exploitDog
GHSA-p72q-h37j-3hq7

Published: 22 Apr 2024
Source: github
Github: Reviewed
CVSS3: 7.5

Description

dbt uses a SQLparse version with a high vulnerability

Summary

dbt-core depends on a version of sqlparse that has a known security vulnerability, and there is no way to update it within the current dbt-core release. Snyk recommends using sqlparse==0.5, but that conflicts with dbt-core's pinned dependency range. Snyk states that the issue is a recursion error: SNYK-PYTHON-SQLPARSE-6615674.

Details

Dependency conflict error message:

    The conflict is caused by:
        The user requested sqlparse==0.5
        dbt-core 1.7.10 depends on sqlparse<0.5 and >=0.2.3

The resolution was to pin sqlparse >=0.5.0, <0.6.0 in dbt-core; the fix shipped in 1.6.13 and 1.7.13.

PoC

From Snyk:

    import sqlparse

    # 10,000 nested brackets push sqlparse's recursive grouping past
    # Python's recursion limit, so parse() fails with a RecursionError
    sqlparse.parse('[' * 10000 + ']' * 10000)

Impact

Snyk classifies it as high 7.5/10.

Patches

The bug has been fixed in dbt-core v1.6.13 and dbt-core v1.7.13.

Mitigations

Bump dbt-core 1.6 and 1.7 dependencies to 1.6.13 and 1.7.13 respectively.
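Two checks a deployer might want from this advisory, written here as an added example (not code from dbt-core, sqlparse or Snyk): whether a given dbt-core version falls inside the affected ranges listed above, and whether a SQL string is nested deeply enough to trigger the recursion failure before it ever reaches sqlparse.parse(). The affected ranges and fix versions are the ones on this page; the hand-written three-part version parser and the nesting limit of 200 are assumptions of the example.

```python
"""Checks for GHSA-p72q-h37j-3hq7 (dbt-core / sqlparse recursion error).

Added example for this advisory page; not code from dbt-core, sqlparse or Snyk.
Affected ranges and fix versions come from the advisory. The version parser
only handles plain MAJOR.MINOR.PATCH strings and the nesting limit is an
assumed, conservative value (both are assumptions of this example).
"""

# (lower bound inclusive, upper bound exclusive, fixed version) per the advisory
AFFECTED_RANGES = [
    ((1, 6, 0), (1, 6, 13), "1.6.13"),
    ((1, 7, 0), (1, 7, 13), "1.7.13"),
]


def parse_version(text):
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple of ints.

    Simplified on purpose: pre-release or dev suffixes are rejected rather
    than guessed at.
    """
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts)


def dbt_core_status(version_text):
    """Return (affected, fix_version) for an installed dbt-core version.

    fix_version is None when the version is outside every listed range;
    that includes versions the advisory does not mention at all.
    """
    version = parse_version(version_text)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= version < high:
            return True, fixed
    return False, None


def nesting_depth(sql):
    """Maximum nesting depth of () and [] in a SQL string.

    Stray closing brackets are ignored instead of driving the count
    negative, so a malformed string still yields a sane number.
    """
    depth = deepest = 0
    for ch in sql:
        if ch in "([":
            depth += 1
            deepest = max(deepest, depth)
        elif ch in ")]" and depth > 0:
            depth -= 1
    return deepest


def safe_to_parse(sql, limit=200):
    """Pre-check to run on untrusted SQL before calling sqlparse.parse().

    Real queries rarely nest more than a handful of levels; the assumed
    limit of 200 leaves wide headroom while rejecting the advisory's PoC.
    """
    return nesting_depth(sql) <= limit


if __name__ == "__main__":
    for ver in ("1.7.10", "1.6.13", "1.7.13"):
        print(ver, dbt_core_status(ver))
    poc = "[" * 10000 + "]" * 10000  # the input from the advisory's PoC
    print("PoC nesting depth:", nesting_depth(poc))
    print("safe to parse:", safe_to_parse(poc))
```

The version check is the one to wire into a dependency audit; the nesting guard is a stop-gap for services that must keep accepting user-supplied SQL until the upgrade to 1.6.13 or 1.7.13 lands, since it rejects the pathological input without having to raise Python's recursion limit.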

Packages

    Name       Ecosystem   Affected versions     Fix version
    dbt-core   pip         >= 1.6.0, < 1.6.13    1.6.13
    dbt-core   pip         >= 1.7.0, < 1.7.13    1.7.13

7.5 High

CVSS3

Weaknesses

CWE-673
