From 2296d811bbc9bd6d007e72f97e3ae18d56c4b5f9 Mon Sep 17 00:00:00 2001
From: Girum Bizuayehu
Date: Thu, 9 Jan 2025 19:21:09 +0300
Subject: [PATCH] Ignore gdal vulnerability and django upgrades

---
 docker/app/run_tests.sh | 26 ++++++++++++++++++++------
 requirements/base.txt | 2 +-
 2 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/docker/app/run_tests.sh b/docker/app/run_tests.sh
index 9971ae4..21934d8 100755
--- a/docker/app/run_tests.sh
+++ b/docker/app/run_tests.sh
@@ -34,11 +34,25 @@ else
 fi
 
 # Ignore vulnerability found in gdal version 3.6.2
-# @TODO Remove this once the base image includes GDAL>=3.8.0
+# @TODO Remove these once the base image includes GDAL>=3.8.0
 # Vulnerability ID: 62283
-# Affected spec: <3.8.0
-# ADVISORY: Gdal 3.8.0 backports a security fix for CVE-2023-45853: MiniZip
-# in zlib through 1.3 has an integer overflow.
+# Affected spec: <3.8.0
+# ADVISORY: Gdal 3.8.0 backports a security fix for CVE-2023-45853: MiniZip
+# in zlib through 1.3 has an integer overflow.
+# Vulnerability ID: 74054
+# Affected spec: <3.9.3
+# ADVISORY: Affected versions of GDAL's GMLAS driver are vulnerable
+# to XML Entity Expansion attacks (Billion Laughs attack). This
+# vulnerability can lead to a Denial of Service (DoS) by causing excessive
+# resource consumption when parsing specially crafted XML files with
+# recursive entity definitions. The attack vector involves feeding malicious
+# XML content to the GMLAS driver, exploiting the unlimited entity expansion
+# during parsing. The vulnerability exists in the GMLASReader class's XML
+# parsing functions that lack restrictions on entity expansion. An attacker
+# can exploit this by providing a crafted XML input to any application using
+# the vulnerable GMLAS driver, potentially rendering the application
+# unresponsive. The issue is mitigated by introducing a limit on entity
+# expansions and aborting parsing when the limit is exceeded.
 
 # Ignore vulnerability found in jinja2 version 3.1.4
 # We do not allow any untrusted templates, and so are not affected.
@@ -51,9 +65,9 @@ fi
 # third parties believe that this vulnerability isn't valid because users
 # shouldn't use untrusted templates without sandboxing.
 # CVE-2019-8341
-
+ 
 echo Package Vulnerabilities:
-pip freeze | safety check --stdin --full-report -i 62283 -i 70612
+pip freeze | safety check --stdin --full-report -i 62283 -i 70612 -i 74054
 SAFETY_RESULT=$?
 
 # Suppress SAFETY_RESULT unless CHECK_SAFETY is set
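Review bot: The rewritten TODO on the first added line still says the ignores can go once the base image has GDAL>=3.8.0, but the newly ignored ID 74054 lists an affected spec of <3.9.3, so dropping both ignores at 3.8.0 would make the safety check fail again; change it to `# @TODO Remove these once the base image includes GDAL>=3.9.3`. The new block also pastes the advisory text in full but, unlike the jinja2 block that follows it, gives no reason why this code base is not exposed, which is what a future reader needs to decide whether the ignore is still justified. Add a one-line rationale after the affected spec, e.g. `# Not affected: <PLACEHOLDER — state why no untrusted XML/GML reaches the GMLAS driver here>`, and consider trimming the advisory paragraph to its first two sentences since the ID is enough to look up the rest. The `-`/`+` pair for `# Affected spec: <3.8.0` and the two lines after it looks like a whitespace-only change, which is harmless but worth confirming before merge.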
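Review bot: The ignore list on the `safety check` line in the second hunk is now maintained by hand in two places, the command and the comment block above it, and each new ID lengthens a line that already holds the pipeline. Collect the IDs once next to the comments that justify them, `safety_ignore=(-i 62283 -i 70612 -i 74054)`, and pass them as `pip freeze | safety check --stdin --full-report "${safety_ignore[@]}"`, so the justification and the suppression stay adjacent and removing one does not require editing the command. Note that `SAFETY_RESULT=$?` on the next line records only the status of the last pipeline stage, so a failing `pip freeze` is not detected; that is pre-existing, but the hunk is the natural place to address it if desired. The surrounding script continues outside both hunks.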
diff --git a/requirements/base.txt b/requirements/base.txt
index 623c4ea..2088519 100644
--- a/requirements/base.txt
+++ b/requirements/base.txt
@@ -5,7 +5,7 @@ dagster-pipes==1.6.8
 dagster-postgres==0.22.8
 dagster-webserver==1.6.8
 ddtrace==2.6.2
-Django==5.1.1
+Django==5.1.4
 django-binary-database-files==1.0.18
 django-environ==0.11.2
 django-extensions==3.2.3