
chore(deps): update dependency dbt-core to v1.7.15 [security] #486

Open: wants to merge 1 commit into base: main
Conversation

plural-renovate[bot]
Contributor

@plural-renovate plural-renovate bot commented Apr 26, 2024

This PR contains the following updates:

Package   Update   Change
dbt-core  patch    ==1.7.9 -> ==1.7.15

GitHub Vulnerability Alerts

GHSA-p72q-h37j-3hq7

Summary

Using a version of sqlparse that has a security vulnerability and no way to update in the current version of dbt core. Snyk recommends using sqlparse==0.5 but this causes a conflict with dbt. Snyk states the issue is a recursion error: SNYK-PYTHON-SQLPARSE-6615674.

Details

Dependency conflict error message:

The conflict is caused by:
    The user requested sqlparse==0.5
    dbt-core 1.7.10 depends on sqlparse<0.5 and >=0.2.3

Resolution was to pin sqlparse >=0.5.0, <0.6.0 in dbt-core, patched in 1.6.13 and 1.7.13.

PoC

From Snyk:

import sqlparse
# 10,000 nested brackets: each level recurses in the grouping code of sqlparse < 0.5
sqlparse.parse('[' * 10000 + ']' * 10000)

Impact

Snyk classifies it as high 7.5/10.

Patches

The bug has been fixed in dbt-core v1.6.13 and dbt-core v1.7.13.

Mitigations

Bump dbt-core 1.6 and 1.7 dependencies to 1.6.13 and 1.7.13 respectively

CVE-2024-36105

Summary

Binding to INADDR_ANY (0.0.0.0) or IN6ADDR_ANY (::) exposes an application on all network interfaces, increasing the risk of unauthorized access.

While doing some static analysis and code inspection, I found the following code binding a socket to INADDR_ANY by passing "" as the address. This effectively binds to any network interface on the local system, not just localhost (127.0.0.1).

Details

As stated in the Python docs, a special form for address is accepted instead of a host address: '' represents INADDR_ANY, equivalent to "0.0.0.0". On systems with IPv6, '' represents IN6ADDR_ANY, which is equivalent to "::".

https://github.com/dbt-labs/dbt-core/blob/main/core/dbt/task/docs/serve.py#L23C38-L23C39

The text around this code also implies the intention is to host docs only on localhost.

PoC

To recreate, run the docs ServeTask.run() to stand up the HTTP server. Then run netstat to see what addresses this process is bound to.

Impact

A user who serves docs on an unsecured public network may unknowingly be hosting an unsecured (http) web site for any remote user/system to access on the same network.

Further references:
https://docs.python.org/3/library/socket.html#socket-families
https://docs.securesauce.dev/rules/PY030
https://cwe.mitre.org/data/definitions/1327.html

Patches

The issue has been mitigated in dbt-core v1.6.15, dbt-core v1.7.15, and dbt-core v1.8.1 by binding to localhost explicitly by default in dbt docs serve (https://github.com/dbt-labs/dbt-core/issues/10209).


Release Notes

dbt-labs/dbt-core (dbt-core)

v1.7.15: dbt-core v1.7.15

Compare Source

dbt-core 1.7.15 - May 22, 2024

Fixes
  • Fix the semicolon semantics for indexes while respecting other bug fix (#85)
Security
  • Explicitly bind to localhost in docs serve (#10209)

v1.7.14: dbt-core v1.7.14

Compare Source

dbt-core 1.7.14 - May 02, 2024

Features
  • Move flags from UserConfig in profiles.yml to flags in dbt_project.yml (#9183)
  • Add require_explicit_package_overrides_for_builtin_materializations to dbt_project.yml flags, which can be used to opt-out of overriding built-in materializations from packages (#10007)
Fixes
  • remove materialized views from renameable relation and remove a quote (#127)
  • Replace usage of Set with List to fix issue with index updates intermittently happening out of order (#72)
Under the Hood
  • Raise deprecation warning if installed package overrides built-in materialization (#9971)
  • Remove the final underscore from secret environment variable constants. (#10052)

v1.7.13: dbt-core v1.7.13

Compare Source

dbt-core 1.7.13 - April 18, 2024

Security
Contributors

v1.7.12: dbt-core v1.7.12

Compare Source

dbt-core 1.7.12 - April 16, 2024

Fixes
  • Fix assorted source freshness edge cases so check is run or actionable information is given (#9078)
  • Exclude password-like fields for considering reparse (#9795)

v1.7.11: dbt-core v1.7.11

Compare Source

dbt-core 1.7.11 - March 28, 2024

Fixes
  • Tighten exception handling to avoid worker thread hangs. (#9583)
  • Add field wrapper to BaseRelation members that were missing it. (#9681)

v1.7.10: dbt-core v1.7.10

Compare Source

dbt-core 1.7.10 - March 14, 2024

Fixes
  • Do not add duplicate input_measures (#9360)
  • Fix partial parsing KeyError on deleted schema files (#8860)
  • Support saved queries in dbt list (#9532)
Dependencies
  • Restrict protobuf to 4.* versions (#9566)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Renovate Bot.
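The INADDR_ANY binding described under CVE-2024-36105 above, as an added example that is not part of this PR or of dbt-core: it assumes a plain http.server.HTTPServer stands in for the docs server, binds it first with host "" (the pre-1.7.15 behaviour the advisory describes) and then with "127.0.0.1" (the explicit-localhost fix), and checks the bound address in-process via getsockname() instead of netstat.

```python
"""Added example, not code from dbt-core or from this PR: it shows why an
HTTPServer bound with host "" listens on every interface (INADDR_ANY), the
explicit-localhost binding that the 1.7.15 fix applies, and how to verify
the address the kernel actually bound without leaving the process."""
from http.server import HTTPServer, SimpleHTTPRequestHandler

WILDCARD_ADDRESSES = ("0.0.0.0", "::")  # INADDR_ANY and IN6ADDR_ANY


def start_docs_server(host: str, port: int = 0) -> HTTPServer:
    """Bind a static-file server the way a docs server would (assumption:
    a stand-in for dbt's ServeTask). port=0 lets the kernel pick a free port
    so the example runs on any machine."""
    return HTTPServer((host, port), SimpleHTTPRequestHandler)


def bound_address(server: HTTPServer) -> str:
    """Return the address the kernel actually bound, e.g. '0.0.0.0' for ''."""
    return server.socket.getsockname()[0]


def is_wildcard_bind(address: str) -> bool:
    """True when the listener is reachable on every interface of the host."""
    return address in WILDCARD_ADDRESSES


def audit_bind(host: str) -> tuple[str, bool]:
    """Bind, inspect, release. Returns (bound address, exposed on all interfaces?)."""
    server = start_docs_server(host)
    try:
        address = bound_address(server)
        return address, is_wildcard_bind(address)
    finally:
        server.server_close()  # release the port; nothing was served


if __name__ == "__main__":
    # Pre-fix behaviour from the advisory: host "" means INADDR_ANY.
    print("host ''        ->", audit_bind(""))           # ('0.0.0.0', True)
    # The fix: bind to localhost explicitly so only this machine can reach it.
    print("host 127.0.0.1 ->", audit_bind("127.0.0.1"))  # ('127.0.0.1', False)
```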

@plural-renovate plural-renovate bot enabled auto-merge (squash) April 26, 2024 06:19
@plural-renovate plural-renovate bot force-pushed the renovate/pypi-dbt-core-vulnerability branch from 737216f to 40c2f77 Compare May 1, 2024 05:58
@plural-renovate plural-renovate bot force-pushed the renovate/pypi-dbt-core-vulnerability branch from 40c2f77 to 6a34509 Compare May 28, 2024 14:17
Signed-off-by: plural-renovate[bot]@users.noreply.github.com
@plural-renovate plural-renovate bot force-pushed the renovate/pypi-dbt-core-vulnerability branch from 6a34509 to 878aea4 Compare May 28, 2024 22:04
@plural-renovate plural-renovate bot changed the title chore(deps): update dependency dbt-core to v1.7.13 [security] chore(deps): update dependency dbt-core to v1.7.15 [security] May 28, 2024