
CVE-2022-34749 through nbconvert

Open nico525 opened this issue 2 years ago • 3 comments

Currently, there is CVE-2022-34749 which is popping up in my trivy check on the image running dagit 1.0.1. This is due to dagit requiring nbconvert which imports an old mistune version: https://github.com/dagster-io/dagster/blob/d8612490271eac50d1fd7d494b6d95727186e8f6/python_modules/dagit/setup.py#L54

Can we make the notebook download endpoint and subsequently the nbconvert requirement an optional/extra requirement?

nico525 avatar Aug 07 '22 16:08 nico525

Ideally nbconvert updates to a newer version of mistune, but until then making nbconvert an extra requirement sounds reasonable to me.

Thoughts @alangenfeld ?

clairelin135 avatar Aug 09 '22 01:08 clairelin135

It could be done. We would need to make sure that the webapp degrades gracefully in its absence and ideally points a user in the right direction if the feature is engaged with without the extra installed.

alangenfeld avatar Aug 09 '22 02:08 alangenfeld
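The graceful-degradation behaviour described above, as an added example that is not code from the dagster project: the optional dependency is imported lazily at the point of use, a missing module becomes an `ImportError` subclass whose message names the extra to install, and the endpoint wrapper turns that into a clear non-500 response instead of crashing. The extra name `notebook`, the distribution name `dagit` in the install hint, and the handler shape are assumptions for illustration.

```python
import importlib
import importlib.util
from types import ModuleType

# Assumed extra name and distribution; what setup.py would carry under
# extras_require if nbconvert is moved out of install_requires (hypothetical).
DIST_NAME = "dagit"
NOTEBOOK_EXTRA = "notebook"
EXTRAS_REQUIRE = {NOTEBOOK_EXTRA: ["nbconvert"]}


class MissingOptionalDependency(ImportError):
    """Raised when a feature is used without its optional extra installed."""


def require_optional(module_name: str, extra: str = NOTEBOOK_EXTRA,
                     dist: str = DIST_NAME) -> ModuleType:
    """Import an optional dependency only when the feature is actually used.

    Returns the module if present; otherwise raises MissingOptionalDependency
    with an install hint, so the web app keeps working without the extra and
    the user is pointed in the right direction.
    """
    try:
        return importlib.import_module(module_name)
    except ImportError as exc:
        raise MissingOptionalDependency(
            f"{module_name!r} is required for this feature but is not installed. "
            f"Install it with: pip install '{dist}[{extra}]'"
        ) from exc


def notebook_export_available() -> bool:
    """Cheap probe the UI can call before offering the download link at all."""
    return importlib.util.find_spec("nbconvert") is not None


def export_notebook_html(ipynb_path: str) -> str:
    """Render a notebook to HTML; nbconvert is touched only inside this call."""
    nbconvert = require_optional("nbconvert")
    exporter = nbconvert.HTMLExporter()
    body, _resources = exporter.from_filename(ipynb_path)
    return body


def handle_notebook_download(ipynb_path: str):
    """Endpoint-style wrapper returning (status_code, body).

    A missing extra yields 501 with the install hint rather than a traceback.
    """
    try:
        return 200, export_notebook_html(ipynb_path)
    except MissingOptionalDependency as exc:
        return 501, str(exc)


if __name__ == "__main__":
    print("nbconvert available:", notebook_export_available())
    status, body = handle_notebook_download("example.ipynb")
    print(status, body[:120])
```

Because the import happens inside `export_notebook_html`, the rest of the package imports cleanly when nbconvert (and its mistune pin) is absent, which is what lets the dependency be dropped from the base install without breaking the web app.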

I fully agree with @clairelin135, but it appears the next release of nbconvert which bumps mistune will also be a new major release and therefore might be breaking some of the code logic. If it wasn't critical, I wouldn't be too concerned, but most enterprise pipelines are configured to stop if a critical CVE is found.

nico525 avatar Aug 09 '22 20:08 nico525

A separate reason to make nbconvert an extras requirement: the latest major version requires a jinja version that's incompatible with dbt.

https://dagster.slack.com/archives/C01U5LFUZJS/p1660724879367519

sryza avatar Aug 17 '22 15:08 sryza

I will take on this issue

clairelin135 avatar Aug 18 '22 18:08 clairelin135