Comments (6)
Yes please @dbeatty10 - I've done my own assessment (https://tempered.works/posts/2024/06/02/handling-cve-2019-8341-for-dbt-and-mkdocs/) but always helpful to get an all-clear and probably useful for others who might be getting pinged by safety as of Saturday!
from dbt-core.
We took an initial look internally, and:
- dbt-core does indeed run Jinja2 sandboxed
- Here in `get_template` is where we load the template using `from_string`, after calling `get_environment`.
We believe the environment we're loading there should always be a subclass of `jinja2.sandbox.SandboxedEnvironment`, but we're going to double-check with one of our engineers.
from dbt-core.
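The point made in the comment above is that templates do arrive through `from_string`, but the environment they are loaded into is always a subclass of `jinja2.sandbox.SandboxedEnvironment`. The following is an added example, not code from dbt-core or the Pallets project, that shows what that sandbox changes and the one-line check a reviewer can apply to an environment object. `ProjectEnvironment`, `is_sandboxed`, `render` and the two sample templates are assumptions constructed for the example.

```python
"""Added example (not dbt-core's code): what SandboxedEnvironment changes for
templates loaded via from_string, plus a check that an environment is sandboxed."""
from typing import Optional

from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment


class ProjectEnvironment(SandboxedEnvironment):
    """Hypothetical stand-in for a project-specific subclass (dbt-core's real
    class is not reproduced here). Subclassing keeps the sandbox behaviour."""


def is_sandboxed(env: Environment) -> bool:
    """The check described in the comment above: whatever a get_environment()-style
    factory returns must be an instance of SandboxedEnvironment."""
    return isinstance(env, SandboxedEnvironment)


def render(env: Environment, source: str, **context) -> Optional[str]:
    """Load a template from a string (as from_string does) and render it.
    Returns None when the sandbox rejects the template at render time."""
    try:
        return env.from_string(source).render(**context)
    except SecurityError:
        return None


# Constructed sample templates. The first is ordinary templating; the second
# reads a double-underscore attribute, which SandboxedEnvironment refuses via
# is_safe_attribute() (attributes starting with an underscore are unsafe).
BENIGN = "Hello, {{ name | upper }}!"
UNDERSCORE_ATTR = "{{ name.__class__.__name__ }}"


def compare_environments() -> dict:
    """Render both sample templates in a plain Environment and in the
    sandboxed subclass, recording the outcome for each."""
    results = {}
    for label, env in (("plain", Environment()), ("sandboxed", ProjectEnvironment())):
        results[label] = {
            "is_sandboxed": is_sandboxed(env),
            "benign": render(env, BENIGN, name="world"),
            "underscore_attr": render(env, UNDERSCORE_ATTR, name="world"),
        }
    return results


if __name__ == "__main__":
    for label, outcome in compare_environments().items():
        print(label, outcome)
```

The benign template renders identically in both environments, so the sandbox costs nothing for ordinary project templates; only the underscore-attribute access is refused, and only when the environment (or any subclass of it) is the sandboxed one. Note that the sandbox is a defence-in-depth layer: the Pallets maintainers' position quoted further down, that templates should not come from untrusted sources in the first place, still applies.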
Yes, we always subclass from SandboxedEnvironment.
from dbt-core.
Thank you @gshank 👍
@brabster I'm going to close this as resolved, but just let us know if you have any outstanding concerns and we can take another look.
from dbt-core.
Thanks for reaching out about this @brabster !
Sounds like you'd just like us to take a look and confirm that dbt-core is not affected by CVE-2019-8341?
Specifically:
- Confirm that dbt-core runs Jinja2 sandboxed
- If not, confirm that dbt-core does not use `from_string`
from dbt-core.
Quoting https://bugzilla.redhat.com/show_bug.cgi?id=1677653#c4
"I'm one of the maintainers of the Pallets projects, including Jinja.
This CVE is a bad joke. It's like claiming eval() in the Python stdlib is insecure because it executes code.
Jinja templates should never be loaded from untrusted sources.
So nothing should be done here, there is literally nothing to be fixed."
from dbt-core.