Vulnerability	Vulnerable Version
M Arbitrary Code Execution sqlfluff is a The SQL Linter for Humans Affected versions of this package are vulnerable to Arbitrary Code Execution. In environments where untrusted users have access to the config files (e.g. `.sqlfluff`), there is a potential security vulnerability where those users could use the `library_path` config value to allow arbitrary python code to be executed via macros. Note: For many users who use SQLFluff in the context of an environment where all users already have fairly escalated privileges, this may not be an issue - however in larger user bases, or where SQLFluff is bundled into another tool where developers still wish to give users access to supply their on rule configuration, this may be an issue. How to fix Arbitrary Code Execution? Upgrade `sqlfluff` to version 2.1.2 or higher.	[,2.1.2)

Arbitrary Code Execution

sqlfluff is a The SQL Linter for Humans

Affected versions of this package are vulnerable to Arbitrary Code Execution. In environments where untrusted users have access to the config files (e.g. .sqlfluff), there is a potential security vulnerability where those users could use the library_path config value to allow arbitrary python code to be executed via macros.

Note:

For many users who use SQLFluff in the context of an environment where all users already have fairly escalated privileges, this may not be an issue - however in larger user bases, or where SQLFluff is bundled into another tool where developers still wish to give users access to supply their on rule configuration, this may be an issue.

How to fix Arbitrary Code Execution?

Upgrade sqlfluff to version 2.1.2 or higher.

[,2.1.2)

Go back to all versions of this package