with a non valid json as 'extra'.
>
> So basically this should never happen. Do you happen to have a use case where the API returns extra in plain text when the extra isn't a valid json?
>
> Maybe we should instead raise a ValidationError there, explicitly saying that this is not expected and that we should never encounter this code path.

I don't have a real use case in hand for why someone would use non-valid JSON data in the extra...
But your conclusion is better than my theoretical assumptions about it.

@pierrejeambrun (Member)

Maybe something like this #63883.

Let's see what the CI says and we can close this one I believe.
