[fix](build) Fix insecure Python dependency pins in doris-compose, dbt-doris, and cost_model#64928
Open
arpitjain099 wants to merge 1 commit into
Open
[fix](build) Fix insecure Python dependency pins in doris-compose, dbt-doris, and cost_model#64928arpitjain099 wants to merge 1 commit into
arpitjain099 wants to merge 1 commit into
Conversation
- doris-compose/requirements.txt: requests<=2.31.0 allows pip to install versions below 2.31.0 which are affected by CVE-2023-32681 (Proxy-Authorization header leak on redirects). Changed to >=2.31.0. - dbt-doris/dev-requirements.txt: mysql-connector-python lower bound of 8.0.0 allows versions with known auth bypass issues. Raised to >=8.0.33. - cost_model_evaluate/requirements.txt: replaced mysql_connector_repackaged (abandoned third-party repackage, last released 2014) with the official mysql-connector-python package. The code imports mysql.connector which both packages provide. Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
Contributor
|
Thank you for your contribution to Apache Doris. Please clearly describe your PR:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What problem does this PR solve?
Issue Number: N/A
Related PR: #63188
Problem Summary:
Three Python requirements files have dependency pins that allow installing versions with known security issues.
docker/runtime/doris-compose/requirements.txt
The
requests<=2.31.0constraint sets an upper bound but no lower bound, so pip can resolve to any version below 2.31.0. Versions before 2.31.0 are affected by CVE-2023-32681 (Proxy-Authorization header leaked on cross-domain redirects). Changed torequests>=2.31.0to set a secure floor.extension/dbt-doris/dev-requirements.txt
The
mysql-connector-python>=8.0.0,<8.3lower bound allows versions with known authentication bypass issues. Raised the lower bound to>=8.0.33which includes the relevant fixes.tools/cost_model_evaluate/requirements.txt
The
mysql_connector_repackaged==0.3.1package is an unofficial third-party repackage of the MySQL connector whose last PyPI release was in 2014. Replaced with the officialmysql-connector-python>=8.0.33,<9package. The code insql_executor.pyimportsmysql.connectorwhich both packages provide, so this is a drop-in replacement.Release note
None
Check List (For Author)
Test
pip install -r docker/runtime/doris-compose/requirements.txtresolves correctly with the new pin.sql_executor.pyimportsmysql.connector(the standard interface), not the repackaged module name.Behavior changed:
Does this need documentation?