Lucene search
GoogleOSV:GHSA-P72Q-H37J-3HQ7HistoryApr 22, 2024 - 10:17 p.m.
dbt uses a SQLparse version with a high vulnerability
2024-04-2222:17:59
Google
osv.dev
12
vulnerable sqlparse
dbt-core
dependency conflict
high vulnerability
mitigation
7.1 High
AI Score
Confidence
High
Summary
Using a version of sqlparse that has a security vulnerability and no way to update in current version of dbt core. Snyk recommends using sqlparse==0.5 but this causes a conflict with dbt. Snyk states the issues is a recursion error: SNYK-PYTHON-SQLPARSE-6615674.
Details
Dependency conflict error message:
The conflict is caused by:
The user requested sqlparse==0.5
dbt-core 1.7.10 depends on sqlparse<0.5 and >=0.2.3
Resolution was to pin sqlparse >=0.5.0, <0.6.0 in dbt-core, patched in 1.6.13 and 1.7.13.
PoC
From Snyk:
import sqlparse
sqlparse.parse('[' * 10000 + ']' * 10000)
Impact
Snyk classifies it as high 7.5/10.
Patches
The bug has been fixed in dbt-core v1.6.13 and dbt-core v1.7.13.
Mitigations
Bump dbt-core 1.6 and 1.7 dependencies to 1.6.13 and 1.7.13 respectively
7.1 High
AI Score
Confidence
High