benjaminp / six

Python 2 and 3 compatibility library
https://six.readthedocs.io/
MIT License
987 stars, 274 forks

SIX new version #374

Status: Open. akrattan opened this issue 1 year ago

akrattan commented 1 year ago

Hello,

We are looking for a new release plan for SIX. Is there any plan for a release? I can see the last version is from 2021.

benjaminp commented 1 year ago

Why? There haven't been many changes since 2021.

akrattan commented 1 year ago

If any unforeseen issue/vulnerability comes, will a fix be available in the next version?

benjaminp commented 1 year ago

Yes, it's not too hard to make a release.

racswebdev commented 7 months ago

Hello, I am getting a code vulnerability finding when I am using this library, mainly in these lines (I am working with the pyawscron and dynamodb-json modules, which install this module). I want to know where you are using the six module (six.py file) dependency and whether we can remove the six module dependency, as I am getting an AWS Inspector (AWS Cloud) vulnerability in the line below.

Title = CWE-77,78,88 - OS command injection; Detector name = OS command injection; Vulnerable line = Line (#735) - exec("""exec code in globs, locs""") and similar lines in different parts of the code.

Refer to this file for the exact line (#735): six.py

I am not sure how exactly I can fix it. Also, my second requirement is that I have mostly been dealing with Python 3-related code for a long time and now I don't require Python 2-related things, but I am also not sure if some applications under the hood are using Python 2; I need to verify that. I am here to ask if there is a security fix for this or if there is any custom solution. Please let me know how I can deal with my applications, as I am getting code vulnerability issues.

As I am using the pyawscron and dynamodb-json modules, the six module is installed by default. We are using this in our organizational code and we are getting the vulnerability from AWS, and we need to fix it. Still, I don't have any clue about this, and I cannot ignore it, so what options do I have now to deal with this vulnerability? My concern is that if we touch the 3rd-party module files it can break something else in the code or a different code file where it has been used, but now the question is what options we have. I have also searched for alternative modules but I didn't find anything. Please suggest a WORKAROUND or something which I can try to resolve this.

Thanks
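The finding quoted above is the kind a scanner raises on any call to `exec`, regardless of what is being executed. The first triage question for a defender is whether the code argument can carry external input at all: a fixed string literal cannot, while an expression built at run time deserves a real look. The helper below, added here as an illustration and not code from six, the issue thread or AWS Inspector, parses Python source with the standard `ast` module and classifies every `exec`/`eval` call (and calls through an `exec_` wrapper attribute, as a compatibility shim would expose) as "literal" or "dynamic". The sample source it runs on is constructed to mirror the shape the comment describes: a version-gated shim whose `exec` argument is a string constant, next to an unrelated `eval` of a caller-supplied value.

```python
"""Triage helper for static-analysis findings on exec()/eval() calls.

Added example; not part of six, the issue thread or any scanner product.
Classifies the first argument of each exec/eval call as a string literal
(no path for external input) or a run-time expression (needs review).
"""
import ast
from dataclasses import dataclass
from typing import List

# Constructed sample source, shaped like a Python 2/3 compatibility shim:
# on Python 3 the wrapper is just builtins.exec; the string-exec line only
# exists so the Python 2 `exec ... in ...` statement is never seen by the
# Python 3 parser as a statement. The eval() at the end is a contrast case.
SAMPLE_SOURCE = '''
import sys
PY3 = sys.version_info[0] == 3
if PY3:
    import builtins
    exec_ = getattr(builtins, "exec")
else:
    def exec_(code, globs=None, locs=None):
        """Execute code in a namespace (Python 2 branch)."""
        exec("""exec code in globs, locs""")

def run_user_expression(expr):
    return eval(expr)
'''

WATCHED = {"exec", "eval", "exec_"}  # exec_ covers shim-style wrappers


@dataclass
class ExecFinding:
    lineno: int
    func: str
    arg_kind: str  # "literal", "dynamic" or "missing"
    snippet: str


def _called_name(node: ast.Call) -> str:
    """Return the bare name of the callee for Name or Attribute calls."""
    if isinstance(node.func, ast.Name):
        return node.func.id
    if isinstance(node.func, ast.Attribute):
        return node.func.attr
    return ""


def _arg_kind(node: ast.Call) -> str:
    """Literal string constant => 'literal'; anything else => 'dynamic'."""
    if not node.args:
        return "missing"
    first = node.args[0]
    if isinstance(first, ast.Constant) and isinstance(first.value, str):
        return "literal"
    return "dynamic"


def find_exec_calls(source: str) -> List[ExecFinding]:
    """Walk the AST and record every watched call, ordered by line."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _called_name(node) in WATCHED:
            findings.append(ExecFinding(
                lineno=node.lineno,
                func=_called_name(node),
                arg_kind=_arg_kind(node),
                snippet=ast.get_source_segment(source, node) or "",
            ))
    return sorted(findings, key=lambda f: f.lineno)


def needs_review(findings: List[ExecFinding]) -> List[ExecFinding]:
    """Only calls whose code argument is computed at run time need a look."""
    return [f for f in findings if f.arg_kind != "literal"]


if __name__ == "__main__":
    for f in find_exec_calls(SAMPLE_SOURCE):
        print(f"line {f.lineno:>3}  {f.func:<5} {f.arg_kind:<8} {f.snippet}")
    print("needs review:", [f.lineno for f in needs_review(find_exec_calls(SAMPLE_SOURCE))])
```

Run against the sample, the shim's `exec` call is reported as "literal" and the `eval(expr)` as "dynamic", so only the latter lands in the review list. Pointing `find_exec_calls` at a real installed `six.py` answers the reporter's first question without editing any third-party file; the separate question of whether anything still runs on Python 2 is answered by the interpreter actually deployed, not by the presence of the shim.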