ig-python / trading-ig

A lightweight Python wrapper for the IG Markets API
https://trading-ig.readthedocs.io/
BSD 3-Clause "New" or "Revised" License
313 stars, 197 forks

fix: bump requests-cache to ^0.9 to mitigate an Arbitrary Code Execution issue in version 0.5.2 #331

Open wookiesh opened 5 months ago

wookiesh commented 5 months ago

see https://security.snyk.io/vuln/SNYK-PYTHON-REQUESTSCACHE-1089050

tests were run before and after installation to compare, and the results were similar: 17 failed, 92 passed, 3 skipped, 196 warnings, 49 errors

Most of the issues in the test suite were related to: Failed: Integration test currently only works with a spreadbet account

bug-or-feature commented 5 months ago

@wookiesh thanks for your interest in the project

I'm curious why you have chosen version ^0.9 when 1.2.0 is available? And why the whitespace edits to other unrelated lines in project.toml?

wookiesh commented 5 months ago

Hello Andy,

Thanks for the project, happily using it. Regarding the version, that was just not to change the major version as it may introduce breaking changes. For the other edits, it’s vscode that reformatted the code and it seemed to fit the rest of the file so I let them in. Of course I could remove them from the PR if you prefer?

[Reply sent by email on 6 May 2024 at 16:45, quoting Andy Geach's comment above]


bug-or-feature commented 5 months ago

Hello Andy, Thanks for the project, happily using it. Regarding the version, that was just not to change the major version as it may introduce breaking changes. For the other edits, it’s vscode that reformatted the code and it seemed to fit the rest of the file so I let them in. Of course I could remove them from the PR if you prefer?

Fair enough re the version. I realise that requests-cache should be an optional dependency like pandas, tenacity. I'll consider that option for a future release. Do you actually use the cache feature? If so, would you mind adding a comment to #317? I'd like to understand how (and why) people are using it.

Yes please revert the whitespace changes. I'll make the formatting more consistent in another commit

wookiesh commented 4 months ago

Sure, I’ll comment, and indeed that would be great to add it as optional dependency :)

Btw, while I was fixing my PR, Snyk notified me of two other dependency issues:

Improper Input Validation affecting package aiohttp. Upgrade to @. (Open Source) SNYK-PYTHON-AIOHTTP-6091621 https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6091621
Improper Input Validation affecting package aiohttp. Upgrade to @. (Open Source) SNYK-PYTHON-AIOHTTP-6091622 https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6091622
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') affecting package aiohttp. Upgrade to @. (Open Source) SNYK-PYTHON-AIOHTTP-6209406 https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6209406
HTTP Request Smuggling affecting package aiohttp. Upgrade to @. (Open Source) SNYK-PYTHON-AIOHTTP-6209407 https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6209407
Cross-site Scripting (XSS) affecting package aiohttp. Upgrade to @. (Open Source) SNYK-PYTHON-AIOHTTP-6645291 https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6645291
Infinite loop affecting package aiohttp. Upgrade to @. (Open Source) SNYK-PYTHON-AIOHTTP-6808823 https://snyk.io/vuln/SNYK-PYTHON-AIOHTTP-6808823

SNYK-PYTHON-AIOHTTP-6091621: Improper Input Validation affecting aiohttp package

Vulnerability | CVE-2023-49082 | CWE-20 | SNYK-PYTHON-AIOHTTP-6091621 | Fixed in: 3.9.0 | Exploit maturity: MEDIUM

Overview: Affected versions of this package are vulnerable to Improper Input Validation via the ClientSession method. An attacker can modify the HTTP request or create a new HTTP request if they control the HTTP method.

And

NULL Pointer Dereference affecting package numpy. Upgrade to @. (Open Source) SNYK-PYTHON-NUMPY-2321964 https://snyk.io/vuln/SNYK-PYTHON-NUMPY-2321964
Buffer Overflow affecting package numpy. Upgrade to @. (Open Source) SNYK-PYTHON-NUMPY-2321966 https://snyk.io/vuln/SNYK-PYTHON-NUMPY-2321966
Denial of Service (DoS) affecting package numpy. Upgrade to @.*** (Open Source) SNYK-PYTHON-NUMPY-2321970 https://snyk.io/vuln/SNYK-PYTHON-NUMPY-2321970

SNYK-PYTHON-NUMPY-2321964: NULL Pointer Dereference affecting numpy package

Vulnerability | CVE-2021-41495 | CWE-476 | SNYK-PYTHON-NUMPY-2321964 | Fixed in: 1.22.2 | Exploit maturity: LOW

Overview: numpy is a fundamental package needed for scientific computing with Python.

Affected versions of this package are vulnerable to NULL Pointer Dereference due to missing return-value validation in the PyArray_DescrNew function, which may allow attackers to conduct Denial of Service attacks by repetitively creating and sorting arrays.

Note: This may likely only happen if application memory is already exhausted, as it requires the newdescr object of the PyArray_DescrNew to evaluate to NULL.

Remediation: Upgrade numpy to version 1.22.2 or higher.

(Pandas)

[Reply sent by email on 7 May 2024 at 11:17, quoting Andy Geach's comment above; the quoted copy links #317 to https://github.com/ig-python/trading-ig/discussions/317]

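An added example (not code from this PR or from trading-ig) that checks the two version questions raised in the thread: what the Poetry caret constraint `^0.9` from the PR title actually admits, and which packages in an environment still sit below the "Fixed in" versions quoted from the Snyk advisories above. It uses only the standard library. The fixed-in versions for aiohttp (3.9.0) and numpy (1.22.2) come from the advisories as quoted; the page gives no fixed-in version for SNYK-PYTHON-REQUESTSCACHE-1089050, so the example assumes 0.9.0, the floor of the PR's new constraint. The sample environment is constructed for illustration.

```python
"""Version-constraint checks for the advisories discussed in PR #331.

Added example, not part of trading-ig. Handles plain release versions
(MAJOR[.MINOR[.PATCH]]) only; pre-release suffixes are out of scope.
"""
from dataclasses import dataclass


def parse_version(text):
    """Parse 'MAJOR[.MINOR[.PATCH]]' into a 3-tuple of ints; missing parts are 0."""
    parts = [int(p) for p in text.strip().lstrip("v").split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def caret_range(spec):
    """Translate a Poetry caret constraint into (inclusive lower, exclusive upper).

    Poetry semantics: the upper bound bumps the left-most non-zero component
    of the version as written, or the last written component when all are zero.
    So ^1.2.3 -> >=1.2.3,<2.0.0 and ^0.9 -> >=0.9.0,<0.10.0 (1.x is excluded).
    """
    if not spec.startswith("^"):
        raise ValueError(f"not a caret constraint: {spec!r}")
    given = spec[1:].split(".")
    lower = parse_version(spec[1:])
    idx = next((i for i, p in enumerate(lower[:len(given)]) if p != 0), len(given) - 1)
    upper = list(lower[:idx]) + [lower[idx] + 1] + [0] * (2 - idx)
    return lower, tuple(upper)


def satisfies(version, spec):
    """True when `version` lies inside the caret range `spec`."""
    lower, upper = caret_range(spec)
    return lower <= parse_version(version) < upper


@dataclass(frozen=True)
class Advisory:
    package: str
    snyk_id: str
    fixed_in: str  # first version that is no longer affected


ADVISORIES = [
    # "Fixed in" values quoted from the Snyk advisories in this thread
    Advisory("aiohttp", "SNYK-PYTHON-AIOHTTP-6091621", "3.9.0"),
    Advisory("numpy", "SNYK-PYTHON-NUMPY-2321964", "1.22.2"),
    # Assumption: the page states no fixed-in version for this one, so the
    # floor of the PR's new constraint (^0.9) is used as the fix boundary.
    Advisory("requests-cache", "SNYK-PYTHON-REQUESTSCACHE-1089050", "0.9.0"),
]


def vulnerable(installed, advisories=ADVISORIES):
    """installed: {package: version}. Returns [(package, version, snyk_id)]
    for every installed package below an advisory's fixed-in version."""
    hits = []
    for adv in advisories:
        ver = installed.get(adv.package)
        if ver is not None and parse_version(ver) < parse_version(adv.fixed_in):
            hits.append((adv.package, ver, adv.snyk_id))
    return hits


# Constructed sample environment, not a real trading-ig install.
SAMPLE_ENV = {
    "requests-cache": "0.5.2",   # the version named in the PR title
    "aiohttp": "3.8.6",          # below the quoted fix of 3.9.0
    "numpy": "1.22.2",           # exactly the quoted fix, so not flagged
    "pandas": "2.2.2",           # no advisory on this page
}

if __name__ == "__main__":
    for spec in ("^0.9", "^1.2"):
        lo, hi = caret_range(spec)
        print(f"{spec} admits {'.'.join(map(str, lo))} <= v < {'.'.join(map(str, hi))}")
    for v in ("0.5.2", "0.9.8", "1.2.0"):
        print(f"{v} satisfies ^0.9: {satisfies(v, '^0.9')}")
    for pkg, ver, snyk_id in vulnerable(SAMPLE_ENV):
        print(f"{pkg} {ver} is below the fixed-in version for {snyk_id}")
```

Running it shows that `^0.9` does keep 0.5.2 out, but it also keeps 1.2.0 out (the range is 0.9.0 <= v < 0.10.0, because Poetry treats the left-most non-zero component of a 0.x constraint as the breaking-change boundary), so a constraint written with a caret is not equivalent to "anything up to the next major". The advisory check is deliberately simple: it compares installed versions against fixed-in versions, which is the same comparison a scanner like Snyk performs, and it applies equally to transitive dependencies such as aiohttp as long as they appear in the installed set.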

bug-or-feature commented 4 months ago

@wookiesh aiohttp is a transitive dependency on the lightstreamer client, so out of our hands. And the numpy dependency from pandas, which is optional and so up to the end user

bug-or-feature commented 2 months ago

If you want this to be merged, please fix the whitespace changes

wookiesh commented 1 month ago

sorry, done

bug-or-feature commented 1 month ago

There's some kind of build issue with Python 3.10 and pandas: https://github.com/ig-python/trading-ig/actions/runs/10399815604/job/28807850525

I don't have time to look into it currently