
[fix](build) Fix insecure Python dependency pins in doris-compose, dbt-doris, and cost_model#64928

Open
arpitjain099 wants to merge 1 commit into apache:master from arpitjain099:fix/python-dependency-pins

Conversation

@arpitjain099

Contributor

What problem does this PR solve?

Issue Number: N/A

Related PR: #63188

Problem Summary:
Three Python requirements files have dependency pins that allow installing versions with known security issues.

docker/runtime/doris-compose/requirements.txt

The requests<=2.31.0 constraint sets an upper bound but no lower bound, so pip can resolve to any version below 2.31.0. Versions before 2.31.0 are affected by CVE-2023-32681 (Proxy-Authorization header leaked on cross-domain redirects). Changed to requests>=2.31.0 to set a secure floor.

extension/dbt-doris/dev-requirements.txt

The mysql-connector-python>=8.0.0,<8.3 lower bound allows versions with known authentication bypass issues. Raised the lower bound to >=8.0.33 which includes the relevant fixes.

tools/cost_model_evaluate/requirements.txt

The mysql_connector_repackaged==0.3.1 package is an unofficial third-party repackage of the MySQL connector whose last PyPI release was in 2014. Replaced with the official mysql-connector-python>=8.0.33,<9 package. The code in sql_executor.py imports mysql.connector which both packages provide, so this is a drop-in replacement.

Release note

None

Check List (For Author)

  • Test

    • Regression test
    • Unit Test
    • Manual test (add detailed scripts or steps below)
      • Verified that pip install -r docker/runtime/doris-compose/requirements.txt resolves correctly with the new pin.
      • Confirmed sql_executor.py imports mysql.connector (the standard interface), not the repackaged module name.
    • No need to test or manual test. Explain why:
      • This is a refactor/code format and no logic has been changed.
      • Previous test can cover this change.
      • No code files have been changed.
      • Other reason
  • Behavior changed:
    • No.
  • Does this need documentation?
    • No.

- doris-compose/requirements.txt: requests<=2.31.0 allows pip to
  install versions below 2.31.0 which are affected by CVE-2023-32681
  (Proxy-Authorization header leak on redirects). Changed to >=2.31.0.

- dbt-doris/dev-requirements.txt: mysql-connector-python lower bound
  of 8.0.0 allows versions with known auth bypass issues. Raised to
  >=8.0.33.

- cost_model_evaluate/requirements.txt: replaced mysql_connector_repackaged
  (abandoned third-party repackage, last released 2014) with the
  official mysql-connector-python package. The code imports
  mysql.connector which both packages provide.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
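
The "upper bound but no lower bound" problem described in this PR, as an added example that is not part of the PR or of Apache Doris: a small Python checker that parses a requirements line and asks whether its specifier can still resolve to a version older than the release that fixes the issue. It handles plain dotted versions only (no pre-release or local tags), treats `>v` conservatively as a floor at `v`, and the fixed-version map below is constructed from the floors the PR description cites (2.31.0 for CVE-2023-32681, 8.0.33 for the connector).

```python
import re
from typing import Dict, List, Tuple

# Requirement line: package name, then a comma-separated PEP 440 specifier.
REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*([^#]*?)\s*(?:#.*)?$")
SPEC_RE = re.compile(r"^(>=|<=|==|!=|~=|>|<)\s*([0-9][0-9.]*)$")

def parse_version(v: str) -> Tuple[int, ...]:
    """'8.0.33' -> (8, 0, 33); trailing zeros dropped so '2.31' == '2.31.0'."""
    parts = [int(p) for p in v.strip(".").split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def floor_of(specifier: str) -> Tuple[Tuple[int, ...], bool]:
    """Lowest version the specifier can resolve to, and whether it was bounded.
    Only >=, >, == and ~= raise the floor.  <=, < and != leave it open, which
    is exactly why 'requests<=2.31.0' still lets pip pick a vulnerable release.
    """
    floor, bounded = (0,), False
    for clause in filter(None, (c.strip() for c in specifier.split(","))):
        m = SPEC_RE.match(clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        if m.group(1) in (">=", ">", "==", "~="):
            floor, bounded = max(floor, parse_version(m.group(2))), True
    return floor, bounded

def pin_has_secure_floor(requirement: str, fixed_version: str) -> bool:
    """True only if no version older than fixed_version can be installed."""
    floor, bounded = floor_of(REQ_RE.match(requirement).group(2))
    return bounded and floor >= parse_version(fixed_version)

def audit_requirements(text: str, fixed: Dict[str, str]) -> List[Tuple[str, bool]]:
    """(package, ok) per line; packages without a known fixed version pass."""
    results = []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith(("#", "-")):
            continue
        name = REQ_RE.match(line).group(1)
        key = name.lower().replace("_", "-")  # normalise underscore spellings
        results.append((name, key not in fixed or pin_has_secure_floor(line, fixed[key])))
    return results

# Constructed inputs mirroring the PR; the floors are the versions the PR
# description cites (2.31.0 for CVE-2023-32681, 8.0.33 for the connector).
FIXED = {"requests": "2.31.0", "mysql-connector-python": "8.0.33"}
BEFORE = "requests<=2.31.0\nmysql-connector-python>=8.0.0,<8.3\n"
AFTER = "requests>=2.31.0\nmysql-connector-python>=8.0.33,<9\n"
```

`audit_requirements(BEFORE, FIXED)` flags both original pins, while the same call on `AFTER` passes both.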
@hello-stephen

Contributor

Thank you for your contribution to Apache Doris.
Don't know what should be done next? See How to process your PR.

Please clearly describe your PR:

  1. What problem was fixed (it's best to include specific error reporting information). How it was fixed.
  2. Which behaviors were modified. What was the previous behavior, what is it now, why was it modified, and what possible impacts might there be.
  3. What features were added. Why was this function added?
  4. Which code was refactored and why was this part of the code refactored?
  5. Which functions were optimized and what is the difference before and after the optimization?
