search

edina / nbexchange

External exchange for nbgrader
Other
6 stars 2 forks source link

Update dependency tornado to v6.3.3 [SECURITY] #141

Closed renovate[bot] closed 8 months ago

renovate[bot] commented 1 year ago

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
tornado (source) ==6.1 -> ==6.3.3 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-28370

Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL.

GHSA-qppv-j76h-2rpx

Summary

Tornado interprets -, +, and _ in chunk length and Content-Length values, which are not allowed by the HTTP RFCs. This can result in request smuggling when Tornado is deployed behind certain proxies that interpret those non-standard characters differently. This is known to apply to older versions of haproxy, although the current release is not affected.

Details

Tornado uses the int constructor to parse the values of Content-Length headers and chunk lengths in the following locations:

tornado/http1connection.py:445

            self._expected_content_remaining = int(headers["Content-Length"])

tornado/http1connection.py:621

                content_length = int(headers["Content-Length"])  # type: Optional[int]

tornado/http1connection.py:671

            chunk_len = int(chunk_len_str.strip(), 16)

Because int("0_0") == int("+0") == int("-0") == int("0"), using the int constructor to parse and validate strings that should contain only ASCII digits is not a good strategy.

Release Notes

tornadoweb/tornado (tornado) ### [`v6.3.3`](https://togithub.com/tornadoweb/tornado/compare/v6.3.2...v6.3.3) [Compare Source](https://togithub.com/tornadoweb/tornado/compare/v6.3.2...v6.3.3) ### [`v6.3.2`](https://togithub.com/tornadoweb/tornado/compare/v6.3.1...v6.3.2) [Compare Source](https://togithub.com/tornadoweb/tornado/compare/v6.3.1...v6.3.2) ### [`v6.3.1`](https://togithub.com/tornadoweb/tornado/compare/v6.3.0...v6.3.1) [Compare Source](https://togithub.com/tornadoweb/tornado/compare/v6.3.0...v6.3.1) ### [`v6.3`](https://togithub.com/tornadoweb/tornado/compare/v6.2.0...v6.3.0) [Compare Source](https://togithub.com/tornadoweb/tornado/compare/v6.2.0...v6.3.0) ### [`v6.2`](https://togithub.com/tornadoweb/tornado/compare/v6.1.0...v6.2.0) [Compare Source](https://togithub.com/tornadoweb/tornado/compare/v6.1.0...v6.2.0)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.

codecov[bot] commented 1 year ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Comparison is base (19ee804) 88.23% compared to head (ba29043) 88.23%.

Additional details and impacted files ```diff @@ Coverage Diff @@ ## master #141 +/- ## ======================================= Coverage 88.23% 88.23% ======================================= Files 72 72 Lines 6275 6275 ======================================= Hits 5537 5537 Misses 738 738 ```

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

renovate[bot] commented 8 months ago

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (==6.3.3). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.