CVE in orjson < 3.9.15 and orjson pinned to <=3.9.10 in dlt #1009

Open
b-per opened this issue Feb 27, 2024 · 1 comment · May be fixed by #1501
b-per (Contributor) commented Feb 27, 2024

dlt version

0.4.4

Describe the problem

"orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents" (dependabot link)

But dlt 0.4.4 pins orjson to "<=3.9.10" so we can't upgrade orjson to the fix

Expected behavior

dlt doesn't pin orjson to "<=3.9.10" and we can update orjson to the new version with the fix

Steps to reproduce

N/A

Operating system

macOS

Runtime environment

Local

Python version

3.11

dlt data source

No response

dlt destination

No response

Other deployment details

No response

Additional information

No response

@sh-rp sh-rp self-assigned this Feb 27, 2024
rudolfix (Collaborator) commented Feb 27, 2024

@b-per we limit the version because there's a buffer overrun bug introduced to orjson that makes bigger loads segfault, and it is probably exploitable.
The CVE looks more like DDoS; a stack overflow should not be easily exploitable, so we will probably keep it until they really fix the above.
The PR log does not look promising (already 3 PRs have failed to fix the bug):

we can go back to simplejson which is still available:
https://dlthub.com/docs/reference/performance#use-built-in-json-parser
just uninstall orjson for that to happen
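The thread leaves a user of dlt 0.4.4 with two facts: the pinned orjson has no recursion limit in `orjson.loads`, and the stdlib/simplejson fallback is the alternative. Either way, the nesting-depth problem can be handled before any parser is involved. The example below is added here and is not dlt's or orjson's code: it scans the raw JSON text iteratively (so it cannot itself recurse), rejects documents nested deeper than a policy limit, and only then calls the standard-library parser. It also shows that the stdlib parser fails on deep nesting with a catchable `RecursionError` rather than unbounded recursion. `MAX_DEPTH`, `NestingTooDeep`, `safe_loads` and the sample documents are assumptions of this example, not values from the advisory or from dlt.

```python
"""Bound JSON nesting depth before handing a document to any parser.

Added example (not dlt's or orjson's code). Standard library only.
"""
import json

# Assumed policy limit for this example; pick one that fits your data.
MAX_DEPTH = 256


class NestingTooDeep(ValueError):
    """Raised by the pre-check when the document exceeds the depth limit."""


def nesting_depth(doc, limit=MAX_DEPTH):
    """Return the maximum [ / { nesting depth of a JSON text.

    The scan is a single iterative pass over the characters, so it uses
    O(1) stack regardless of input. String literals are tracked (with
    backslash escapes) so brackets inside strings are not counted.
    Raises NestingTooDeep as soon as `limit` is exceeded, and ValueError
    on a closing bracket with no matching opener.
    """
    if isinstance(doc, bytes):
        doc = doc.decode("utf-8")
    depth = 0
    max_depth = 0
    in_string = False
    escaped = False
    for ch in doc:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > limit:
                raise NestingTooDeep(f"JSON nesting exceeds {limit} levels")
            if depth > max_depth:
                max_depth = depth
        elif ch in "]}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced JSON brackets")
    return max_depth


def safe_loads(doc, limit=MAX_DEPTH):
    """Reject pathological nesting first, then parse with the stdlib."""
    nesting_depth(doc, limit)
    return json.loads(doc)


def classify(doc, limit=MAX_DEPTH):
    """'ok', 'rejected' (depth pre-check fired) or 'invalid' (bad JSON)."""
    try:
        safe_loads(doc, limit)
        return "ok"
    except NestingTooDeep:
        return "rejected"
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return "invalid"


def stdlib_outcome(doc):
    """What json.loads does *without* the pre-check: deep nesting ends in
    a RecursionError (a catchable Python exception), not a crash."""
    try:
        json.loads(doc)
        return "ok"
    except RecursionError:
        return "recursion_error"


# Constructed sample inputs (not from the issue).
NORMAL_DOC = '{"a": [1, 2, {"b": "[[[["}]}'        # real depth 3; brackets in string ignored
DEEP_DOC = "[" * 5000 + "]" * 5000                  # 5000 levels, far past MAX_DEPTH
TRUNCATED_DOC = '{"a": [1,'                         # syntactically invalid

if __name__ == "__main__":
    for name, doc in [("normal", NORMAL_DOC), ("deep", DEEP_DOC), ("truncated", TRUNCATED_DOC)]:
        print(name, classify(doc))
    print("stdlib without pre-check on deep doc:", stdlib_outcome(DEEP_DOC))
```

The pre-check is parser-agnostic, so it protects a pipeline whether orjson, simplejson or the stdlib is doing the actual decode; the cost is one extra linear pass over the input, which is negligible next to parsing.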
