search

BingAds / BingAds-Python-SDK

Other
117 stars 162 forks source link

Reported security vulnerability in dependency "future". #233

Closed steve-mavens closed 1 year ago

steve-mavens commented 1 year ago

Dependabot has just thrown this at my bingads code: https://github.com/advisories/GHSA-v3c5-jqr6-7qm8

On a quick search of the head of your main branch, it looks to me as though the only use of future is several cases of from future.utils import with_metaclass. That's thoroughly harmless, and I'm confident guessing that it's not subject to a vulnerability in cookie-handling code! Nothing else in my application uses future, so I can dismiss my dependabot alert.

Still, it might be helpful to your users if you cut the dependency on future by specifying your metaclasses in Python 3 syntax (judging by your trove classifiers, you no longer support Python 2 anyway). I've never used with_metaclass before, but I believe that for example: class _BulkEntityIdentifier(with_metaclass(ABCMeta, _BulkObject)): translates to class _BulkEntityIdentifier(_BulkObject, metaclass=ABCMeta):.

The last release of future was 3 years ago, so I don't know whether that's still maintained. Perhaps it will respond to the advisory with a fix, in which case there's no need to change anything, but it doesn't look promising: https://github.com/PythonCharmers/python-future/pull/610

Even if you don't plan to change anything, I propose that this ticket might help anyone else who ends up here in the next few days because they got the same dependabot alert. Saves them doing the same check of the code :-)

If you are changing it, then while you're in there, there are some from __future__ import print_function and similar that are no longer needed provided you don't support Python 2.

wpwood commented 1 year ago

We're running into this issue, too. According to https://github.com/PythonCharmers/python-future/issues/612#issuecomment-1371996864, it doesn't look like future is going to be updated. They suggest removing future from usage, given that "It is supposed to help moving from Python 2 to 3. Python 2 has been dead for a long time."

Kache commented 1 year ago

Looks like v13.0.15 removes support for Python 2, but it missed removing the Python 2 compatibility deps like future and six

steve-mavens commented 1 year ago

v0.18.3 of future contains the fix to the cookie code: https://github.com/PythonCharmers/python-future/compare/v0.18.2...v0.18.3 https://github.com/PythonCharmers/python-future/commit/c91d70b34ef0402aef3e9d04364ba98509dca76f

qitia commented 1 year ago

yes we will remove six/future in vNext.