fix: bump requests-cache to ^0.9 to mitigate an Arbitrary Code Execution issue in version 0.5.2 #331
Conversation
@wookiesh thanks for your interest in the project. I'm curious why you have chosen version ^0.9 when 1.2.0 is available? And why the whitespace edits to other unrelated lines in project.toml?
Hello Andy,
Thanks for the project, happily using it.
Regarding the version, that was just not to change the major version as it may introduce breaking changes.
For the other edits, it’s vscode that reformatted the code and it seemed to fit the rest of the file so I let them in.
Of course I could remove them from the PR if you prefer?
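The exchange above turns on what a Poetry caret constraint actually admits. As an added example (not code from the PR or from the trading-ig project), here is a small pure-Python check that implements the caret rule by hand and answers both questions raised in the thread: whether `^0.9` keeps out the vulnerable requests-cache 0.5.2, and whether it also keeps out the 1.2.0 release the maintainer points to. The function names and the `audit` helper are my own, and the version strings used as input are the ones named in the thread.

```python
"""Poetry caret-range check for a dependency bump.

Added example; not part of the trading-ig project or of this PR. It
implements Poetry's caret ("^") operator without third-party packages and
tests it against the versions discussed in the thread.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'X', 'X.Y' or 'X.Y.Z' into a 3-tuple, padding with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unsupported version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def caret_range(spec: str) -> Tuple[Version, Version]:
    """Return the half-open [lower, upper) range denoted by a caret spec.

    Poetry's rule: the upper bound bumps the left-most non-zero component
    that was written in the spec, so ^1.2 -> [1.2.0, 2.0.0),
    ^0.9 -> [0.9.0, 0.10.0) and ^0.0.3 -> [0.0.3, 0.0.4).
    """
    if not spec.startswith("^"):
        raise ValueError("only caret specs are handled here")
    body = spec[1:]
    written = [int(p) for p in body.split(".")]
    lower = parse_version(body)
    # Index of the first non-zero written component; if every written
    # component is zero, Poetry bumps the last one that was written.
    bump = next((i for i, v in enumerate(written) if v != 0), len(written) - 1)
    upper = list(lower)
    upper[bump] += 1
    for i in range(bump + 1, 3):
        upper[i] = 0
    return lower, (upper[0], upper[1], upper[2])


def allows(spec: str, version: str) -> bool:
    """True if the caret spec admits the given version."""
    lower, upper = caret_range(spec)
    return lower <= parse_version(version) < upper


def audit(spec: str, vulnerable: List[str], latest: str) -> Dict[str, object]:
    """Summarise a proposed constraint: does it exclude every known-bad
    version, and does it still admit the newest release?"""
    return {
        "excludes_all_vulnerable": all(not allows(spec, v) for v in vulnerable),
        "admits_latest": allows(spec, latest),
        "range": caret_range(spec),
    }


if __name__ == "__main__":
    # Versions taken from the thread: vulnerable 0.5.2, proposed ^0.9,
    # and the 1.2.0 release mentioned by the maintainer.
    print(audit("^0.9", ["0.5.2"], "1.2.0"))
```

Run as a script it reports that `^0.9` does exclude 0.5.2 but also refuses 1.2.0, because a caret on a 0.x version only bumps the minor component; that is exactly why the maintainer asked about the choice.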
Fair enough re the version. I realise that requests-cache should be an optional dependency like pandas, tenacity. I'll consider that option for a future release. Do you actually use the cache feature? If so, would you mind adding a comment to #317? I'd like to understand how (and why) people are using it. Yes please revert the whitespace changes. I'll make the formatting more consistent in another commit
Sure, I’ll comment, and indeed that would be great to add it as optional dependency :)
Btw, while I was fixing my PR, Snyk notified me of two other dependency issues:
Improper Input Validation affecting package aiohttp. Upgrade to ***@***.*** Open Source: SNYK-PYTHON-AIOHTTP-6091621 <https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6091621>
Improper Input Validation affecting package aiohttp. Upgrade to ***@***.*** Open Source: SNYK-PYTHON-AIOHTTP-6091622 <https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6091622>
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') affecting package aiohttp. Upgrade to ***@***.*** Open Source: SNYK-PYTHON-AIOHTTP-6209406 <https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6209406>
HTTP Request Smuggling affecting package aiohttp. Upgrade to ***@***.*** Open Source: SNYK-PYTHON-AIOHTTP-6209407 <https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6209407>
Cross-site Scripting (XSS) affecting package aiohttp. Upgrade to ***@***.*** Open Source: SNYK-PYTHON-AIOHTTP-6645291 <https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6645291>
Infinite loop affecting package aiohttp. Upgrade to ***@***.*** Open Source: SNYK-PYTHON-AIOHTTP-6808823 <https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6808823>
SNYK-PYTHON-AIOHTTP-6091621: Improper Input Validation affecting aiohttp package
Vulnerability | CVE-2023-49082 | CWE-20 | SNYK-PYTHON-AIOHTTP-6091621
Fixed in: @3.9.0 | Exploit maturity: MEDIUM
Overview
Affected versions of this package are vulnerable to Improper Input Validation via the ClientSession method. An attacker can modify the HTTP request or create a new HTTP request if they control the HTTP method.
And
NULL Pointer Dereference affecting package numpy. Upgrade to ***@***.*** Open Source: SNYK-PYTHON-NUMPY-2321964 <https://snyk.io/vuln/SNYK-PYTHON-NUMPY-2321964>
Buffer Overflow affecting package numpy. Upgrade to ***@***.*** Open Source: SNYK-PYTHON-NUMPY-2321966 <https://snyk.io/vuln/SNYK-PYTHON-NUMPY-2321966>
Denial of Service (DoS) affecting package numpy. Upgrade to ***@***.*** Open Source: SNYK-PYTHON-NUMPY-2321970 <https://snyk.io/vuln/SNYK-PYTHON-NUMPY-2321970>
SNYK-PYTHON-NUMPY-2321964: NULL Pointer Dereference affecting numpy package
Vulnerability | CVE-2021-41495 | CWE-476 | SNYK-PYTHON-NUMPY-2321964
Fixed in: @1.22.2 | Exploit maturity: LOW
Overview
numpy is a fundamental package needed for scientific computing with Python.
Affected versions of this package are vulnerable to NULL Pointer Dereference due to missing return-value validation in the PyArray_DescrNew function, which may allow attackers to conduct Denial of Service attacks by repetitively creating and sorting arrays.
Note: This may likely only happen if application memory is already exhausted, as it requires the newdescr object of the PyArray_DescrNew to evaluate to NULL.
Remediation
Upgrade numpy to version 1.22.2 or higher.
(Pandas)
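The aiohttp overview quoted in the comment above says the weakness is reachable when an attacker controls the HTTP method string. As an added example (not from the thread, from aiohttp, or from the trading-ig project), here is the defensive check a caller can apply before handing any untrusted method to an HTTP client: accept only a syntactically valid RFC 9110 token, and only from the set of methods the application actually uses. The function names and the `ALLOWED_METHODS` set are my own assumptions.

```python
"""Allowlist check for an HTTP method taken from untrusted input.

Added example; not code from the PR, from aiohttp, or from the trading-ig
project. It shows the input validation to perform on a method string before
it reaches any HTTP client, so that a value containing whitespace or line
breaks can never be placed into a request line.
"""
import re
from typing import FrozenSet

# RFC 9110 "token" characters: no whitespace, no CR/LF, no separators.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Methods this (hypothetical) application is willing to issue; adjust per app.
ALLOWED_METHODS: FrozenSet[str] = frozenset({"GET", "POST", "PUT", "DELETE"})


def validate_http_method(method: str, allowed: FrozenSet[str] = ALLOWED_METHODS) -> str:
    """Return the canonical upper-case method, or raise ValueError.

    Two layers: the value must be a valid token (syntax), and it must be one
    of the methods the application expects (policy).
    """
    if not isinstance(method, str) or not _TOKEN_RE.match(method):
        raise ValueError("HTTP method is not a valid token")
    canonical = method.upper()
    if canonical not in allowed:
        raise ValueError(f"HTTP method {canonical!r} is not allowed")
    return canonical


def is_safe_method(method: str, allowed: FrozenSet[str] = ALLOWED_METHODS) -> bool:
    """Boolean wrapper for use in request filters and tests."""
    try:
        validate_http_method(method, allowed)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one clean value and a few that must be rejected.
    for candidate in ["get", "POST", "TRACE", "PO ST", "GET\r\nX-Injected: 1", ""]:
        print(repr(candidate), "->", is_safe_method(candidate))
```

The token check alone would still admit methods such as TRACE; the allowlist is what keeps the client to the verbs the application was designed to send. Keep the rejection a hard error rather than silently falling back to GET, so that a bad value shows up in logs instead of being masked.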
@wookiesh aiohttp is a transitive dependency on the lightstreamer client, so out of our hands. And the numpy dependency from pandas, which is optional and so up to the end user
If you want this to be merged, please fix the whitespace changes
…on issue in version 0.5.2
sorry, done
There's some kind of build issue with Python 3.10 and pandas: https://github.com/ig-python/trading-ig/actions/runs/10399815604/job/28807850525 I don't have time to look into it currently
Hi, did you manage to find some time to have a look?
@wookiesh merge the latest into your branch, should re-trigger the checks
see https://security.snyk.io/vuln/SNYK-PYTHON-REQUESTSCACHE-1089050
Tests were run before and after installation to compare, and the results were similar:
17 failed, 92 passed, 3 skipped, 196 warnings, 49 errors
Most of the issues in the test suite were related to:
Failed: Integration test currently only works with a spreadbet account