
[CT-1753] [Bug] Allow using agate 1.7.1 due to serious vulnerability in future #6530

Closed
2 tasks done
piankris opened this issue Jan 5, 2023 · 4 comments
Labels
bug Something isn't working dependencies Changes to the version of dbt dependencies security support_rotation A good task to pick up during support rotation

Comments


piankris commented Jan 5, 2023

Is this a new bug in dbt-core?

  • I believe this is a new bug in dbt-core
  • I have searched the existing issues, and I could not find an existing issue for this bug

Current Behavior

It has recently been found that the future package has a serious vulnerability that can lead to a denial of service (see details here: https://nvd.nist.gov/vuln/detail/CVE-2022-40899). The current version of dbt-core indirectly depends on it. The current version of dbt-core constrains the agate package to "agate>=1.6,<1.7.1", but agate <1.7.1 depends on a version of parsedatetime that in turn depends on future. The future repository has been dead since 2019 (latest release), and parsedatetime dropped the dependency on it: https://github.com/bear/parsedatetime/releases/tag/v2.5. agate reacted to that and updated to version 1.7.1 to use the latest version of parsedatetime without the future dependency: wireservice/agate@52198da.

Please, update your dependency on agate to allow version 1.7.1 and by doing so get rid of the dependency on future.

Expected Behavior

The dependency on agate is updated to allow version 1.7.1.

Steps To Reproduce

.

Relevant log output

No response

Environment

- OS:
- Python:
- dbt:

Which database adapter are you using with dbt?

No response

Additional Context

No response

@piankris piankris added bug Something isn't working triage labels Jan 5, 2023
@github-actions github-actions bot changed the title [Bug] Allow using agate 1.7.1 due to serious vulnerability in future [CT-1753] [Bug] Allow using agate 1.7.1 due to serious vulnerability in future Jan 5, 2023
@jtcohen6 jtcohen6 added dependencies Changes to the version of dbt dependencies security and removed triage labels Jan 5, 2023
Contributor

jtcohen6 commented Jan 5, 2023

@piankris Thanks for flagging this. It looks like we have an automated PR already open to bump the upper bound: #6522

By merging to main, we would be set up to include that in the next minor version release v1.4. We should take a look at the vulnerability to understand if we should also backport this version bump to older releases (v1.0-1.3), and put out new patch releases accordingly.

(We have the upper bound in place because, historically, new patch releases of agate have resulted in unexpected breaking changes for dbt-core users.)

Contributor

jtcohen6 commented Jan 5, 2023

@colin-rogers-dbt makes a fair point: we should just change this to a fixed version pin (==) for clarity. agate doesn't update often, and the two recent patches were just for Python version compatibility + this security vulnerability.

Potentially worth revisiting ripping out agate entirely (#3413).

Plan: Let's merge this PR as is, backport it if the vulnerability warrants it, and then consider a new PR to pin (==) agate going forward.

@jtcohen6 jtcohen6 added the support_rotation A good task to pick up during support rotation label Jan 5, 2023
@jtcohen6
Contributor

We've updated to supporting newer patch releases of agate:

"agate~=1.7.0",

That will be included in v1.6

@skupr-anaconda

@jtcohen6 You can safely bump the upper bound of agate to <1.7.2 because version 1.7.1 has a minimum of changes (wireservice/agate@1.7.0...1.7.1), but it fixes the parsedatetime pinning.
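The thread turns on how three constraint styles behave: the original `agate>=1.6,<1.7.1` (which excludes the fixed 1.7.1), the compatible-release `agate~=1.7.0` that dbt-core moved to, and the `==` pin that was considered. The script below is an added illustration, not code from dbt-core, agate or any commenter. It implements a deliberately simplified PEP 440 specifier check (plain numeric releases only; no pre-releases, wildcards or local versions) and walks a constructed, hypothetical package index whose entries and requirement strings are assumptions chosen only to mirror the shape of the problem (agate <1.7.1 pulling in a parsedatetime that requires future; agate 1.7.1 requiring a parsedatetime that does not). The real projects' metadata is not reproduced here.

```python
"""Simplified PEP 440 specifier evaluation plus a greedy transitive walk over a
constructed package index, to show which agate constraints still pull in
`future`.  Added example; the index below is hypothetical, not real metadata."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Parse a dotted numeric release such as '1.7.1' into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))


def _cmp(a: Version, b: Version) -> int:
    """Three-way compare after zero-padding, so (1, 7) == (1, 7, 0)."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def satisfies(version: str, specifier: str) -> bool:
    """True if `version` matches every comma-separated clause in `specifier`.

    Supports ==, !=, >=, <=, >, < and the compatible-release operator ~=.
    '~=1.7.0' means '>=1.7.0, <1.8': drop the last component and bump the
    one before it.  An empty specifier matches everything.
    """
    v = parse_version(version)
    tests = {"==": lambda c: c == 0, "!=": lambda c: c != 0,
             ">=": lambda c: c >= 0, "<=": lambda c: c <= 0,
             ">": lambda c: c > 0, "<": lambda c: c < 0}
    for clause in specifier.split(","):
        clause = clause.strip()
        if not clause:
            continue
        for op in ("~=", "==", "!=", ">=", "<=", ">", "<"):
            if clause.startswith(op):
                target = parse_version(clause[len(op):])
                break
        else:
            raise ValueError(f"unsupported clause: {clause!r}")
        if op == "~=":
            if len(target) < 2:
                raise ValueError("~= needs at least two release components")
            upper = target[:-2] + (target[-2] + 1,)
            ok = _cmp(v, target) >= 0 and _cmp(v, upper) < 0
        else:
            ok = tests[op](_cmp(v, target))
        if not ok:
            return False
    return True


# Hypothetical index: package -> version -> requirement strings.  Constructed
# for illustration only; it is NOT the real agate/parsedatetime metadata.
INDEX: Dict[str, Dict[str, List[str]]] = {
    "agate": {
        "1.6.3": ["parsedatetime>=2.1,<2.5"],
        "1.7.0": ["parsedatetime>=2.1,<2.5"],
        "1.7.1": ["parsedatetime>=2.6"],
    },
    "parsedatetime": {"2.4": ["future"], "2.6": []},
    "future": {"0.18.2": []},
}


def split_requirement(req: str) -> Tuple[str, str]:
    """'parsedatetime>=2.6' -> ('parsedatetime', '>=2.6'); bare name -> ''."""
    m = re.match(r"^([A-Za-z0-9_.\-]+)\s*(.*)$", req.strip())
    if not m:
        raise ValueError(f"malformed requirement: {req!r}")
    return m.group(1), m.group(2).strip()


def pick_highest(package: str, specifier: str) -> str:
    """Highest version in INDEX that satisfies the specifier (pip-like choice)."""
    candidates = [v for v in INDEX[package] if satisfies(v, specifier)]
    if not candidates:
        raise LookupError(f"no version of {package} satisfies {specifier!r}")
    return max(candidates, key=parse_version)


def resolve(package: str, specifier: str,
            resolved: Dict[str, str] = None) -> Dict[str, str]:
    """Greedy transitive resolution: highest allowed version, recursively."""
    resolved = {} if resolved is None else resolved
    version = pick_highest(package, specifier)
    resolved[package] = version
    for req in INDEX[package][version]:
        name, spec = split_requirement(req)
        if name not in resolved:
            resolve(name, spec, resolved)
    return resolved


def pulls_in(package: str, specifier: str, target: str = "future") -> bool:
    """Does constraining `package` by `specifier` bring `target` into the tree?"""
    return target in resolve(package, specifier)


if __name__ == "__main__":
    for spec in (">=1.6,<1.7.1", "~=1.7.0", "==1.7.1", "<1.7.2"):
        print(f"agate{spec:<14} -> {resolve('agate', spec)}")
```

Under the constructed index, `>=1.6,<1.7.1` resolves agate to 1.7.0 and drags in future via parsedatetime 2.4, while `~=1.7.0`, `==1.7.1` and `<1.7.2` all select 1.7.1 and leave future out. The `~=` branch is the one worth reading closely: `~=1.7.0` admits 1.7.2 but rejects 1.8.0, which is exactly the "newer patch releases only" intent behind the change to `agate~=1.7.0`.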


3 participants