
superset 4.0.1 uses sqlparse 0.4.4 with two high CVE findings => update to 0.5.0

Open nigzak opened this issue 1 year ago • 1 comments

Bug description

Superset uses a sqlparse version that has two high CVE findings: GHSA-2m57-hf25-phgg / CVE-2024-4340.

An update to 0.5.0 (or newer) should be made.

How to reproduce the bug

Download the 4.0.1 image from Docker Hub and scan the image.

Screenshots/recordings

No response

Superset version

4.0.1

Python version

3.9

Node version

16

Browser

Chrome

Additional context

No response

Checklist

  • [X] I have searched Superset docs and Slack and didn't find a solution to my problem.
  • [X] I have searched the GitHub issue tracker and didn't find a similar bug report.
  • [X] I have checked Superset's logs for errors and if I found a relevant Python stacktrace, I included it here as text in the "additional context" section.

nigzak avatar May 21 '24 12:05 nigzak

To address the vulnerabilities GHSA-2m57-hf25-phgg and CVE-2024-4340 in sqlparse version 0.4.4 used by Superset version 4.0.1, you can update sqlparse to version 0.5.0 or newer. Here are the steps to update the dependency and ensure your Superset installation is secure:

Steps to Update sqlparse Dependency

  1. Update requirements.txt or setup.py:

    • If you are using requirements.txt, update the file to specify the new version of sqlparse:
      sqlparse>=0.5.0
      
    • If you are using setup.py, update the install_requires section:
      install_requires=[
          'sqlparse>=0.5.0',
          # other dependencies
      ]
      
  2. Reinstall Dependencies:

    • After updating the version, reinstall the dependencies to ensure that the new version of sqlparse is used:
      pip install -r requirements.txt
      # or if using setup.py
      pip install .
      
  3. Verify the Update:

    • Ensure that the correct version of sqlparse is installed by running:
      pip show sqlparse
      
    • The output should show Version: 0.5.0 or newer.

Running Tests to Ensure Compatibility

To ensure that all functionalities work correctly after updating the dependency, you should run the full test suite. Here is how you can do it:

  1. Using GitHub Actions Workflow:

    • The Superset repository includes GitHub Actions workflows that run tests on different environments. You can trigger these workflows by pushing your changes to a branch or creating a pull request.
  2. Using Utility Script:

    • Alternatively, you can use the utility script provided in the scripts/tests/ directory to run tests locally. Here are some examples:
      • Run all tests:
        scripts/tests/run.sh
        
      • Run a single test module:
        scripts/tests/run.sh --module tests/charts/api_tests.py
        

Known Issues and Workarounds

There is a known issue related to sqlparse version 0.5.0 or newer, documented as a workaround in the Superset codebase:

import sqlparse
from sqlparse import keywords
from sqlparse.lexer import Lexer

# TODO: Workaround for https://github.com/andialbrecht/sqlparse/issues/652.
# configure the Lexer to extend sqlparse
# reference: https://sqlparse.readthedocs.io/en/stable/extending/
lex = Lexer.get_default_instance()
# keywords.SQL_REGEX is the module-level rule list; it is mutated in place, so run this once at import time.
sqlparser_sql_regex = keywords.SQL_REGEX
# Extra single-quoted string rule (accepts '', backslashes and any non-quote character), inserted at position 25 of the default rule list.
sqlparser_sql_regex.insert(25, (r"'(''|\\\\|\\|[^'])*'", sqlparse.tokens.String.Single))
lex.set_SQL_REGEX(sqlparser_sql_regex)

This workaround is implemented to address a bug in sqlparse.

By following these steps, you can update sqlparse to version 0.5.0 or newer in Superset version 4.0.1, addressing the specified vulnerabilities. Be sure to run the full test suite to verify that all functionalities work correctly after the update.


dosubot[bot] avatar May 21 '24 12:05 dosubot[bot]
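As an added example (not Superset's or Dosu's code) that covers both the image-scan finding in the issue and the pin-and-verify steps in the reply above: a small Python audit that compares pip freeze output and requirements.txt pins against the sqlparse advisory. The advisory table copies the identifiers and fix version stated in this thread; the package listing is a constructed sample, not output from a real image scan; and the version comparison is a deliberately small one (numeric release segment plus pre-release ordering), not the full PEP 440 logic of the packaging library.

```python
"""Audit a pip freeze listing and requirement pins against the sqlparse advisory.

Added example for this issue thread; not Superset's or Dosu's code.  The
advisory table copies the identifiers and fix version from the thread; the
package listing is a constructed sample.
"""
import re

# Package -> first fixed version and the advisory identifiers named in the issue.
ADVISORIES = {
    "sqlparse": {"fixed_in": "0.5.0", "ids": ("GHSA-2m57-hf25-phgg", "CVE-2024-4340")},
}

# Constructed sample resembling `pip freeze` output inside the 4.0.1 image.
FREEZE_SAMPLE = """\
apache-superset==4.0.1
Flask==2.3.3
sqlparse==0.4.4
"""

_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)(.*)$")
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*?)\s*(?:#.*)?$")


def normalize_name(name):
    """PEP 503 style normalisation so 'SQLParse' and 'sqlparse' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text):
    """Return a sortable key for a release version string.

    Only the numeric release segment is compared; trailing zeros are dropped
    so '0.5' == '0.5.0'.  A pre-release suffix (rc1, a1, b2, .dev0) sorts
    before the final release, so '0.5.0rc1' is still treated as vulnerable.
    Post-releases and local labels (.post1, +build) count as the final release.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    release = [int(p) for p in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:
        release.pop()
    suffix = m.group(2)
    is_final = 0 if suffix and not suffix.startswith((".post", "+")) else 1
    return (tuple(release), is_final)


def parse_freeze(text):
    """Map normalised package names to installed versions from `pip freeze` lines."""
    installed = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" not in line:
            continue  # editable installs, VCS URLs and blank lines are skipped
        name, version = line.split("==", 1)
        installed[normalize_name(name)] = version.strip()
    return installed


def audit(freeze_text, advisories=ADVISORIES):
    """Return one finding per installed package that is below its fixed version."""
    findings = []
    for name, version in parse_freeze(freeze_text).items():
        adv = advisories.get(name)
        if adv and parse_version(version) < parse_version(adv["fixed_in"]):
            findings.append({"package": name, "installed": version,
                             "fixed_in": adv["fixed_in"], "ids": adv["ids"]})
    return findings


def requirement_is_safe(req_line, advisories=ADVISORIES):
    """True if a requirements.txt line cannot resolve to an affected version.

    A pin is accepted only when it carries a lower bound (==, >=, >, ~=) at
    or above the fixed version.  An unpinned name or an upper bound alone is
    rejected, because pip could still resolve it to 0.4.4.
    """
    m = _REQ_RE.match(req_line)
    if not m:
        return False
    name, spec = normalize_name(m.group(1)), m.group(2)
    adv = advisories.get(name)
    if adv is None:
        return True  # no advisory for this package
    fixed = parse_version(adv["fixed_in"])
    spec = spec.split(";", 1)[0]  # drop environment markers such as python_version
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        op = re.match(r"(===|==|>=|>|~=)", clause)
        if op and parse_version(clause[len(op.group(1)):]) >= fixed:
            return True
    return False


if __name__ == "__main__":
    for f in audit(FREEZE_SAMPLE):
        print(f"{f['package']}=={f['installed']} is affected by {', '.join(f['ids'])}; "
              f"fixed in {f['fixed_in']}")
    for line in ("sqlparse>=0.5.0", "sqlparse==0.4.4", "sqlparse"):
        print(f"{line!r}: {'ok' if requirement_is_safe(line) else 'still vulnerable'}")
```

In practice the freeze text comes from running pip freeze inside the image (for example via docker run with the image's Python), and the requirement lines from the project's own pin files; the audit is only as good as the advisory table, so keep that fed from a real vulnerability feed rather than by hand.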

Thank you for posting this issue. sqlparse was bumped to 0.5.0 on https://github.com/apache/superset/pull/28144

dpgaspar avatar May 23 '24 09:05 dpgaspar