fix: CVE fixes, update werkzeug #1967
Conversation
Updates werkzeug for CVE-2024-34069 Signed-off-by: Mike Marchetti <mfmarche@gmail.com>
|
I opened issue #1969 for exactly this problem before finding this PR. Thanks for this! I hope the maintainers review and comment soon. |
| @@ -8,17 +8,20 @@ envlist = | |||
| {py37}-{min,pypi,dev} | |||
| {py38}-{min,pypi,dev} | |||
| {py39}-{min,pypi,dev} | |||
| {py310}-{min,pypi,dev} | |||
| isort-check | |||
There was a problem hiding this comment.
Probably should add py311 also, please. I tried that, and that brings new problems. In Py3.11 the collections module had some breaking (?) changes
ImportError while loading conftest '/Users/me/git/github/connexion_mfmarche/tests/conftest.py'.
/Users/me/git/github/connexion-mfmarche/tests/conftest.py:7: in <module>
???
connexion/__init__.py:14: in <module>
from .apis import AbstractAPI # NOQA
connexion/apis/__init__.py:16: in <module>
from .abstract import AbstractAPI # NOQA
connexion/apis/abstract.py:14: in <module>
from ..exceptions import ResolverError
connexion/exceptions.py:7: in <module>
from jsonschema.exceptions import ValidationError
.tox/py311-min/lib/python3.11/site-packages/jsonschema/__init__.py:18: in <module>
from jsonschema.validators import (
.tox/py311-min/lib/python3.11/site-packages/jsonschema/validators.py:8: in <module>
import requests
.tox/py311-min/lib/python3.11/site-packages/requests/__init__.py:58: in <module>
from . import utils
.tox/py311-min/lib/python3.11/site-packages/requests/utils.py:30: in <module>
from .cookies import RequestsCookieJar, cookiejar_from_dict
.tox/py311-min/lib/python3.11/site-packages/requests/cookies.py:164: in <module>
class RequestsCookieJar(cookielib.CookieJar, collections.MutableMapping):
E AttributeError: module 'collections' has no attribute 'MutableMapping'
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
| @@ -31,7 +34,10 @@ commands= | |||
| pypi: pip install --upgrade -r {toxworkdir}/requirements-pypi.txt | |||
| dev: requirements-builder --level=dev --extras aiohttp --req=requirements-devel.txt -o {toxworkdir}/requirements-dev.txt setup.py | |||
| dev: pip install --upgrade -r {toxworkdir}/requirements-dev.txt | |||
| python setup.py test | |||
| python setup.py pytest {posargs} | |||
There was a problem hiding this comment.
There's a /lot/ going on in the tox setup/run commands that I don't understand, like dynamically creating requirements files such as requirements-min.txt. The tests get quite far but still fail with the old line (just test). The change from test to pytest changes the behavior significantly, and the tests still fail. From asking the cloud, I believe the invocation python setup.py is deprecated and has to be changed at this point bcos of this warning:
/Users/me/git/github/connexion_mfmarche/.tox/py311-min/lib/python3.11/site-packages/setuptools/__init__.py:81: _DeprecatedInstaller: setuptools.installer and fetch_build_eggs are deprecated.
!!
********************************************************************************
Requirements should be satisfied by a PEP 517 installer.
If you are using pip, you can try `pip install --use-pep517`.
********************************************************************************
!!
dist.fetch_build_eggs(dist.setup_requires)
| @@ -10,7 +10,8 @@ | |||
|
|
|||
| import flask | |||
| import werkzeug.exceptions | |||
| from flask import json, signals | |||
| from flask import signals | |||
| import json | |||
There was a problem hiding this comment.
I think adding this import on this line causes the check for properly sorted imports to fail ("isort"). Still trying to figure it out tho.
There was a problem hiding this comment.
ok will move that around.
There was a problem hiding this comment.
Cool, this is the position that isort accepted for me:
diff --git a/connexion/apps/flask_app.py b/connexion/apps/flask_app.py
index 6a7e61d..ada9c57 100644
--- a/connexion/apps/flask_app.py
+++ b/connexion/apps/flask_app.py
@@ -3,6 +3,7 @@ This module defines a FlaskApp, a Connexion application to wrap a Flask applicat
"""
import datetime
+import json
import logging
import pathlib
from decimal import Decimal
@@ -11,7 +12,6 @@ from types import FunctionType # NOQA
import flask
import werkzeug.exceptions
from flask import signals
-import json
from ..apis.flask_api import FlaskApi
from ..exceptions import ProblemException
|
I cannot comment on the line or file because you didn't touch it in this PR, I recommend bumping the version in |
|
Finally realized I had used a hyphen in the cloned directory name and that caused problems, sorry for my confusion. I installed python3.9, now https://werkzeug.palletsprojects.com/en/3.0.x/test/#werkzeug.test.Client.set_cookie |
|
I solved the |
| @@ -25,7 +25,7 @@ def read_version(package): | |||
| 'PyYAML>=5.1,<7', | |||
| 'requests>=2.9.1,<3', | |||
| 'inflection>=0.3.1,<0.6', | |||
| 'werkzeug>=1.0,<2.3', | |||
| 'werkzeug>=1.0,<4.0', | |||
There was a problem hiding this comment.
since werkzeug versions below 3.x have security vulnerabilities, I suggest:
'werkzeug>=3.0,<4.0',
That change brings the next challenge:
ERROR: Cannot install -r /Users/me/git/github/connexion_mfmarche/.tox/requirements-min.txt (line 12) and MarkupSafe==0.23 because these package versions have conflicting dependencies.
The conflict is caused by:
The user requested MarkupSafe==0.23
werkzeug 3.0.0 depends on MarkupSafe>=2.1.1
|
@mfmarche I think this PR is exactly on point and will benefit many people including me, do you still have time to push this along? |
Hi @chrisinmtown, yes have every intention to push along. I will take your comments, thank you for providing those. However, i'm not sure if this will ever get pushed by upstream into the v2 branch? Do you have suggestions how to proceed? |
Unfortunately for all of us connexion users, I have no suggestions. You might comment on this issue that I wrote, trying to get a reply from the new maintainers: #1973 |
| 'pytest-cov>=2,<3', | ||
| 'testfixtures>=6,<7', | ||
| 'pytest', |
There was a problem hiding this comment.
Three lines above the pytest dependency is set to pytest>=6,<9, is this unpinned duplicate setting a typo?
Updates werkzeug for CVE-2024-34069
Fixes # .
Changes proposed in this pull request: