klesh opened a new issue, #8970: URL: https://github.com/apache/devlake/issues/8970
# Title: Deprecate and Remove the `dbt` Plugin from Backend Components

## Description

Following an internal review of the project's attack surface and current deployment guidelines (per our Authentication and Security Model Documentation), we are identifying legacy or high-risk components that do not align with baseline security hardening expectations.

Specifically, the architecture of the `dbt` plugin relies on handling external user-supplied configurations (such as repository targets and execution parameters) and passing them to external command-line interfaces (`git` and `dbt`). While the system is explicitly designed for trusted, single-operator deployments, this design exposes the server to unexpected Server-Side Request Forgery (SSRF) and external CLI argument manipulation.

Rather than maintaining complex input-filtering rules and input validation for a changing command-line surface area, we are opting to completely deprecate and remove the `dbt` plugin from the backend codebase.

## Scope of Work

* **Remove Plugin Package:** Delete the `dbt` plugin source code and task registrations from the backend plugin engine.
* **Clean Task Definitions:** Strip out any references to `DbtOptions` or related structs across pipeline and blueprint configurations.
* **Database Schema Cleanup:** Provide a migration script to safely clean up or migrate legacy configuration tables associated with the plugin.
* **UI/Documentation Updates:** Remove options for configuring `dbt` tasks from the `config-ui` interface and remove corresponding guides from user manuals.

## Acceptance Criteria

* The backend builds successfully without compiling or referencing the `dbt` package.
* Any existing blueprints referencing `dbt` components fail safely or skip the step with a proper deprecation notice.
* No regressions are introduced to other core backend plugins or connection management APIs.

--
This is an automated message from the Apache Git Service.
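The acceptance criteria ask that blueprints still naming the removed `dbt` plugin "fail safely or skip the step with a proper deprecation notice" rather than reaching a task that no longer exists. The Go sketch below is an added illustration of that guard, written for this page; it is not DevLake's own dispatcher code. The `PipelineTask`, `TaskResult` and `deprecatedPlugins` names, the `DispatchTasks` function and its `failFast` switch are all assumptions made for the example, and the sample plan is constructed inline.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrDeprecatedPlugin is returned when a pipeline task names a plugin that
// has been removed from the backend (hypothetical sentinel for this example).
var ErrDeprecatedPlugin = errors.New("plugin is deprecated and has been removed")

// deprecatedPlugins maps removed plugin names to the notice shown to the
// operator. Assumed lookup table; the real project would keep this elsewhere.
var deprecatedPlugins = map[string]string{
	"dbt": "the dbt plugin was removed because it passed user-supplied " +
		"configuration to external CLIs (git, dbt); delete this task from the blueprint",
}

// PipelineTask is a constructed stand-in for one task entry in a blueprint:
// the plugin name plus whatever options the blueprint carried for it.
type PipelineTask struct {
	Plugin  string
	Options map[string]interface{}
}

// TaskResult records what the dispatcher decided for a single task.
type TaskResult struct {
	Plugin  string
	Skipped bool   // true when the task was skipped as deprecated
	Notice  string // deprecation notice surfaced to the operator, if any
}

// DispatchTasks walks a plan and never hands a deprecated task to an executor.
// With failFast=false the deprecated step is skipped with a notice and the
// rest of the plan still runs; with failFast=true the plan aborts at the first
// deprecated task with a wrapped ErrDeprecatedPlugin. run executes live tasks.
func DispatchTasks(plan []PipelineTask, failFast bool, run func(PipelineTask) error) ([]TaskResult, error) {
	results := make([]TaskResult, 0, len(plan))
	for _, task := range plan {
		name := strings.ToLower(strings.TrimSpace(task.Plugin))
		if notice, gone := deprecatedPlugins[name]; gone {
			results = append(results, TaskResult{Plugin: name, Skipped: true, Notice: notice})
			if failFast {
				return results, fmt.Errorf("task %q: %w: %s", name, ErrDeprecatedPlugin, notice)
			}
			continue // skip the step; the options are never passed anywhere
		}
		if err := run(task); err != nil {
			return results, fmt.Errorf("task %q: %w", name, err)
		}
		results = append(results, TaskResult{Plugin: name})
	}
	return results, nil
}

func main() {
	// Constructed plan: one legacy dbt task between two live plugins.
	plan := []PipelineTask{
		{Plugin: "github", Options: map[string]interface{}{"connectionId": 1}},
		{Plugin: "dbt", Options: map[string]interface{}{"projectPath": "/tmp/example-project"}},
		{Plugin: "jira"},
	}
	noop := func(PipelineTask) error { return nil }
	results, err := DispatchTasks(plan, false, noop)
	for _, r := range results {
		if r.Skipped {
			fmt.Printf("SKIP %s: %s\n", r.Plugin, r.Notice)
		} else {
			fmt.Printf("RAN  %s\n", r.Plugin)
		}
	}
	if err != nil {
		fmt.Println("error:", err)
	}
}
```

In skip mode the `dbt` entry produces a `TaskResult` with `Skipped` set and the notice text, while `github` and `jira` still execute; in fail-fast mode the returned error wraps `ErrDeprecatedPlugin`, so callers can match it with `errors.Is` and surface the notice without ever invoking the removed plugin.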
