GHSA-p72q-h37j-3hq7

Source
https://github.com/advisories/GHSA-p72q-h37j-3hq7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-p72q-h37j-3hq7/GHSA-p72q-h37j-3hq7.json
Published
2024-04-22T22:17:59Z
Modified
2024-04-22T22:33:57.753983Z
Details

Summary

dbt-core depends on a version of sqlparse that has a known security vulnerability, and there is no way to update it in the current version of dbt-core. Snyk recommends using sqlparse==0.5, but this causes a dependency conflict with dbt-core. Snyk states that the issue is a recursion error: SNYK-PYTHON-SQLPARSE-6615674.

Details

Dependency conflict error message:

The conflict is caused by:
    The user requested sqlparse==0.5
    dbt-core 1.7.10 depends on sqlparse<0.5 and >=0.2.3

Resolution was to pin sqlparse >=0.5.0, <0.6.0 in dbt-core, patched in 1.6.13 and 1.7.13.

PoC

From Snyk:

import sqlparse
sqlparse.parse('[' * 10000 + ']' * 10000)

Impact

Snyk classifies it as high severity (7.5/10).

Patches

The bug has been fixed in dbt-core v1.6.13 and dbt-core v1.7.13.

Mitigations

Bump dbt-core 1.6 and 1.7 dependencies to 1.6.13 and 1.7.13 respectively.
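The following script is an added example, not code from dbt-core, sqlparse, Snyk or the advisory itself. It reproduces two things the advisory describes: the dependency conflict pip reported (a user pin of sqlparse==0.5 against dbt-core 1.7.10's pin of sqlparse<0.5 and >=0.2.3, which the patched pin >=0.5.0,<0.6.0 resolves), and a check of an installed dbt-core version against the advisory's affected ranges (1.6.0 up to but excluding 1.6.13, and 1.7.0 up to but excluding 1.7.13). The version parser is a deliberately small, hand-written subset of PEP 440 (numeric release segments plus an optional a/b/rc suffix), so it only needs the standard library; the `installed` dictionaries and the candidate version list are constructed sample input.

```python
import re

# Minimal PEP 440 subset: "1.6.13", "0.5", "1.6.1rc1". Assumption: this is
# enough for the version strings on the advisory page; it is not a full
# replacement for packaging.version.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL_RANK = 3  # a final release sorts after any pre-release of the same number


def parse_version(text):
    """Return a sortable key (release tuple, pre-release rank, pre-release number)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = [int(part) for part in m.group(1).split(".")]
    # Normalise trailing zeros so that "0.5" and "0.5.0" compare equal.
    while len(release) > 1 and release[-1] == 0:
        release.pop()
    if m.group(2):
        pre = (_PRE_RANK[m.group(2)], int(m.group(3)))
    else:
        pre = (_FINAL_RANK, 0)
    return (tuple(release), *pre)


_OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


def satisfies(version, specifier):
    """True if `version` meets every clause of `specifier`.

    Clauses may be separated by commas (requirements syntax) or by " and "
    (the form pip uses in its conflict message, e.g. "<0.5 and >=0.2.3").
    """
    key = parse_version(version)
    for clause in re.split(r"\s*,\s*|\s+and\s+", specifier.strip()):
        m = re.match(r"^(==|!=|>=|<=|>|<)\s*(\S+)$", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](key, parse_version(bound)):
            return False
    return True


# Pins quoted in the advisory: what dbt-core 1.7.10 required, and the pin
# that resolved the conflict in the patched releases.
DBT_OLD_SQLPARSE_PIN = "<0.5 and >=0.2.3"
DBT_FIXED_SQLPARSE_PIN = ">=0.5.0,<0.6.0"

# Affected dbt-core ranges from the advisory's "Affected ranges" entries.
AFFECTED_DBT_RANGES = [">=1.6.0,<1.6.13", ">=1.7.0,<1.7.13"]


def resolvable_versions(user_pin, dependency_pin, candidates):
    """Candidate versions acceptable to both pins.

    An empty result is exactly the "conflict is caused by" situation pip
    printed: no release of sqlparse satisfies both sqlparse==0.5 and <0.5.
    """
    return [v for v in candidates
            if satisfies(v, user_pin) and satisfies(v, dependency_pin)]


def dbt_core_is_affected(version):
    """True if this dbt-core version falls inside a range listed by the advisory."""
    return any(satisfies(version, r) for r in AFFECTED_DBT_RANGES)


def check_environment(installed):
    """Given {package: version} for an environment, list advisory findings.

    Versions outside 1.6.x/1.7.x (e.g. 1.8.0) are simply not in the advisory's
    ranges; the check reports "not affected by this advisory", nothing more.
    """
    findings = []
    dbt = installed.get("dbt-core")
    if dbt and dbt_core_is_affected(dbt):
        findings.append(f"dbt-core {dbt} is within GHSA-p72q-h37j-3hq7 affected ranges; "
                        "upgrade to 1.6.13 or 1.7.13")
    sqlparse = installed.get("sqlparse")
    if sqlparse and satisfies(sqlparse, "<0.5"):
        findings.append(f"sqlparse {sqlparse} predates the 0.5 fix for the recursion error")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs.
    candidates = ["0.4.4", "0.5.0"]
    print("old pin:", resolvable_versions("==0.5", DBT_OLD_SQLPARSE_PIN, candidates))
    print("fixed pin:", resolvable_versions("==0.5", DBT_FIXED_SQLPARSE_PIN, candidates))
    for env in ({"dbt-core": "1.7.10", "sqlparse": "0.4.4"},
                {"dbt-core": "1.7.13", "sqlparse": "0.5.0"}):
        print(env, "->", check_environment(env) or ["no findings"])
```

Running the script shows the old pin leaving no common version with sqlparse==0.5, the fixed pin admitting 0.5.0, and the 1.7.10 environment flagged on both packages while 1.7.13 with sqlparse 0.5.0 is clean. Pre-release tags such as 1.6.1rc1 are ordered before the corresponding final release, which is why they fall inside the 1.6 range exactly as the advisory lists them.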

References

Affected packages

PyPI / dbt-core

Package

Name
dbt-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.6.0
Fixed
1.6.13

Affected versions

1.*

1.6.0
1.6.1rc1
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.6.9
1.6.10
1.6.11
1.6.12

PyPI / dbt-core

Package

Name
dbt-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.7.0
Fixed
1.7.13

Affected versions

1.*

1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6
1.7.7
1.7.8
1.7.9
1.7.10
1.7.11
1.7.12