search

4k4xs4pH1r3 / Astra

Automated Security Testing For REST API's
Apache License 2.0
0 stars 0 forks source link

Bump the pip group across 2 directories with 3 updates #32

Closed dependabot[bot] closed 2 months ago

dependabot[bot] commented 3 months ago

Bumps the pip group with 3 updates in the / directory: jinja2, pymongo and requests. Bumps the pip group with 1 update in the /SSRFmap directory: requests.

Updates jinja2 from 3.0.3 to 3.1.3

Release notes

Sourced from jinja2's releases.

3.1.3

This is a fix release for the 3.1.x feature branch.

3.1.2

This is a fix release for the 3.1.0 feature release.

3.1.1

3.1.0

This is a feature release, which includes new features and removes previously deprecated features. The 3.1.x branch is now the supported bugfix branch, the 3.0.x branch has become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades. We also encourage upgrading to MarkupSafe 2.1.1, the latest version at this time.

Changelog

Sourced from jinja2's changelog.

Version 3.1.3

Released 2024-01-10

  • Fix compiler error when checking if required blocks in parent templates are empty. :pr:1858
  • xmlattr filter does not allow keys with spaces. GHSA-h5c8-rqwp-cp95
  • Make error messages stemming from invalid nesting of {% trans %} blocks more helpful. :pr:1918

Version 3.1.2

Released 2022-04-28

  • Add parameters to Environment.overlay to match __init__. :issue:1645
  • Handle race condition in FileSystemBytecodeCache. :issue:1654

Version 3.1.1

Released 2022-03-25

  • The template filename on Windows uses the primary path separator. :issue:1637

Version 3.1.0

Released 2022-03-24

  • Drop support for Python 3.6. :pr:1534

  • Remove previously deprecated code. :pr:1544

    • WithExtension and AutoEscapeExtension are built-in now.
    • contextfilter and contextfunction are replaced by pass_context. evalcontextfilter and evalcontextfunction are replaced by pass_eval_context. environmentfilter and environmentfunction are replaced by pass_environment.
    • Markup and escape should be imported from MarkupSafe.
    • Compiled templates from very old Jinja versions may need to be recompiled.
    • Legacy resolve mode for Context subclasses is no longer supported. Override resolve_or_missing instead of

... (truncated)

Commits


Updates pymongo from 3.13.0 to 4.6.3

Release notes

Sourced from pymongo's releases.

PyMongo 4.6.2

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-6-2-released/267404

PyMongo 4.6.1

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-6-1-released/255752

PyMongo 4.6.0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-6-0-released/251866

PyMongo 4.5.0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-5-0-released/240662

PyMongo 4.4.1

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-4-1-released/235045

PyMongo 4.4.0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-4-released/232211

PyMongo 4.4.0b0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-4-0b0-release/210471

PyMongo 4.3.3

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-3-3-release/200145

PyMongo 4.3.2

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-3-2-released/194266

PyMongo 4.2.0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-2-0-released/176012

PyMongo 4.2.0b0

Release notes: https://www.mongodb.com/community/forums/t/python-driver-4-2-0-beta-available/168488

PyMongo 4.1.1

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-1-1-released/157895

PyMongo 4.1.0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-1-0-released/156029

PyMongo 4.0.2

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-0-2-released/150457

PyMongo 4.0.1

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-0-1-released/135979

PyMongo 4.0

Release notes: https://www.mongodb.com/community/forums/t/pymongo-4-0-released/134677

Changelog

Sourced from pymongo's changelog.

Changelog

Changes in Version 4.7

PyMongo 4.7 brings a number of improvements including:

  • Added the :class:pymongo.hello.Hello.connection_id, :attr:pymongo.monitoring.CommandStartedEvent.server_connection_id, :attr:pymongo.monitoring.CommandSucceededEvent.server_connection_id, and :attr:pymongo.monitoring.CommandFailedEvent.server_connection_id properties.

  • Fixed a bug where inflating a :class:~bson.raw_bson.RawBSONDocument containing a :class:~bson.code.Code would cause an error.

  • Significantly improved the performance of encoding BSON documents to JSON.

  • Support for named KMS providers for client side field level encryption. Previously supported KMS providers were only: aws, azure, gcp, kmip, and local. The KMS provider is now expanded to support name suffixes (e.g. local:myname). Named KMS providers enables more than one of each KMS provider type to be configured. See the docstring for :class:~pymongo.encryption_options.AutoEncryptionOpts. Note that named KMS providers requires pymongocrypt >=1.9 and libmongocrypt >=1.9.

  • :meth:~pymongo.encryption.ClientEncryption.encrypt and :meth:~pymongo.encryption.ClientEncryption.encrypt_expression now allow key_id to be passed in as a :class:uuid.UUID.

  • Fixed a bug where :class:~bson.int64.Int64 instances could not always be encoded by orjson_. The following now works::

    import orjson from bson import json_util orjson.dumps({'a': Int64(1)}, default=json_util.default, option=orjson.OPT_PASSTHROUGH_SUBCLASS)

.. _orjson: https://github.com/ijl/orjson

  • Fixed a bug appearing in Python 3.12 where "RuntimeError: can't create new thread at interpreter shutdown" could be written to stderr when a MongoClient's thread starts as the python interpreter is shutting down.
  • Added a warning when connecting to DocumentDB and CosmosDB clusters. For more information regarding feature compatibility and support please visit mongodb.com/supportability/documentdb <https://mongodb.com/supportability/documentdb>_ and mongodb.com/supportability/cosmosdb <https://mongodb.com/supportability/cosmosdb>_.
  • Added the :attr:pymongo.monitoring.ConnectionCheckedOutEvent.duration, :attr:pymongo.monitoring.ConnectionCheckOutFailedEvent.duration, and :attr:pymongo.monitoring.ConnectionReadyEvent.duration properties.
  • Added the type and kwargs arguments to :class:~pymongo.operations.SearchIndexModel to enable creating vector search indexes in MongoDB Atlas.
  • Fixed a bug where read_concern and write_concern were improperly added to :meth:~pymongo.collection.Collection.list_search_indexes queries.

Unavoidable breaking changes ............................

... (truncated)

Commits
  • 8da192f BUMP 4.6.3
  • 56b6b6d PYTHON-4305 Fix bson size check (#1564)
  • 449d0f3 BUMP to 4.6.3.dev0
  • e04576d DEVPROD-3871 Use teardown_task when there is one function/command (#1533)
  • cf1c6a1 PYTHON-4219 Prep for 4.6.2 Release (#1530)
  • d29b2b7 PYTHON-4147 [v4.6]: Silence noisy thread.start() RuntimeError at shutdown (#1...
  • 0477b9b PYTHON-4077 [v4.6]: Ensure there is a MacOS wheel for Python 3.7 (#1527)
  • ecad17d BUMP 4.6.2.dev0
  • 485e0a5 BUMP 4.6.1
  • 995365c PYTHON-4038 [v4.6]: Ensure retryable read OperationFailures re-raise except...
  • Additional commits viewable in compare view


Updates requests from 2.21.0 to 2.31.0

Release notes

Sourced from requests's releases.

v2.31.0

2.31.0 (2023-05-22)

Security

  • Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential forwarding of Proxy-Authorization headers to destination servers when following HTTPS redirects.

    When proxies are defined with user info (https://user:pass@proxy:8080), Requests will construct a Proxy-Authorization header that is attached to the request to authenticate with the proxy.

    In cases where Requests receives a redirect response, it previously reattached the Proxy-Authorization header incorrectly, resulting in the value being sent through the tunneled connection to the destination server. Users who rely on defining their proxy credentials in the URL are strongly encouraged to upgrade to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy credentials once the change has been fully deployed.

    Users who do not use a proxy or do not supply their proxy credentials through the user information portion of their proxy URL are not subject to this vulnerability.

    Full details can be read in our Github Security Advisory and CVE-2023-32681.

v2.30.0

2.30.0 (2023-05-03)

Dependencies

v2.29.0

2.29.0 (2023-04-26)

Improvements

  • Requests now defers chunked requests to the urllib3 implementation to improve standardization. (#6226)
  • Requests relaxes header component requirements to support bytes/str subclasses. (#6356)

... (truncated)

Changelog

Sourced from requests's changelog.

2.31.0 (2023-05-22)

Security

  • Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential forwarding of Proxy-Authorization headers to destination servers when following HTTPS redirects.

    When proxies are defined with user info (https://user:pass@proxy:8080), Requests will construct a Proxy-Authorization header that is attached to the request to authenticate with the proxy.

    In cases where Requests receives a redirect response, it previously reattached the Proxy-Authorization header incorrectly, resulting in the value being sent through the tunneled connection to the destination server. Users who rely on defining their proxy credentials in the URL are strongly encouraged to upgrade to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy credentials once the change has been fully deployed.

    Users who do not use a proxy or do not supply their proxy credentials through the user information portion of their proxy URL are not subject to this vulnerability.

    Full details can be read in our Github Security Advisory and CVE-2023-32681.

2.30.0 (2023-05-03)

Dependencies

2.29.0 (2023-04-26)

Improvements

  • Requests now defers chunked requests to the urllib3 implementation to improve standardization. (#6226)
  • Requests relaxes header component requirements to support bytes/str subclasses. (#6356)

2.28.2 (2023-01-12)

... (truncated)

Commits


Updates requests from 2.21.0 to 2.31.0

Release notes

Sourced from requests's releases.

v2.31.0

2.31.0 (2023-05-22)

Security

  • Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential forwarding of Proxy-Authorization headers to destination servers when following HTTPS redirects.

    When proxies are defined with user info (https://user:pass@proxy:8080), Requests will construct a Proxy-Authorization header that is attached to the request to authenticate with the proxy.

    In cases where Requests receives a redirect response, it previously reattached the Proxy-Authorization header incorrectly, resulting in the value being sent through the tunneled connection to the destination server. Users who rely on defining their proxy credentials in the URL are strongly encouraged to upgrade to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy credentials once the change has been fully deployed.

    Users who do not use a proxy or do not supply their proxy credentials through the user information portion of their proxy URL are not subject to this vulnerability.

    Full details can be read in our Github Security Advisory and CVE-2023-32681.

v2.30.0

2.30.0 (2023-05-03)

Dependencies

v2.29.0

2.29.0 (2023-04-26)

Improvements

  • Requests now defers chunked requests to the urllib3 implementation to improve standardization. (#6226)
  • Requests relaxes header component requirements to support bytes/str subclasses. (#6356)

... (truncated)

Changelog

Sourced from requests's changelog.

2.31.0 (2023-05-22)

Security

  • Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to potential forwarding of Proxy-Authorization headers to destination servers when following HTTPS redirects.

    When proxies are defined with user info (https://user:pass@proxy:8080), Requests will construct a Proxy-Authorization header that is attached to the request to authenticate with the proxy.

    In cases where Requests receives a redirect response, it previously reattached the Proxy-Authorization header incorrectly, resulting in the value being sent through the tunneled connection to the destination server. Users who rely on defining their proxy credentials in the URL are strongly encouraged to upgrade to Requests 2.31.0+ to prevent unintentional leakage and rotate their proxy credentials once the change has been fully deployed.

    Users who do not use a proxy or do not supply their proxy credentials through the user information portion of their proxy URL are not subject to this vulnerability.

    Full details can be read in our Github Security Advisory and CVE-2023-32681.

2.30.0 (2023-05-03)

Dependencies

2.29.0 (2023-04-26)

Improvements

  • Requests now defers chunked requests to the urllib3 implementation to improve standardization. (#6226)
  • Requests relaxes header component requirements to support bytes/str subclasses. (#6356)

2.28.2 (2023-01-12)

... (truncated)

Commits


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/4k4xs4pH1r3/Astra/network/alerts).
secure-code-warrior-for-github[bot] commented 3 months ago

Micro-Learning Topic: Race condition (Detected by phrase)

Matched on "race condition"

What is this? (2min video)

A race condition is a flaw that produces an unexpected result when the timing of actions impact other actions.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Server-side request forgery (Detected by phrase)

Matched on "SSRF"

What is this? (2min video)

Server-Side Request Forgery (SSRF) vulnerabilities are caused when an attacker can supply or modify a URL that reads or sends data to the server. The attacker can create a malicious request with a manipulated URL, when this request reaches the server, the server-side code executes the exploit URL causing the attacker to be able to read data from services that shouldn't be exposed.

Try a challenge in Secure Code Warrior

difflens[bot] commented 3 months ago

View changes in DiffLens

dependabot[bot] commented 2 months ago

Superseded by #34.