Version conflict due to `requests` module dependency in several modules.

[random-robbie]

One line summary of the issue here.

Expected behavior

acstis -c -d "https://finnwea.com/" -vp

Actual behavior

root@69eaae37ad9f:/# acstis -c -siv -d "https://finnwea.com/" -vp
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/pkg_resources/__init__.py", line 664, in _build_master
    ws.require(__requires__)
  File "/usr/local/lib/python3.7/site-packages/pkg_resources/__init__.py", line 981, in require
    needed = self.resolve(parse_requirements(requirements))
  File "/usr/local/lib/python3.7/site-packages/pkg_resources/__init__.py", line 872, in resolve
    raise VersionConflict(dist, req).with_context(dependent_req)
pkg_resources.ContextualVersionConflict: (requests 2.18.1 (/usr/local/lib/python3.7/site-packages), Requirement.parse('requests==2.18.4'), {'nyawc'})

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/acstis", line 6, in <module>
    from pkg_resources import load_entry_point
  File "/usr/local/lib/python3.7/site-packages/pkg_resources/__init__.py", line 3142, in <module>
    @_call_aside
  File "/usr/local/lib/python3.7/site-packages/pkg_resources/__init__.py", line 3126, in _call_aside
    f(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/pkg_resources/__init__.py", line 3155, in _initialize_master_working_set
    working_set = WorkingSet._build_master()
  File "/usr/local/lib/python3.7/site-packages/pkg_resources/__init__.py", line 666, in _build_master
    return cls._build_from_requirements(__requires__)
  File "/usr/local/lib/python3.7/site-packages/pkg_resources/__init__.py", line 679, in _build_from_requirements
    dists = ws.resolve(reqs, Environment())
  File "/usr/local/lib/python3.7/site-packages/pkg_resources/__init__.py", line 872, in resolve
    raise VersionConflict(dist, req).with_context(dependent_req)
pkg_resources.ContextualVersionConflict: (requests 2.18.1 (/usr/local/lib/python3.7/site-packages), Requirement.parse('requests==2.18.4'), {'nyawc'})

Steps to reproduce the behavior

python 3.7 on debian stretch.

installed via

pip install git+https://github.com/tijme/angularjs-csti-scanner.git

[random-robbie]

requests 2.18.4 produces this

Installing collected packages: requests
  Found existing installation: requests 2.18.1
    Uninstalling requests-2.18.1:
      Successfully uninstalled requests-2.18.1
Successfully installed requests-2.18.4
root@f9c625bde903:/# scan http://angular-intro-plus.iamdenny.com/example/index.html
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/pkg_resources/__init__.py", line 664, in _build_master
    ws.require(__requires__)
  File "/usr/local/lib/python3.7/site-packages/pkg_resources/__init__.py", line 981, in require
    needed = self.resolve(parse_requirements(requirements))
  File "/usr/local/lib/python3.7/site-packages/pkg_resources/__init__.py", line 872, in resolve
    raise VersionConflict(dist, req).with_context(dependent_req)
pkg_resources.ContextualVersionConflict: (requests 2.18.4 (/usr/local/lib/python3.7/site-packages), Requirement.parse('requests==2.18.1'), {'acstis'})

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/acstis", line 6, in <module>
    from pkg_resources import load_entry_point
  File "/usr/local/lib/python3.7/site-packages/pkg_resources/__init__.py", line 3142, in <module>
    @_call_aside
  File "/usr/local/lib/python3.7/site-packages/pkg_resources/__init__.py", line 3126, in _call_aside
    f(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/pkg_resources/__init__.py", line 3155, in _initialize_master_working_set
    working_set = WorkingSet._build_master()
  File "/usr/local/lib/python3.7/site-packages/pkg_resources/__init__.py", line 666, in _build_master
    return cls._build_from_requirements(__requires__)
  File "/usr/local/lib/python3.7/site-packages/pkg_resources/__init__.py", line 679, in _build_from_requirements
    dists = ws.resolve(reqs, Environment())
  File "/usr/local/lib/python3.7/site-packages/pkg_resources/__init__.py", line 867, in resolve
    raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'requests==2.18.1' distribution was not found and is required by acstis
root@f9c625bde903:/#

not sure how to satisfy both requirements here for both verions

[tijme]

Hmm pretty weird. I actually thought it was possible to have multiple versions of modules installed at the same time (if installed using pip).

Anyway, it should now be fixed in commit 5d8af8cd8e9d767b03e35a7c428d8503cdf11d56 if all the unit-tests pass. Could you confirm if it works for you?

[random-robbie]

git clone -b develop https://github.com/tijme/angularjs-csti-scanner.git

root@0f7c7feafe62:/angularjs-csti-scanner# acstis -c -vp -iic -d "https://support.rockstargames.com"
Segmentation fault (core dumped)

[tijme]

Hmm, pretty weird that you're getting a segmentation fault. Do you have the possibility to post the core dump?

Anyway, I see you're using Python 3.7. ACSTIS is not supporting Python 3.7 (alpha) yet but I'll add it to the unit-tests to see if it works.

Another thing, if you're cloning the GIT repo you need to call acstis.py instead of acstis (unless you did a python setup.py install.

I'll take a look and see if I can reproduce the issue.

[random-robbie]

I can lower the version of python no problems.

i do run the python setup.py install to ensure everything is installed.

I will lower it down to 3.4 to see if that has any affect.

[random-robbie]

Lowering my version to 3.4 and running dev has worked I just need to find a site that has an XSS to test

[tijme]

I just tested it too, seems to work on Python versions lower than 3.7. 👍

[h4ck3rm1k3]

I also got a segfault on pip install with 3.7 for some module

[tijme]

Python 3.7 is not supported yet.