Skip to content

Hotfix/fix polars code parser vulnerability#355

Merged
Edwardvaneechoud merged 10 commits intomainfrom
hotfix/fix-polars-code-parser-vulnerability
Mar 16, 2026
Merged

Hotfix/fix polars code parser vulnerability#355
Edwardvaneechoud merged 10 commits intomainfrom
hotfix/fix-polars-code-parser-vulnerability

Conversation

@Edwardvaneechoud
Copy link
Copy Markdown
Owner

@Edwardvaneechoud Edwardvaneechoud commented Mar 16, 2026

This pull request introduces significant improvements to the security of the Polars code execution sandbox, enhances documentation clarity, and adds comprehensive tests for the new security features. The most important changes are summarized below.

Security hardening for Polars code execution:

  • The PolarsCodeParser now enforces a strict set of blocked functions (e.g., open, exec, eval, __import__, etc.), blocks all import statements, and restricts access to dunder (double underscore) attributes and strings, preventing common sandbox escape vectors. Additionally, the execution environment's __builtins__ is set to an empty dictionary to block access to all built-in functions unless explicitly allowed. [1] [2]

Expanded security test coverage:

  • A new TestPolarsCodeParserSecurity class is added with extensive tests covering blocked function calls, import statements, dunder access, bypass attempts, and runtime enforcement to ensure the sandbox is robust against known and potential attacks. The tests also verify that allowed operations and Polars functionality continue to work as expected.

Documentation improvements:

  • The user documentation for the catalog and kernel features has been updated for clarity and accuracy. This includes removing references to Unity Catalog, simplifying sidebar tab descriptions, clarifying artifact persistence (removing outdated recovery mode details), and updating I/O function descriptions. Unnecessary or outdated sections on execution cancellation and resource monitoring have been removed for conciseness. [1] [2] [3] [4] [5] [6]

Other code and test maintenance:

  • Minor import adjustments to support the new test structure and maintain code clarity.

claude and others added 8 commits March 15, 2026 18:23
@claude
fix: add pandas and sqlalchemy as production dependencies for databas…
00b294d 
…e writes

Polars write_database() with the sqlalchemy engine requires pandas at runtime.
Both pandas and sqlalchemy were previously dev-only dependencies, causing
database_writer nodes to fail in Docker where only main deps are installed.

https://claude.ai/code/session_013oAgzvWawNqytnCiPxUQPH
@Edwardvaneechoud
Merge branch 'main' into claude/fix-docker-pandas-dependency-4kSfy
990defb
@claude
fix: add psycopg2-binary as production dependency for PostgreSQL writes
5944247 
SQLAlchemy requires a DBAPI driver (psycopg2) to connect to PostgreSQL.
It was previously dev-only, causing database writes to fail in Docker
with "No module named 'psycopg2'".

https://claude.ai/code/session_013oAgzvWawNqytnCiPxUQPH
@Edwardvaneechoud
simplifying docs
bafd4cb
@Edwardvaneechoud
Reverting changes
933ab60
@Edwardvaneechoud
Revert changes in pyproject.toml
30b175a
@Edwardvaneechoud
Revert changes in poetry.lock
16464be
@Edwardvaneechoud
Adding stricter evaluation of polars_code_parser.py and add tests
962b88d
@netlify
Copy link
Copy Markdown

netlify bot commented Mar 16, 2026
edited
Loading

Deploy Preview for flowfile-wasm canceled.

Name Link
🔨 Latest commit 309c089
🔍 Latest deploy log https://app.netlify.com/projects/flowfile-wasm/deploys/69b862924fc96200080e5d76

@Edwardvaneechoud Edwardvaneechoud merged commit b4e723f into main Mar 16, 2026
14 of 20 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Edwardvaneechoud @claude