klesh opened a new issue, #8970:
URL: https://github.com/apache/devlake/issues/8970

# Title: Deprecate and Remove the `dbt` Plugin from Backend Components

## Description
Following an internal review of the project's attack surface and current deployment guidelines (per our Authentication and Security Model Documentation), we are identifying legacy or high-risk components that do not align with baseline security hardening expectations.

Specifically, the architecture of the `dbt` plugin relies on handling external user-supplied configurations (such as repository targets and execution parameters) and passing them to external command-line interfaces (`git` and `dbt`). While the system is explicitly designed for trusted, single-operator deployments, this design exposes the server to unexpected Server-Side Request Forgery (SSRF) and external CLI argument manipulation.

Rather than maintaining complex input-filtering rules and input validation for a changing command-line surface area, we are opting to completely deprecate and remove the `dbt` plugin from the backend codebase.

## Scope of Work
* **Remove Plugin Package:** Delete the `dbt` plugin source code and task registrations from the backend plugin engine.
* **Clean Task Definitions:** Strip out any references to `DbtOptions` or related structs across pipeline and blueprint configurations.
* **Database Schema Cleanup:** Provide a migration script to safely clean up or migrate legacy configuration tables associated with the plugin.
* **UI/Documentation Updates:** Remove options for configuring `dbt` tasks from the `config-ui` interface and remove corresponding guides from user manuals.

## Acceptance Criteria
* The backend builds successfully without compiling or referencing the `dbt` package.
* Any existing blueprints referencing `dbt` components fail safely or skip the step with a proper deprecation notice.
* No regressions are introduced to other core backend plugins or connection management APIs.
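For readers weighing the alternative the issue rejects (maintaining input validation in front of the `git` call), the following added Go example, which is not DevLake's code, shows what the minimum hardening looks like: an operator-managed host allowlist plus a `--` separator so a user-supplied target can never be parsed as an option. The `allowedHosts`, `ValidateRepoTarget` and `BuildCloneArgs` names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os/exec"
	"strings"
)

// Hypothetical operator-managed allowlist of hosts the service may clone from.
// Rejecting everything else is what keeps a repository target from becoming an SSRF vector.
var allowedHosts = map[string]bool{"github.com": true}

// ValidateRepoTarget accepts only an https URL, without embedded credentials,
// pointing at an allowlisted host, and returns its canonical form.
func ValidateRepoTarget(raw string) (string, error) {
	if strings.HasPrefix(raw, "-") {
		return "", errors.New("repository target must not look like a command-line option")
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" {
		return "", fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return "", errors.New("credentials embedded in repository URL are not allowed")
	}
	if !allowedHosts[u.Hostname()] {
		return "", fmt.Errorf("host %q is not in the allowlist", u.Hostname())
	}
	return u.String(), nil
}

// BuildCloneArgs builds argv for git with "--" before positional arguments,
// so neither the target nor the destination is ever interpreted as an option.
func BuildCloneArgs(target, dest string) ([]string, error) {
	t, err := ValidateRepoTarget(target)
	if err != nil {
		return nil, err
	}
	return []string{"clone", "--depth", "1", "--", t, dest}, nil
}

func main() {
	args, err := BuildCloneArgs("https://github.com/example/repo.git", "/tmp/repo")
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Println(exec.Command("git", args...).String()) // argv is passed directly, no shell
}
```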

