brave / brave-browser

Brave browser for Android, iOS, Linux, macOS, Windows.
https://brave.com
Mozilla Public License 2.0

Outdated version of Python requests in vendor/ #16158

Open fmarier opened 3 years ago

fmarier commented 3 years ago

Our vendored version of Python Requests (2.7.0) is very old (from 2015).

The SafetyDB warns about the following security vulnerability CVE-2018-18074:

    {
        "advisory": "The Requests package through 2.19.1 sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.",
        "cve": "CVE-2018-18074",
        "id": "pyup.io-36546",
        "specs": [
            "<=2.19.1"
        ],
        "v": "<=2.19.1"
    },

which was fixed in 2.20.0 in 2018.

Additionally, the upstream repo has moved to https://github.com/psf/requests.

I grepped for vendor/requests in brave-core and only found the following reference outside of the vendor/requests/ and vendor/depot_tools/ directories:

    $ grep -r vendor/requests *
    DEPS:  "vendor/requests": "https://github.com/kennethreitz/requests@e4d59bedfd3c7f4f254f4f5d036587bcd8152458",

In other words, it doesn't look like it's used by anything.
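As an added illustration of the two checks behind this report (not code from brave-core, Requests, or the issue author): whether the vendored 2.7.0 falls inside the SafetyDB spec, and the redirect rule that Requests 2.20.0 introduced so that an Authorization header is no longer forwarded on a same-host https-to-http redirect. The redirect logic is reproduced in spirit from memory and is an assumption, not a copy of upstream.

```python
from urllib.parse import urlparse

# Added example for this issue, not code from brave-core or from Requests.
# is_affected(): does a pinned version fall inside a SafetyDB spec like "<=2.19.1"?
# should_strip_auth(): the redirect rule Requests adopted in 2.20.0 for
# CVE-2018-18074, reproduced here in spirit (assumption: not byte-for-byte upstream).

DEFAULT_PORTS = {"http": 80, "https": 443}


def _parse_version(v):
    return tuple(int(part) for part in v.split("."))


def is_affected(version, spec):
    """True if `version` satisfies a single comparison spec such as '<=2.19.1'."""
    for op in ("<=", ">=", "==", "<", ">"):
        if spec.startswith(op):
            bound = _parse_version(spec[len(op):])
            break
    else:
        raise ValueError("unsupported spec: %r" % spec)
    cur = _parse_version(version)
    return {"<=": cur <= bound, ">=": cur >= bound, "==": cur == bound,
            "<": cur < bound, ">": cur > bound}[op]


def _effective_port(parsed):
    return parsed.port if parsed.port is not None else DEFAULT_PORTS.get(parsed.scheme)


def should_strip_auth(old_url, new_url):
    """True if the Authorization header must not follow the redirect."""
    old, new = urlparse(old_url), urlparse(new_url)
    if old.hostname != new.hostname:
        return True  # never forward credentials to a different host
    if old.scheme == "https" and new.scheme == "http":
        return True  # the CVE-2018-18074 case: https-to-http downgrade
    if (old.scheme == "http" and new.scheme == "https"
            and _effective_port(old) == 80 and _effective_port(new) == 443):
        return False  # upgrade on the standard ports is fine
    return old.scheme != new.scheme or _effective_port(old) != _effective_port(new)


def headers_for_redirect(headers, old_url, new_url):
    """Copy of `headers` with Authorization dropped when the redirect is unsafe."""
    forwarded = dict(headers)
    if should_strip_auth(old_url, new_url):
        forwarded.pop("Authorization", None)
    return forwarded
```

With the vendored pin, `is_affected("2.7.0", "<=2.19.1")` is true, and the https-to-http case returns a header set without Authorization.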

fmarier commented 3 years ago

We also don't appear to be using vendor/boto:

    $ grep -r vendor/boto *
    DEPS:  "vendor/boto": "https://github.com/boto/boto@f7574aa6cc2c819430c1f05e9a1a1a666ef8169b",