Lucene search

GitHub Advisory DatabaseGHSA-P72Q-H37J-3HQ7

HistoryApr 22, 2024 - 10:17 p.m.

dbt uses a SQLparse version with a high vulnerability

2024-04-2222:17:59

CWE-673

GitHub Advisory Database

github.com

dbt-core

poc

dependency conflict

snyk

sqlparse vulnerability

patched

vulnerability

mitigations

high impact

7.1 High

AI Score

Confidence

High

JSON

Summary

Using a version of sqlparse that has a security vulnerability and no way to update in current version of dbt core. Snyk recommends using sqlparse==0.5 but this causes a conflict with dbt. Snyk states the issues is a recursion error: SNYK-PYTHON-SQLPARSE-6615674.

Details

Dependency conflict error message:

The conflict is caused by:
    The user requested sqlparse==0.5
    dbt-core 1.7.10 depends on sqlparse&lt;0.5 and &gt;=0.2.3

Resolution was to pin sqlparse >=0.5.0, <0.6.0 in dbt-core, patched in 1.6.13 and 1.7.13.

PoC

From Snyk:

import sqlparse
sqlparse.parse('[' * 10000 + ']' * 10000)

Impact

Snyk classifies it as high 7.5/10.

Patches

The bug has been fixed in dbt-core v1.6.13 and dbt-core v1.7.13.

Mitigations

Bump dbt-core 1.6 and 1.7 dependencies to 1.6.13 and 1.7.13 respectively

Affected configurations

Vulners

Node

dbtcoreRange<1.7.13

dbtcoreRange<1.6.13

CPENameOperatorVersion
dbt-corelt1.7.13
dbt-corelt1.6.13

CPE	Name	Operator	Version
	dbt-core	lt	1.7.13
	dbt-core	lt	1.6.13

References

github.com/advisories/GHSA-p72q-h37j-3hq7

github.com/andialbrecht/sqlparse/security/advisories/GHSA-2m57-hf25-phgg

github.com/dbt-labs/dbt-core/security/advisories/GHSA-p72q-h37j-3hq7

security.snyk.io/vuln/SNYK-PYTHON-SQLPARSE-6615674

7.1 High

AI Score

Confidence

High

JSON