Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MAINT DuckDB Version upgrade #567

Open
lesydimitri opened this issue Nov 18, 2024 · 3 comments
Open

MAINT DuckDB Version upgrade #567

lesydimitri opened this issue Nov 18, 2024 · 3 comments
Assignees
@romanlutz

Comments

@lesydimitri
Copy link

Hi!

In my current workflow, I occasionally export PyRIT's results to Excel files. However, when using Python 3.12, my script that converts DuckDB entries to Excel in PyRIT silently crashed.

Upon investigating, I noticed that the project is locked to DuckDB version 0.10.0 in the pyproject.toml file.

Is there a specific reason for using this version? Running my conversion script with DuckDB 1.1.3 no longer crashes Python 3.12 and doesn't appear to affect PyRIT.
@romanlutz
Copy link
Contributor

Interesting! Thanks for raising this. I hadn't noticed that we're pinning this. I'm working through a bunch of issues before our next release, so I can look into upgrading to duckdb>=1.0.0 which is probably the difference between the failures and the working state that you're observing post-v1. I suspect this will require a few changes, though, since upgrades of the major version usually have breaking changes.

@romanlutz romanlutz changed the title DuckDB Version MAINT DuckDB Version upgrade Nov 19, 2024
@romanlutz romanlutz self-assigned this Nov 19, 2024
@romanlutz romanlutz mentioned this issue Dec 16, 2024
Open
@afogel
Copy link

afogel commented Feb 12, 2025
edited
Loading

hi @romanlutz , I was alerted to a high severity security issue with duckdb <1.1.0:

CVE Link: GHSA-w2gf-jxc9-pf2q

Description:
DuckDB is a SQL database management system. In versions 1.0.0 and prior, content in filesystem is accessible for reading using sniff_csv, even with enable_external_access=false. This vulnerability provides an attacker with access to filesystem even when access is expected to be disabled and other similar functions do NOT provide access. There seem to be two vectors to this vulnerability. First, access to files that should otherwise not be allowed. Second, the content from a file can be read (e.g. /etc/hosts, proc/self/environ, etc) even though that doesn't seem to be the intent of the sniff_csv function. A fix for this issue is available in commit c9b7c98aa0e1cd7363fe8bb8543a95f38e980d8a and is expected to be part of version 1.1.0.

This vulnerability is introduced by the direct library [email protected], which brings in the issue through its dependencies:
[email protected] -> [email protected] -> [email protected]
[email protected] -> [email protected]

Is fix available? Yes, this issue was fixed in version 1.1.0

Severity: HIGH

@romanlutz
Copy link
Contributor

romanlutz commented Feb 13, 2025
edited
Loading

#712 is addressing this

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@romanlutz romanlutz

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@lesydimitri @afogel @romanlutz