From 467024bc54a8bbb2a5a678395a6eb0f6defe6767 Mon Sep 17 00:00:00 2001
From: Jake Jackson
Date: Thu, 15 Aug 2024 13:32:09 -0400
Subject: [PATCH] fix CVE-2024-33663 and bring in updates for social-auth-app-django (#6634)

---
 awx/sso/middleware.py         |  3 +++
 licenses/ecdsa.txt            | 24 ------------------------
 licenses/python-jose.txt      | 21 ---------------------
 requirements/requirements.in  |  4 ++--
 requirements/requirements.txt | 14 +++----------
 5 files changed, 8 insertions(+), 58 deletions(-)
 delete mode 100644 licenses/ecdsa.txt
 delete mode 100644 licenses/python-jose.txt

diff --git a/awx/sso/middleware.py b/awx/sso/middleware.py
index f8b2b79741..59c2a3c0e3 100644
--- a/awx/sso/middleware.py
+++ b/awx/sso/middleware.py
@@ -17,6 +17,9 @@
 from social_django.middleware import SocialAuthExceptionMiddleware
 
 class SocialAuthMiddleware(SocialAuthExceptionMiddleware):
+    def __call__(self, request):
+        return self.process_request(request)
+
     def process_request(self, request):
         if request.path.startswith('/sso'):
             # See upgrade blocker note in requirements/README.md
diff --git a/licenses/ecdsa.txt b/licenses/ecdsa.txt
deleted file mode 100644
index 474479a2ce..0000000000
--- a/licenses/ecdsa.txt
+++ /dev/null
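Review bot: The new `__call__` returns whatever `process_request` returns, so if `process_request` still follows the `MiddlewareMixin` hook contract and falls through with `None` for an ordinary request, the middleware chain stops here and `get_response` is never called for that request; `process_request`'s body continues outside the hunk, so I cannot confirm from this hunk which way it goes. Django's `__call__` contract is to return a response, which for a non-short-circuiting middleware means deferring to `self.get_response(request)` once the pre-processing hook has nothing to return, i.e. `response = self.process_request(request)` followed by `return response if response is not None else self.get_response(request)`. If `process_request` was instead rewritten to end with `return self.get_response(request)`, a comment on `__call__` such as `# process_request now runs the whole chain and always returns a response` would make that dependency explicit for the next reader. A one-line docstring on `__call__` saying why the override exists (presumably the upstream `SocialAuthExceptionMiddleware` in the bumped social-auth-app-django no longer provides the old-style hook dispatch, which the hunk does not show) would also save a trip to the upstream changelog.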
@@ -1,24 +0,0 @@
-"python-ecdsa" Copyright (c) 2010 Brian Warner
-
-Portions written in 2005 by Peter Pearson and placed in the public domain.
-
-Permission is hereby granted, free of charge, to any person
-obtaining a copy of this software and associated documentation
-files (the "Software"), to deal in the Software without
-restriction, including without limitation the rights to use,
-copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the
-Software is furnished to do so, subject to the following
-conditions:
-
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
-OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
-HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
-WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
-OTHER DEALINGS IN THE SOFTWARE.
diff --git a/licenses/python-jose.txt b/licenses/python-jose.txt
deleted file mode 100644
index 59160df34b..0000000000
--- a/licenses/python-jose.txt
+++ /dev/null
@@ -1,21 +0,0 @@
-The MIT License (MIT)
-
-Copyright (c) 2015 Michael Davis
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
diff --git a/requirements/requirements.in b/requirements/requirements.in
index fd07d01f12..c92a2c87d3 100644
--- a/requirements/requirements.in
+++ b/requirements/requirements.in
@@ -56,8 +56,8 @@ python-ldap
 pyyaml>=6.0.1
 pyzstd # otel collector log file compression library
 receptorctl
-social-auth-core[openidconnect]==4.4.2 # see UPGRADE BLOCKERs
-social-auth-app-django==5.4.0 # see UPGRADE BLOCKERs
+social-auth-core == 4.5.4 # hard pinned due to resolver picking CVE version when uncapped
+social-auth-app-django==5.4.2 # see UPGRADE BLOCKERs
 sqlparse>=0.4.4 # Required by django https://github.com/ansible/awx/security/dependabot/96
 redis[hiredis]
 requests
diff --git a/requirements/requirements.txt b/requirements/requirements.txt
index 39b613996c..4a907bd5d4 100644
--- a/requirements/requirements.txt
+++ b/requirements/requirements.txt
@@ -174,8 +174,6 @@ djangorestframework-yaml==2.0.0
     # via -r /awx_devel/requirements/requirements.in
 docutils==0.20.1
     # via python-daemon
-ecdsa==0.18.0
-    # via python-jose
 enum-compat==0.0.3
     # via asn1
 filelock==3.13.1
@@ -372,7 +370,6 @@ ptyprocess==0.7.0
 pyasn1==0.5.1
     # via
     #   pyasn1-modules
-    #   python-jose
     #   python-ldap
     #   rsa
     #   service-identity
@@ -416,8 +413,6 @@ python-dateutil==2.8.2
     #   receptorctl
 python-dsv-sdk==1.0.4
     # via -r /awx_devel/requirements/requirements.in
-python-jose==3.3.0
-    # via social-auth-core
 python-ldap==3.4.4
     # via
     #   -r /awx_devel/requirements/requirements.in
@@ -478,9 +473,7 @@ rpds-py==0.18.0
     #   jsonschema
     #   referencing
 rsa==4.9
-    # via
-    #   google-auth
-    #   python-jose
+    # via google-auth
 s3transfer==0.10.0
     # via boto3
 semantic-version==2.10.0
@@ -496,7 +489,6 @@ six==1.16.0
     #   automat
     #   azure-core
     #   django-pglocks
-    #   ecdsa
     #   isodate
     #   kubernetes
     #   msrestazure
@@ -509,9 +501,9 @@ slack-sdk==3.27.0
     # via -r /awx_devel/requirements/requirements.in
 smmap==5.0.1
     # via gitdb
-social-auth-app-django==5.4.0
+social-auth-app-django==5.4.2
     # via -r /awx_devel/requirements/requirements.in
-social-auth-core[openidconnect]==4.4.2
+social-auth-core==4.5.4
     # via
     #   -r /awx_devel/requirements/requirements.in
     #   social-auth-app-django