Headline
GHSA-p72q-h37j-3hq7: dbt uses a SQLparse version with a high vulnerability
Summary
Using a version of sqlparse that has a security vulnerability and no way to update in current version of dbt core. Snyk recommends using sqlparse==0.5 but this causes a conflict with dbt. Snyk states the issues is a recursion error: SNYK-PYTHON-SQLPARSE-6615674.
Details
Dependency conflict error message:
The conflict is caused by:
The user requested sqlparse==0.5
dbt-core 1.7.10 depends on sqlparse<0.5 and >=0.2.3
Resolution was to pin sqlparse >=0.5.0, <0.6.0 in dbt-core, patched in 1.6.13 and 1.7.13.
PoC
From Snyk:
import sqlparse
sqlparse.parse('[' * 10000 + ']' * 10000)
Impact
Snyk classifies it as high 7.5/10.
Patches
The bug has been fixed in dbt-core v1.6.13 and dbt-core v1.7.13.
Mitigations
Bump dbt-core 1.6 and 1.7 dependencies to 1.6.13 and 1.7.13 respectively
Summary
Using a version of sqlparse that has a security vulnerability and no way to update in current version of dbt core. Snyk recommends using sqlparse==0.5 but this causes a conflict with dbt. Snyk states the issues is a recursion error: SNYK-PYTHON-SQLPARSE-6615674.
Details
Dependency conflict error message:
The conflict is caused by: The user requested sqlparse==0.5 dbt-core 1.7.10 depends on sqlparse<0.5 and >=0.2.3
Resolution was to pin sqlparse >=0.5.0, <0.6.0 in dbt-core, patched in 1.6.13 and 1.7.13.
PoC
From Snyk:
import sqlparse sqlparse.parse('[' * 10000 + ']' * 10000)
Impact
Snyk classifies it as high 7.5/10.
Patches
The bug has been fixed in dbt-core v1.6.13 and dbt-core v1.7.13.
Mitigations
Bump dbt-core 1.6 and 1.7 dependencies to 1.6.13 and 1.7.13 respectively
References
- GHSA-p72q-h37j-3hq7
- https://security.snyk.io/vuln/SNYK-PYTHON-SQLPARSE-6615674
- GHSA-2m57-hf25-phgg