In deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious long query to any application using the parser to trigger a Denial of Service through resource exhaustion.
In deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious query with deliberate excessive nesting to any application using the parser to trigger a Denial of Service through resource exhaustion.
In environments where untrusted users have access to the config files (e.g. .sqlfluff), there is a potential security vulnerability where those users could use the library_path config value to allow arbitrary python code to be executed via macros. Jinja macros are executed within a sandboxed environment but the following example shows how an external url might be called and used to reveal internal information to an external listener: [sqlfluff:templater:jinja] library_path …