Merged
26 changes: 20 additions & 6 deletions docker/app/run_tests.sh
Expand Up @@ -34,11 +34,25 @@ else
fi

# Ignore vulnerability found in gdal version 3.6.2
# @TODO Remove this once the base image includes GDAL>=3.8.0
# @TODO Remove these once the base image includes GDAL>=3.8.0
# Vulnerability ID: 62283
# Affected spec: <3.8.0
# ADVISORY: Gdal 3.8.0 backports a security fix for CVE-2023-45853: MiniZip
# in zlib through 1.3 has an integer overflow.
# Affected spec: <3.8.0
# ADVISORY: Gdal 3.8.0 backports a security fix for CVE-2023-45853: MiniZip
# in zlib through 1.3 has an integer overflow.
# Vulnerability ID: 74054
# Affected spec: <3.9.3
# ADVISORY: Affected versions of GDAL's GMLAS driver are vulnerable
# to XML Entity Expansion attacks (Billion Laughs attack). This
# vulnerability can lead to a Denial of Service (DoS) by causing excessive
# resource consumption when parsing specially crafted XML files with
# recursive entity definitions. The attack vector involves feeding malicious
# XML content to the GMLAS driver, exploiting the unlimited entity expansion
# during parsing. The vulnerability exists in the GMLASReader class's XML
# parsing functions that lack restrictions on entity expansion. An attacker
# can exploit this by providing a crafted XML input to any application using
# the vulnerable GMLAS driver, potentially rendering the application
# unresponsive. The issue is mitigated by introducing a limit on entity
# expansions and aborting parsing when the limit is exceeded.

# Ignore vulnerability found in jinja2 version 3.1.4
# We do not allow any untrusted templates, and so are not affected.
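Review bot: the new ignore for vulnerability ID 74054 is missing the one thing the other ignores carry, a project-specific justification; the jinja2 block right below says "We do not allow any untrusted templates, and so are not affected", but the 74054 comment only reproduces the advisory text and never states whether this image uses the GMLAS driver or parses XML from untrusted sources. Please add a one-line rationale in that style. The shared "@TODO Remove these once the base image includes GDAL>=3.8.0" is also now wrong for 74054, whose affected spec is "<3.9.3"; either change it to GDAL>=3.9.3 or give the new entry its own TODO so the 62283 ignore can still be dropped at 3.8.0.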
Expand All @@ -51,9 +65,9 @@ fi
# third parties believe that this vulnerability isn't valid because users
# shouldn't use untrusted templates without sandboxing.
# CVE-2019-8341

echo Package Vulnerabilities:
pip freeze | safety check --stdin --full-report -i 62283 -i 70612
pip freeze | safety check --stdin --full-report -i 62283 -i 70612 -i 74054
SAFETY_RESULT=$?

# Suppress SAFETY_RESULT unless CHECK_SAFETY is set
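Review bot: the ignore list in `pip freeze | safety check --stdin --full-report -i 62283 -i 70612 -i 74054` is drifting away from the comments that justify it: 70612 has no matching explanatory block in the visible context, and each new ID means editing a long one-liner. Consider building the list next to the justifications (for example `SAFETY_IGNORE="-i 62283 -i 70612 -i 74054"` with each ID added directly under its comment) and expanding it in the command, so an ignore cannot be added without a reason sitting beside it.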
2 changes: 1 addition & 1 deletion requirements/base.txt
Expand Up @@ -5,7 +5,7 @@ dagster-pipes==1.6.8
dagster-postgres==0.22.8
dagster-webserver==1.6.8
ddtrace==2.6.2
Django==5.1.1
Django==5.1.4
django-binary-database-files==1.0.18
django-environ==0.11.2
django-extensions==3.2.3
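Review bot: the bump from `Django==5.1.1` to `Django==5.1.4` is not explained anywhere in the diff; since the rest of this change is about tracking security advisories, please record in the commit message or a requirements comment which Django release notes motivated it, so the next reviewer can tell a security fix from a routine refresh. Also confirm that the pinned Django add-ons on the adjacent lines (django-binary-database-files, django-environ, django-extensions) declare support for 5.1.x, since only Django moved.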