fix CVE-2024-33663 and bring in updates for social-auth-app-django (#6634)

2026-01-10 15:32:07 -03:30 · 2024-08-15 13:32:09 -04:00 · 2024-08-15 13:32:09 -04:00 · 467024bc54
commit 467024bc54
parent bdf3f81016
5 changed files with 8 additions and 58 deletions
--- a/awx/sso/middleware.py
+++ b/awx/sso/middleware.py
@ -17,6 +17,9 @@ from social_django.middleware import SocialAuthExceptionMiddleware


 class SocialAuthMiddleware(SocialAuthExceptionMiddleware):
+    def __call__(self, request):
+        return self.process_request(request)
+
    def process_request(self, request):
        if request.path.startswith('/sso'):
            # See upgrade blocker note in requirements/README.md
--- a/licenses/ecdsa.txt
+++ b/licenses/ecdsa.txt
@ -1,24 +0,0 @@
-"python-ecdsa" Copyright (c) 2010 Brian Warner
-
-Portions written in 2005 by Peter Pearson and placed in the public domain.
-
-Permission is hereby granted, free of charge, to any person
-obtaining a copy of this software and associated documentation
-files (the "Software"), to deal in the Software without
-restriction, including without limitation the rights to use,
-copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the
-Software is furnished to do so, subject to the following
-conditions:
-
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
-OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
-HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
-WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
-OTHER DEALINGS IN THE SOFTWARE.
--- a/licenses/python-jose.txt
+++ b/licenses/python-jose.txt
@ -1,21 +0,0 @@
-The MIT License (MIT)
-
-Copyright (c) 2015 Michael Davis
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
--- a/requirements/requirements.in
+++ b/requirements/requirements.in
@ -56,8 +56,8 @@ python-ldap
 pyyaml>=6.0.1
 pyzstd  # otel collector log file compression library
 receptorctl
-social-auth-core[openidconnect]==4.4.2  # see UPGRADE BLOCKERs
-social-auth-app-django==5.4.0  # see UPGRADE BLOCKERs
+social-auth-core == 4.5.4 # hard pinned due to resolver picking CVE version when uncapped
+social-auth-app-django==5.4.2  # see UPGRADE BLOCKERs
 sqlparse>=0.4.4   # Required by django https://github.com/ansible/awx/security/dependabot/96
 redis[hiredis]
 requests
--- a/requirements/requirements.txt
+++ b/requirements/requirements.txt
@ -174,8 +174,6 @@ djangorestframework-yaml==2.0.0
    # via -r /awx_devel/requirements/requirements.in
 docutils==0.20.1
    # via python-daemon
-ecdsa==0.18.0
-    # via python-jose
 enum-compat==0.0.3
    # via asn1
 filelock==3.13.1
@ -372,7 +370,6 @@ ptyprocess==0.7.0
 pyasn1==0.5.1
    # via
    #   pyasn1-modules
-    #   python-jose
    #   python-ldap
    #   rsa
    #   service-identity
@ -416,8 +413,6 @@ python-dateutil==2.8.2
    #   receptorctl
 python-dsv-sdk==1.0.4
    # via -r /awx_devel/requirements/requirements.in
-python-jose==3.3.0
-    # via social-auth-core
 python-ldap==3.4.4
    # via
    #   -r /awx_devel/requirements/requirements.in
@ -478,9 +473,7 @@ rpds-py==0.18.0
    #   jsonschema
    #   referencing
 rsa==4.9
-    # via
-    #   google-auth
-    #   python-jose
+    # via google-auth
 s3transfer==0.10.0
    # via boto3
 semantic-version==2.10.0
@ -496,7 +489,6 @@ six==1.16.0
    #   automat
    #   azure-core
    #   django-pglocks
-    #   ecdsa
    #   isodate
    #   kubernetes
    #   msrestazure
@ -509,9 +501,9 @@ slack-sdk==3.27.0
    # via -r /awx_devel/requirements/requirements.in
 smmap==5.0.1
    # via gitdb
-social-auth-app-django==5.4.0
+social-auth-app-django==5.4.2
    # via -r /awx_devel/requirements/requirements.in
-social-auth-core[openidconnect]==4.4.2
+social-auth-core==4.5.4
    # via
    #   -r /awx_devel/requirements/requirements.in
    #   social-auth-app-django