-
Notifications
You must be signed in to change notification settings - Fork 0
[Cycode] Fix for vulnerable manifest file dependency - requests updated to version 2.32.0 #139
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: chantanna-patch-1
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -1,5 +1,5 @@ | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| -r ../dev-requirements.txt | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| sphinx>3.0.0 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| requests>=2,<2.16 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| requests==2.32.0 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Check failure on line 3 in gitea/repositories/white-rabbit/docs/requirements.txt
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. ❗Cycode: Security vulnerability found in newly introduced dependency.
ImpactDue to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. WorkaroundsFor older versions of Requests, use of the .netrc file can be disabled with Referencespsf/requests#6965 DescriptionDetects when new vulnerabilities affect your dependencies. Tell us how you wish to proceed using one of the following commands:
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. ❗Cycode: Security vulnerabilities found in newly introduced dependency.
The following vulnerabilities were introduced:
Highest fixed version: 2.33.0 DescriptionDetects when new vulnerabilities affect your dependencies. Tell us how you wish to proceed using one of the following commands:
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| furo | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| sphinx-copybutton | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
❗Cycode: Security vulnerability found in newly introduced dependency.
requestsrequests 2.32.02.33.0Impact
The
requests.utils.extract_zipped_paths()utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one.Affected usages
Standard usage of the Requests library is not affected by this vulnerability. Only applications that call
extract_zipped_paths()directly are impacted.Remediation
Upgrade to at least Requests 2.33.0, where the library now extracts files to a non-deterministic location.
If developers are unable to upgrade, they can set
TMPDIRin their environment to a directory with restricted write access.Description
Detects when new vulnerabilities affect your dependencies.
Tell us how you wish to proceed using one of the following commands: