Merge pull request #4926 from linuxfoundation/unicron-address-codeql-and-dependabot-vulns

Unicron address codeql and dependabot vulns

Author: lukaszgryglicki

cla-backend-go/go.mod

@@ -2,7 +2,9 @@
 // SPDX-License-Identifier: MIT
 module github.com/linuxfoundation/easycla/cla-backend-go
 
-go 1.24
+go 1.24.0
+
+toolchain go1.24.4
 
 replace github.com/awslabs/aws-lambda-go-api-proxy => github.com/LF-Engineering/aws-lambda-go-api-proxy v0.3.2
 
@@ -68,12 +70,12 @@ require (
 require (
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.53.1
 	github.com/bradleyfalzon/ghinstallation/v2 v2.2.0
-	github.com/golang-jwt/jwt v3.2.2+incompatible
-	github.com/golang-jwt/jwt/v4 v4.5.0
+	github.com/golang-jwt/jwt/v4 v4.5.2
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0
 	go.opentelemetry.io/otel v1.40.0
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.40.0
 	go.opentelemetry.io/otel/sdk v1.40.0
+	go.opentelemetry.io/otel/trace v1.40.0
 )
 
 require (
@@ -131,7 +133,6 @@ require (
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.40.0 // indirect
 	go.opentelemetry.io/otel/metric v1.40.0 // indirect
-	go.opentelemetry.io/otel/trace v1.40.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.9.0 // indirect
 	golang.org/x/text v0.33.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20260209200024-4cfbd4190f57 // indirect

cla-backend-go/go.sum

@@ -285,10 +285,9 @@ github.com/gobuffalo/packr/v2 v2.2.0/go.mod h1:CaAwI0GPIAv+5wKLtv8Afwl+Cm78K/I/V
 github.com/gobuffalo/syncx v0.0.0-20190224160051-33c29581e754/go.mod h1:HhnNqWY95UYwwW3uSASeV7vtgYkT2t16hJgV3AEPUpw=
 github.com/gofrs/uuid v4.0.0+incompatible h1:1SD/1F5pU8p29ybwgQSwpQk+mwdRrXCYuPhW6m+TnJw=
 github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
-github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
-github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
-github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
+github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang/dep v0.5.4/go.mod h1:6RZ2Wai7dSWk7qL55sDYk+8UPFqcW7all2KDBraPPFA=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=

cla-backend-go/package.json

@@ -31,6 +31,7 @@
   },
   "resolutions": {
     "axios": "^0.30.3",
+    "tar": "^7.5.10",
     "ansi-regex": "^5.0.1",
     "aws-sdk": "^2.1329.0",
     "cookiejar": "^2.1.4",
@@ -48,7 +49,6 @@
     "ws": ">=7.5.10",
     "xmlhttprequest-ssl": "^1.6.2",
     "form-data": "^4.0.4",
-    "tar": "^7.5.8",
     "minimatch": "^10.2.1",
     "fast-xml-parser": "^5.3.6"
   }

cla-backend-go/v2/sign/jwt.go

@@ -6,7 +6,7 @@ package sign
 import (
 	"time"
 
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v4"
 	log "github.com/linuxfoundation/easycla/cla-backend-go/logging"
 	"github.com/linuxfoundation/easycla/cla-backend-go/utils"
 	"github.com/sirupsen/logrus"

cla-backend-go/yarn.lock

@@ -5032,10 +5032,10 @@ tar-stream@^2.1.0, tar-stream@^2.2.0:
     inherits "^2.0.3"
     readable-stream "^3.1.1"
 
-tar@^6.1.15, tar@^7.5.8:
-  version "7.5.9"
-  resolved "https://registry.yarnpkg.com/tar/-/tar-7.5.9.tgz#817ac12a54bc4362c51340875b8985d7dc9724b8"
-  integrity sha512-BTLcK0xsDh2+PUe9F6c2TlRp4zOOBMTkoQHQIWSIzI0R7KG46uEwq4OPk2W7bZcprBMsuaeFsqwYr7pjh6CuHg==
+tar@^6.1.15, tar@^7.5.10:
+  version "7.5.11"
+  resolved "https://registry.yarnpkg.com/tar/-/tar-7.5.11.tgz#1250fae45d98806b36d703b30973fa8e0a6d8868"
+  integrity sha512-ChjMH33/KetonMTAtpYdgUFr0tbz69Fp2v7zWxQfYZX4g5ZN2nOBXm1R2xyA+lMIKrLKIoKAwFj93jE/avX9cQ==
   dependencies:
     "@isaacs/fs-minipass" "^4.0.0"
     chownr "^3.0.0"

cla-backend/cla/models/github_models.py

@@ -182,7 +182,12 @@ def get_repository_id(self, repo_name, installation_id=None):
             cla.log.error("Unknown error while getting GitHub repository ID for repository %s: %s", repo_name, str(err))
 
     def received_activity(self, data):
-        cla.log.debug("github_models.received_activity - Received GitHub activity: %s", data)
+        cla.log.debug(
+            "github_models.received_activity - received GitHub activity action=%s pull_request=%s merge_group=%s",
+            data.get("action"),
+            "pull_request" in data,
+            "merge_group" in data,
+        )
         if "pull_request" not in data and "merge_group" not in data:
             cla.log.debug("github_models.received_activity - Activity not related to pull request - ignoring")
             return {"message": "Not a pull request nor a merge group  - no action performed"}
@@ -206,7 +211,7 @@ def received_activity(self, data):
 
     def user_from_session(self, request, get_redirect_url):
         fn = "github_models.user_from_session"
-        cla.log.debug(f"{fn} - loading session from request: {request}...")
+        cla.log.debug(f"{fn} - loading session from request")
         session = self._get_request_session(request)
         cla.log.debug(f"{fn} - session loaded (keys={list(session.keys())})")
 
@@ -217,7 +222,7 @@ def user_from_session(self, request, get_redirect_url):
             if user is None:
                 cla.log.debug(f"{fn} - cannot find user, returning HTTP 404 status")
             else:
-                cla.log.debug(f"{fn} - loaded user {user.to_dict()} returning HTTP 200 status")
+                cla.log.debug(f"{fn} - loaded user returning HTTP 200 status")
             return user
 
         authorization_url, csrf_token = self.get_authorization_url_and_state(None, None, None, ["user:email"], state='user-from-session')
@@ -245,7 +250,7 @@ def sign_request(self, installation_id, github_repository_id, change_request_id,
         )
 
         # Not sure if we need a different token for each installation ID...
-        cla.log.debug(f"{fn} - Loading session from request: {request}...")
+        cla.log.debug(f"{fn} - Loading session from request")
         session = self._get_request_session(request)
         cla.log.debug(f"{fn} - Adding github details to session: {list(session.keys())} which is type: {type(session)}...")
         session["github_installation_id"] = installation_id
@@ -254,9 +259,9 @@ def sign_request(self, installation_id, github_repository_id, change_request_id,
 
         cla.log.debug(f"{fn} - Determining return URL from the inbound request...")
         origin_url = self.get_return_url(github_repository_id, change_request_id, installation_id)
-        cla.log.debug(f"{fn} - Return URL from the inbound request is {origin_url}")
+        cla.log.debug(f"{fn} - return URL resolved from inbound request")
         session["github_origin_url"] = origin_url
-        cla.log.debug(f'{fn} - Stored origin url in session as session["github_origin_url"] = {origin_url}')
+        cla.log.debug(f'{fn} - stored origin url in session')
 
         if "github_oauth2_token" in session:
             cla.log.debug(f"{fn} - Using existing session GitHub OAuth2 token")
@@ -278,7 +283,7 @@ def _get_request_session(self, request) -> dict:  # pylint: disable=no-self-use
         fn = "cla.models.github_models._get_request_session"
         session = request.context.get("session")
         if session is None:
-            cla.log.warning(f"{fn} - Session is empty for request: {request}")
+            cla.log.warning(f"{fn} - session is empty for request")
             session = {}
             request.context["session"] = session
 
@@ -355,7 +360,7 @@ def oauth2_redirect(self, state, code, request):  # pylint: disable=too-many-arg
         further requests and initiate the signing workflow.
         """
         fn = "github_models.oauth2_redirect"
-        cla.log.debug(f"{fn} - handling GitHub OAuth2 redirect with request: {dir(request)}")
+        cla.log.debug(f"{fn} - handling GitHub OAuth2 redirect callback")
         session = self._get_request_session(request)  # request.context['session']
 
         if "github_oauth2_state" in session:
@@ -388,7 +393,7 @@ def oauth2_redirect(self, state, code, request):  # pylint: disable=too-many-arg
             cla.log.debug(f"handling user-from-session callback")
             token_url = cla.conf["GITHUB_OAUTH_TOKEN_URL"]
             client_id = os.environ["GH_OAUTH_CLIENT_ID"]
-            cla.log.debug(f"{fn} - using client ID {client_id[0:5]}...")
+            cla.log.debug(f"{fn} - using configured GitHub OAuth client")
             client_secret = os.environ["GH_OAUTH_SECRET"]
             try:
                 token = self._fetch_token(client_id, state, token_url, client_secret, code)
@@ -401,7 +406,7 @@ def oauth2_redirect(self, state, code, request):  # pylint: disable=too-many-arg
             if user is None:
                 cla.log.debug(f"{fn} - cannot find user, returning HTTP 404 status")
             else:
-                cla.log.debug(f"{fn} - loaded user {user.to_dict()} returning HTTP 200 status")
+                cla.log.debug(f"{fn} - loaded user returning HTTP 200 status")
             return user.to_dict()
 
         # Get session information for this request.
@@ -414,11 +419,11 @@ def oauth2_redirect(self, state, code, request):  # pylint: disable=too-many-arg
         token_url = cla.conf["GITHUB_OAUTH_TOKEN_URL"]
         client_id = os.environ["GH_OAUTH_CLIENT_ID"]
         client_secret = os.environ["GH_OAUTH_SECRET"]
-        cla.log.debug(f"{fn} - fetching oauth2 token with client ID: {client_id[0:5]}..., token_url: {token_url}")
+        cla.log.debug(f"{fn} - fetching oauth2 token from configured GitHub endpoint")
         token = self._fetch_token(client_id, state, token_url, client_secret, code)
         cla.log.debug(f"{fn} - oauth2 token received - storing token in session")
         session["github_oauth2_token"] = token
-        cla.log.debug(f"{fn} - redirecting the user back to the console: {origin_url}")
+        cla.log.debug(f"{fn} - redirecting the user back to the contributor console")
         return self.redirect_to_console(installation_id, github_repository_id, change_request_id, origin_url, request)
 
     def redirect_to_console(self, installation_id, repository_id, pull_request_id, origin_url, request):

cla-backend/cla/utils.py

@@ -1240,10 +1240,7 @@ def get_authorization_url_and_state(client_id, redirect_uri, scope, authorize_ur
     if state is None:
         oauth = OAuth2Session(client_id, redirect_uri=redirect_uri, scope=scope)
         authorization_url, state = oauth.authorization_url(authorize_url)
-        cla.log.debug(
-            f"{fn} - initialized oauth session using the github oauth client id: {client_id[0:5]}... "
-            f"with the redirect_uri: {redirect_uri} and scope: {scope}"
-        )
+        cla.log.debug(f"{fn} - initialized oauth session for GitHub authorization flow")
         return authorization_url, state
     else:
         csrf_token = secrets.token_urlsafe(16)
@@ -1254,10 +1251,7 @@ def get_authorization_url_and_state(client_id, redirect_uri, scope, authorize_ur
         authorization_url, _ = oauth.authorization_url(authorize_url, state=encoded_state)
 
         # Logging
-        cla.log.debug(
-            f"{fn} - initialized oauth session using the github oauth client id: {client_id[0:5]}... "
-            f"with the redirect_uri: {redirect_uri} and scope: {scope}"
-        )
+        cla.log.debug(f"{fn} - initialized oauth session for GitHub authorization flow with custom state")
         return authorization_url, csrf_token
 
 

cla-backend/package.json

@@ -76,7 +76,7 @@
     "shell-quote": "^1.7.3",
     "simple-git": "^3.32.3",
     "ws": ">=7.5.10",
-    "tar": "^7.5.8",
+    "tar": "^7.5.10",
     "xmlhttprequest-ssl": "^1.6.2",
     "fast-xml-parser": "^5.3.6",
     "ajv": "8.18.0",

cla-backend/requirements.txt

@@ -33,7 +33,7 @@ pydocusign==2.2
 PyGithub==1.55
 pyparsing==2.4.5
 PyJWT==2.11.0
-cryptography==41.0.7
+cryptography==46.0.5
 python-dateutil==2.8.1
 requests==2.31.0
 requests-oauthlib==1.2.0

cla-backend/yarn.lock

@@ -5494,7 +5494,7 @@ signal-exit@^3.0.2, signal-exit@^3.0.7:
   resolved "https://registry.yarnpkg.com/signal-exit/-/signal-exit-3.0.7.tgz#a9a1767f8af84155114eaabd73f99273c8f59ad9"
   integrity sha512-wnD2ZE+l+SPC/uoS0vXeE9L1+0wuaMqKlfz9AMUo38JsyLSBWSFcHR1Rri62LZc12vLr1gb3jl7iwQhgwpAbGQ==
 
-simple-git@^3.16.0, simple-git@^3.23.3, simple-git@^3.32.3:
+simple-git@^3.16.0, simple-git@^3.32.3:
   version "3.32.3"
   resolved "https://registry.yarnpkg.com/simple-git/-/simple-git-3.32.3.tgz#1dd6030fd03df4533a9e5a941314335e6265055d"
   integrity sha512-56a5oxFdWlsGygOXHWrG+xjj5w9ZIt2uQbzqiIGdR/6i5iococ7WQ/bNPzWxCJdEUGUCmyMH0t9zMpRJTaKxmw==
@@ -5770,10 +5770,10 @@ tar-stream@^2.1.0, tar-stream@^2.2.0:
     inherits "^2.0.3"
     readable-stream "^3.1.1"
 
-tar@^6.1.15, tar@^7.5.8:
-  version "7.5.9"
-  resolved "https://registry.yarnpkg.com/tar/-/tar-7.5.9.tgz#817ac12a54bc4362c51340875b8985d7dc9724b8"
-  integrity sha512-BTLcK0xsDh2+PUe9F6c2TlRp4zOOBMTkoQHQIWSIzI0R7KG46uEwq4OPk2W7bZcprBMsuaeFsqwYr7pjh6CuHg==
+tar@^6.1.15, tar@^7.5.10:
+  version "7.5.11"
+  resolved "https://registry.yarnpkg.com/tar/-/tar-7.5.11.tgz#1250fae45d98806b36d703b30973fa8e0a6d8868"
+  integrity sha512-ChjMH33/KetonMTAtpYdgUFr0tbz69Fp2v7zWxQfYZX4g5ZN2nOBXm1R2xyA+lMIKrLKIoKAwFj93jE/avX9cQ==
   dependencies:
     "@isaacs/fs-minipass" "^4.0.0"
     chownr "^3.0.0"