django-cms / django-filer

File and Image Management Application for django
https://django-filer.readthedocs.io/

new filer (2.1) reportlab dependency in safety check #1277

Closed benzkji closed 8 months ago

benzkji commented 2 years ago

I use the safety package to check all of my dependencies used in a project. Since filer 2.1, reportlab is a dependency, as I know, used to transform svgs.

I found: the still relevant CVE is "Server-side Request Forgery (SSRF) via img tags", not a critical issue, but if your organization requires a strict "no-CVE" policy, this could be a problem?

Is reportlab really required? Probably yes. So, we would need to live with it, I guess?

+==============================================================================+
|                                                                              |
|                               /$$$$$$            /$$                         |
|                              /$$__  $$          | $$                         |
|           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
|          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
|         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
|          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
|          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
|         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
|                                                          /$$  | $$           |
|                                                         |  $$$$$$/           |
|  by pyup.io                                              \______/            |
|                                                                              |
+==============================================================================+
| REPORT                                                                       |
| checked 91 packages, using free DB (updated once a month)                    |
+============================+===========+==========================+==========+
| package                    | installed | affected                 | ID       |
+============================+===========+==========================+==========+
| reportlab                  | 3.6.6     | >=0                      | 39642    |
+==============================================================================+
bhrutledge commented 2 years ago

This has been reported at https://github.com/SmileyChris/easy-thumbnails/issues/591. The next release of easy-thumbnails will make SVG support optional: https://github.com/SmileyChris/easy-thumbnails/pull/597. Could SVG support be optional in django-filer?

benzkji commented 2 years ago

would make sense.

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

benzkji commented 2 years ago

not stale at all.

jbpenrath commented 2 years ago

easy_thumbnails 2.8.2 has been released on the 31st of July and introduces optional SVG support. As django-filer does not pin this dependency and does not install easy_thumbnails[svg], this update has broken my project based on django-filer. As a quick workaround, I can add easy_thumbnails[svg] to my project dependencies, but I think it would be better if django-filer manages this issue.

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

benzkji commented 1 year ago

still not stale?

jbpenrath commented 1 year ago

From my side, the issue has been solved with https://github.com/django-cms/django-filer/pull/1305.

benzkji commented 1 year ago

the original issue was about security tools reporting reportlab as a security risk. depending on the project, you may not be allowed to install reportlab. so, for me the question that remains is: will filer also allow an installation without reportlab? I could totally understand if this is not a goal, though.

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] commented 1 year ago

This will now be closed due to inactivity, but feel free to reopen it.

tehfink commented 11 months ago

Running into this dependency issue with django-filer 3.1.0

benzkji commented 11 months ago

1305 could help, to calm safety or pip-audit and the like. Though, when disabling svg support in easy thumbnails, you probably won't have it in filer either...not clear what happens in that case. You could just disable svg uploads (3+ only), see https://django-filer.readthedocs.io/en/latest/validation.html?highlight=svg#no-html-and-no-svg-upload, and things would be consistent and work as expected, without SVG support.
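The "no SVG upload" setting linked above hooks validator callables into filer's upload path. The following is an added illustration, not filer's own code: it mirrors the hook shape in plain Python (the `file_name, file, owner, mime_type` argument order and the `FileValidationError` class are assumptions modelled on the docs), and adds a content sniff so an SVG declared as `image/png` is still denied. The `"*"` key is this example's own convention, not a filer setting.

```python
import io
import re
from typing import IO

class FileValidationError(Exception):
    """Stand-in for filer's exception: raising it rejects the upload."""

# Root <svg element near the start of the file, whatever the declared type says.
_SVG_ROOT = re.compile(rb"<svg[\s>/]", re.IGNORECASE)

def deny_svg(file_name: str, file: IO[bytes], owner, mime_type: str) -> None:
    """Reject SVG by declared MIME type, by extension, or by sniffing the content."""
    head = file.read(4096)
    file.seek(0)  # leave the stream where filer expects it
    if (mime_type == "image/svg+xml"
            or file_name.lower().endswith((".svg", ".svgz"))
            or _SVG_ROOT.search(head)):
        raise FileValidationError(f"SVG upload denied: {file_name}")

def deny_html(file_name: str, file: IO[bytes], owner, mime_type: str) -> None:
    """Reject anything the server classified as HTML (stored XSS risk)."""
    raise FileValidationError(f"HTML upload denied: {file_name}")

# Declared MIME type -> validators. The "*" bucket runs for every upload so a
# mislabelled SVG cannot bypass the MIME-keyed rule (example convention only).
FILE_VALIDATORS = {
    "text/html": [deny_html],
    "image/svg+xml": [deny_svg],
    "*": [deny_svg],
}

def validate_upload(file_name: str, file: IO[bytes], owner, mime_type: str,
                    validators=FILE_VALIDATORS) -> None:
    """Simplified dispatch: run the validators registered for the declared type."""
    for validator in validators.get(mime_type, []) + validators.get("*", []):
        validator(file_name, file, owner, mime_type)

def check_upload(file_name: str, content: bytes, mime_type: str) -> str:
    """Wrap validate_upload so a caller gets 'accepted' or 'rejected: <reason>'."""
    try:
        validate_upload(file_name, io.BytesIO(content), owner=None, mime_type=mime_type)
    except FileValidationError as exc:
        return f"rejected: {exc}"
    return "accepted"

if __name__ == "__main__":
    # Constructed sample inputs, not real uploads.
    print(check_upload("logo.svg", b'<svg xmlns="http://www.w3.org/2000/svg"/>', "image/svg+xml"))
    print(check_upload("photo.png", b"\x89PNG\r\n\x1a\n", "image/png"))
```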

benzkji commented 11 months ago

Though, if you want your SVG uploaded as "File", not as "Image", I guess you'll be out of luck.

benzkji commented 11 months ago

1433 might be of interest (one step further into knowing what happens without easy-thumbnails[svg])

stale[bot] commented 8 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

fsbraun commented 8 months ago

In filer 3.x plus SVG can be fully deactivated.

benzkji commented 8 months ago

wasn't easythumbnails[svg] explicitly added to filer's dependencies ( https://github.com/django-cms/django-filer/blob/master/setup.py#L10 )? For me that's ok...I could still disable SVG uploads, via settings. The original issue was about the safety check and its report of reportlab as a security risk. But that seems gone.