daft is vulnerable to Exposure of Sensitive Information
53
Medium Risk
The SQLConnection class in daft/sql/sql_connection.py echoes the full database connection URL in read_sql RuntimeError messages and in SQLConnection.__repr__. When a query or connection fails, or the connection object is logged or displayed, secrets embedded in the URL such as userinfo passwords, access_token query parameters, and driver-specific extras are exposed in plaintext. Earlier releases only redacted user:password userinfo, so query-parameter tokens and passwords containing URL-special characters were still leaked. The fix stops echoing the connection URL entirely and shows only the dialect and driver.
You are affected if you are using a version that falls within the vulnerable range and use daft.read_sql with connection URLs that embed credentials.
daft is vulnerable to Exposure of Sensitive Information in versions 0.4.10 - 0.7.12.
Upgrade the daft library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant