SmileyChris / easy-thumbnails

Easy thumbnails for Django
http://easy-thumbnails.readthedocs.org/
BSD 3-Clause "New" or "Revised" License
1.37k stars 312 forks

Reportlab dependency causes security warning #591

Closed. khink closed this 1 year ago

khink commented 2 years ago

When installing easy-thumbnails >=2.8, reportlab is pulled in, which had a security issue (https://security.snyk.io/vuln/SNYK-PYTHON-REPORTLAB-1022145):

All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see in Reportlab's documentation).

Steps to reproduce by Karan Bamal:
1. Download and install the latest package of reportlab
2. Go to demos -> odyssey -> dodyssey
3. In the text file odyssey.txt that needs to be converted to pdf inject <img src="http://127.0.0.1:5000" valign="top"/>
4. Create a nc listener nc -lp 5000
5. Run python3 dodyssey.py
6. You will get a hit on your nc showing we have successfully proceeded to send a server side request
7. dodyssey.py will show error since there is no img file on the url, but we are able to do SSRF

Does easy-thumbnails mitigate this, and if yes, how?

xuhcc commented 2 years ago

I think it should be optional dependency, along with svglib. Those who need SVG support always can install it manually.

Mogost commented 2 years ago

I fully support the idea that this dependency should be optional.

tehfink commented 2 years ago

Making reportlab optional would also help if you can't build it at the moment: https://stackoverflow.com/questions/69973873/symbol-not-found-in-flat-namespace-ft-done-face-from-reportlab-with-python3#comment125447843_69975866

Mogost commented 2 years ago

This issue may be closed.

khink commented 2 years ago

@Mogost Installing easy_thumbnails still pulls in reportlab, even without the [svg] extra:

$ pip install easy-thumbnails
Collecting easy-thumbnails
  Using cached easy_thumbnails-2.8.1-py3-none-any.whl (74 kB)
Collecting svglib
  Using cached svglib-1.2.1.tar.gz (896 kB)
Collecting reportlab
  Downloading reportlab-3.6.7-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (2.8 MB)
     |████████████████████████████████| 2.8 MB 12.6 MB/s

Mogost commented 2 years ago

Sure. Fix is already in code. Just waiting for release.

fdemmer commented 1 year ago

May I kindly ask for the code to be released properly?

jrief commented 1 year ago

Hi Florian, just released 2.8.2. Please recheck. Sorry for the long delay and thanks for the reminder.

jaap3 commented 1 year ago

Hi @jrief the new release causes issues because the VIL import is not guarded in all places in the easy-thumbnails codebase. For example: https://github.com/SmileyChris/easy-thumbnails/blob/92060b9fd7b617cab1ac88d149dc5021d43b35c3/easy_thumbnails/files.py#L17 has an unguarded from easy_thumbnails.VIL.Image import load, which breaks if reportlab isn't installed.
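An added example, not easy-thumbnails code, of the guarded optional import this thread asks for (so a missing reportlab degrades to a clear error instead of an ImportError at module load) together with the trustedHosts/trustedSchemes setting the advisory recommends. `try_import`, `load_svg`, `harden_reportlab` and `_DEFAULT` are hypothetical names chosen here; `easy_thumbnails.VIL.Image` and `reportlab.rl_config` are the real module paths, and the `importer` parameter exists only so the fallback path can be exercised without uninstalling anything.

```python
import importlib
from typing import Callable

_DEFAULT = object()  # sentinel: "use the module-level backend"


def try_import(name: str, importer: Callable[[str], object] = importlib.import_module):
    """Import `name`, returning None when it or a transitive dependency
    (svglib -> reportlab) is missing instead of raising at import time."""
    try:
        return importer(name)
    except ImportError:  # ModuleNotFoundError is a subclass
        return None


# One guard, evaluated once; every consumer consults it instead of doing an
# unguarded `from easy_thumbnails.VIL.Image import load` (the bug in files.py).
VIL_IMAGE = try_import("easy_thumbnails.VIL.Image")
SVG_SUPPORT = VIL_IMAGE is not None


def load_svg(source, backend=_DEFAULT):
    """Load an SVG through the optional backend, failing with an actionable
    message rather than an ImportError in the middle of a thumbnail request."""
    if backend is _DEFAULT:
        backend = VIL_IMAGE
    if backend is None:
        raise RuntimeError(
            "SVG thumbnails need the optional extra: pip install 'easy-thumbnails[svg]'"
        )
    return backend.load(source)


def harden_reportlab(hosts=(), schemes=("file",),
                     importer: Callable[[str], object] = importlib.import_module) -> bool:
    """When reportlab is present, restrict what its <img> tags may fetch via
    rl_config.trustedHosts / trustedSchemes (the mitigation named in the
    advisory). Returns False when reportlab is absent so callers can skip it.
    The values here are one conservative policy; adjust to what you actually
    need (hypothetical defaults, not reportlab's own)."""
    rl_config = try_import("reportlab.rl_config", importer)
    if rl_config is None:
        return False
    rl_config.trustedHosts = list(hosts)      # allow-list of host patterns
    rl_config.trustedSchemes = list(schemes)  # drop http/https: no remote fetch
    return True
```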