[Security] CVE-2019-8341 advice please #10250
Comments
Thanks for reaching out about this @brabster ! Sounds like you'd just like us to take a look and confirm that dbt-core is not affected by CVE-2019-8341? Specifically:
Yes please @dbeatty10 - I've done my own assessment (https://tempered.works/posts/2024/06/02/handling-cve-2019-8341-for-dbt-and-mkdocs/) but always helpful to get an all-clear and probably useful for others who might be getting pinged by safety as of Saturday!
We took an initial look internally, and:
We believe the environment we're loading there should always be a subclass of
Yes, we always subclass from SandboxedEnvironment.
Quoting https://bugzilla.redhat.com/show_bug.cgi?id=1677653#c4
Is this a new bug in dbt-core?
Current Behavior
safety reporting a vulnerability in Jinja2 transitive for dbt-core et al.
-> Vulnerability found in jinja2 version 3.1.4
Vulnerability ID: 70612
Affected spec: >=0
ADVISORY: In Jinja2, the from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer...
CVE-2019-8341
For more information about this vulnerability, visit https://data.safetycli.com/v/70612/97c
To ignore this vulnerability, use PyUp vulnerability id 70612 in safety’s ignore command-line argument or add the ignore to your safety policy file.
Expected Behavior
No vulnerabilities reported, ideally. There's no fix version available (and might never be) so this is more to have you confirm that dbt-core is not affected by this vuln. I don't think it is, as I don't think you use from_string, and I think you do run Jinja2 sandboxed, but confirmation would be useful. I don't think this is the right template but it's not a new vulnerability either 🤷
Steps To Reproduce
any version of dbt core
install safety
run safety check
Relevant log output
No response
Environment
GitHub action with vulnerability detected this morning https://github.com/brabster/pypi_vulnerabilities/actions/runs/9327416694/job/25677263698#step:3:510
Which database adapter are you using with dbt?
No response
Additional Context
No response
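A check for the two claims this thread rests on (the environment is a subclass of SandboxedEnvironment, and the sandbox refuses the attribute traversal that SSTI through from_string depends on), written as an added example rather than dbt-core's own code; ProjectEnvironment is a hypothetical stand-in for a project's subclass, and both templates are constructed for the check.

```python
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed probe: walks dunder attributes, which is what template injection
# through from_string relies on. SandboxedEnvironment.is_safe_attribute rejects
# every attribute name starting with "_", so the sandbox must refuse it.
PROBE_TEMPLATE = "{{ ''.__class__.__mro__ }}"

# Constructed benign template: the sandbox must still render ordinary templating.
BENIGN_TEMPLATE = "select * from {{ schema | upper }}.{{ table }}"


class ProjectEnvironment(SandboxedEnvironment):
    """Hypothetical stand-in for a project-defined environment subclass."""


def is_sandboxed(env: Environment) -> bool:
    """Structural check: is this environment (a subclass of) the sandbox?"""
    return isinstance(env, SandboxedEnvironment)


def probe_is_blocked(env: Environment) -> bool:
    """Behavioural check: True when rendering the probe raises SecurityError."""
    try:
        env.from_string(PROBE_TEMPLATE).render()
    except SecurityError:
        return True
    return False


def renders_benign(env: Environment) -> str:
    """Confirm the sandbox does not break legitimate templates."""
    return env.from_string(BENIGN_TEMPLATE).render(schema="analytics", table="orders")


def audit(env: Environment) -> dict:
    """Summarise all checks; a safe configuration yields all True."""
    return {
        "sandboxed": is_sandboxed(env),
        "probe_blocked": probe_is_blocked(env),
        "benign_ok": renders_benign(env) == "select * from ANALYTICS.orders",
    }


if __name__ == "__main__":
    for env in (Environment(), SandboxedEnvironment(), ProjectEnvironment()):
        print(type(env).__name__, audit(env))
```

The plain Environment is the contrast case: it renders the probe without complaint, which is exactly why the advisory's from_string concern only matters when the environment is not sandboxed.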