SQLFluff users with access to the config file, using `library_path`, may call arbitrary Python code
In environments where untrusted users have access to the config files (e.g. `.sqlfluff`), there is a potential security vulnerability: those users could use the `library_path` config value to allow arbitrary Python code to be executed via macros. Jinja macros are executed within a sandboxed environment, but the following example shows how an external URL might be called and used to reveal internal information to an external listener: [sqlfluff:templater:jinja] library_path …
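One way to audit a source tree for config files that set `library_path`, so the setting can be reviewed wherever untrusted users can edit those files. This is an added example, not SQLFluff's own code; the function names and the sample config with its placeholder path are constructed, and scanning only files named `.sqlfluff` is an assumption.

```python
import configparser
import os

# Constructed sample config for illustration; the path value is a placeholder.
SAMPLE_CONFIG = """\
[sqlfluff]
dialect = ansi

[sqlfluff:templater:jinja]
library_path = ./untrusted_libs
"""


def find_library_path(config_text):
    """Return (section, value) pairs for every library_path setting found."""
    # interpolation=None: config values may contain literal '%' characters.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(config_text)
    hits = []
    for section in parser.sections():
        if not section.startswith("sqlfluff"):
            continue
        if parser.has_option(section, "library_path"):
            hits.append((section, parser.get(section, "library_path")))
    return hits


def audit_tree(root, names=(".sqlfluff",)):
    """Walk root and report every matching config file that sets library_path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in names:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    hits = find_library_path(fh.read())
            except (OSError, UnicodeDecodeError, configparser.Error) as exc:
                # A config that cannot be parsed still deserves a manual look.
                findings.append((path, "unreadable", str(exc)))
                continue
            findings.extend((path, sec, val) for sec, val in hits)
    return findings


if __name__ == "__main__":
    for path, section, value in audit_tree("."):
        print(f"{path}: [{section}] library_path = {value}")
```

Run it from the repository root; any line it prints identifies a config file whose `library_path` value should be checked against who is allowed to change that file.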