PT-2023-25720 · Sqlfluff

Dan Amodio · Published 2023-07-06 · Updated 2023-07-13 · CVE-2023-36830

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SQLFluff versions prior to 2.1.2

Description: In environments where untrusted users have access to the config files, there is a potential security issue where those users could use the library path config value to cause arbitrary Python code to be executed via macros. This may not be an issue for users who already hold escalated privileges, but it could be a problem in larger user bases or where SQLFluff is bundled into another tool. The library path argument can be used to execute arbitrary Python code, and an example of how an external URL might be called to reveal internal information is provided.

Recommendations: For versions prior to 2.1.2, use the option --library-path none when invoking SQLFluff to disable the library-path option entirely. As a temporary workaround, limit access to configuration files, or validate them before they are ingested by SQLFluff. For version 2.1.2 and later, no additional action is required, as the --library-path option can be used to override any values provided in the config files.
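The "validate configuration files before they are ingested" workaround above can be automated. The following is an added example written for this page; it is not code from the advisory or from the SQLFluff project. It assumes SQLFluff's INI-style config layout, in which the jinja templater is configured under a `[sqlfluff:templater:jinja]` section with a `library_path` key (section and key names are assumptions here, since the page does not show them), and it builds the `--library-path none` invocation the advisory recommends. The sample config texts are constructed.

```python
"""Pre-ingestion check for SQLFluff config files (added example).

Assumptions not stated on the advisory page:
  - config files (.sqlfluff, setup.cfg, tox.ini) are INI-style,
  - the jinja templater section is [sqlfluff:templater:jinja],
  - the key that points at a directory of Python macros is library_path.
"""
import configparser
from pathlib import Path
from typing import Dict, Iterable, List, Optional

JINJA_SECTION = "sqlfluff:templater:jinja"  # assumed section name
LIBRARY_KEY = "library_path"                # assumed key name

# Constructed sample configs: one without a library path, one with.
BENIGN_CONFIG = """
[sqlfluff]
dialect = ansi

[sqlfluff:templater:jinja]
apply_dbt_builtins = False
"""

RISKY_CONFIG = """
[sqlfluff]
dialect = ansi

[sqlfluff:templater:jinja]
library_path = ./macros
"""


def find_library_path(config_text: str) -> Optional[str]:
    """Return the library_path value a config sets, or None.

    A literal value of "none" is treated as "not set", matching the
    advisory's --library-path none semantics.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    if not parser.has_section(JINJA_SECTION):
        return None
    value = parser.get(JINJA_SECTION, LIBRARY_KEY, fallback=None)
    if value is None or value.strip().lower() == "none":
        return None
    return value.strip()


def audit_config_texts(named_texts: Dict[str, str]) -> Dict[str, str]:
    """Map each config name to its library_path when one is set.

    An empty result means no config tries to load Python macros, so the
    files are safe to hand to SQLFluff under the advisory's workaround.
    """
    findings: Dict[str, str] = {}
    for name, text in named_texts.items():
        found = find_library_path(text)
        if found is not None:
            findings[name] = found
    return findings


def audit_config_files(paths: Iterable[str]) -> Dict[str, str]:
    """Same check, reading real files from disk."""
    texts = {str(p): Path(p).read_text(encoding="utf-8") for p in paths}
    return audit_config_texts(texts)


def safe_lint_command(target: str) -> List[str]:
    """argv for `sqlfluff lint` with the library path disabled.

    Per the advisory, --library-path none disables the option entirely
    on versions before 2.1.2, and from 2.1.2 the CLI flag overrides any
    config-file value, so passing it explicitly is safe on both.
    """
    return ["sqlfluff", "lint", "--library-path", "none", target]


if __name__ == "__main__":
    report = audit_config_texts({"benign": BENIGN_CONFIG, "risky": RISKY_CONFIG})
    for name, path in report.items():
        print(f"{name}: library_path={path!r} (review before ingesting)")
    print(" ".join(safe_lint_command("models/")))
```

In a CI job, run `audit_config_files` over every `.sqlfluff`, `setup.cfg` and `tox.ini` that an untrusted contributor can modify, and fail the job (or fall back to `safe_lint_command`) whenever it returns a non-empty result.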

Weakness Enumeration

Special Elements Injection

Related Identifiers

CVE-2023-36830
GHSA-JQHC-M2J3-FJRX
PYSEC-2023-111

Affected Products

Debian
Sqlfluff