Mitigate issue #5923 (Prompt injection -> SQL injection in SQLChain) #6051
@boazwasserman @hwchase17 any update on this PR? This is required to resolve a flagged mend vulnerability.
We ended up resolving this issue in a different way, and unfortunately, this fact was not picked up by the various vulnerability databases, so we're in the process of following up on that. The full details of our fix are here but TL;DR:
Thanks for your help and for your patience as we polish up our processes for making our security fixes visible to the security tools used in the community.
Add validation controls to the SQL chain to mitigate SQL injection issues.
Using sqlfluff to perform static analysis:
Some dialects that are supported by langchain are not supported by sqlfluff. It is possible to disallow usage of such dialects as well.
Also fixed the SQL integration tests, which were not working as expected.
Fixes #5923
BTW, looks like there is a huge diff on poetry.lock which doesn't look OK to me, would appreciate any advice on how to resolve it (I was following the instructions found here https://github.com/hwchase17/langchain/blob/master/.github/CONTRIBUTING.md).
Who can review?
@hwchase17