Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Werkzeug + Flask vulnerabilities fixed with CKAN 2.10 #622

Draft
wants to merge 14 commits into
base: main
Choose a base branch
from
Draft

Werkzeug + Flask vulnerabilities fixed with CKAN 2.10 #622

wants to merge 14 commits into from

Conversation

nickumia-reisys
Copy link
Contributor

@nickumia-reisys
new: werkzeug + flask vulnerabilities fixed with CKAN 2.10
57e68cc 
Beaker still doesn't have an upgrade path, so extend it
@nickumia-reisys nickumia-reisys marked this pull request as draft July 3, 2023 15:45
@nickumia-reisys nickumia-reisys marked this pull request as ready for review July 3, 2023 16:05
@nickumia-reisys
update: flask login
6b9be9d 
maxcountryman/flask-login#732
@nickumia-reisys
update: flask (again)
7335312 
Hoping to fix 'TypeError: send_file() got an unexpected keyword argument 'cache_timeout''
@nickumia-reisys
update: itsdanergous for newer flask dependency
aaae8a6
@nickumia-reisys
update: blinker for newer flask dependency
241a488
@nickumia-reisys
update: Flask-WTF to support newer flask
9b36f26 
 AttributeError: module 'flask.json' has no attribute 'JSONEncoder'
@nickumia-reisys
new: remove flask-multistatic dependency
a0b34e4 
it is a ckan 2.10 dependency, but it's breaking resource loading... it's not on ckan 'master', so let's try without it
@nickumia-reisys
new: custom multistatic repo for werkzeug+flask updates
860f48e
@nickumia-reisys nickumia-reisys mentioned this pull request Jul 5, 2023
Merged
@btylerburton btylerburton temporarily deployed to development July 6, 2023 18:48 — with GitHub Actions Inactive
@btylerburton btylerburton temporarily deployed to development July 6, 2023 18:49 — with GitHub Actions Inactive
@nickumia-reisys
revert: Flask + Werkzeug 2.1.x
12599c2 
I think the problem is with the 2.2.0 release
@nickumia-reisys
Copy link
Contributor Author

nickumia-reisys commented Jul 7, 2023
edited
Loading

I think we can safely say that we've narrowed the problem down to the CKAN middleware (more flask than werkzeug, although it might be a complex dependency). The issue is definitely something that broke with the 2.2.0 release of Flask: https://flask.palletsprojects.com/en/2.3.x/changes/#version-2-2-0

I've tested the following combination pairs:

Werkzeug Flask Success?
2.3.6 2.3.3
2.3.0 2.3.0
2.2.0 2.2.0
2.3.6 2.1.3
2.2.0 2.1.3
2.1.2 2.1.3 ✔️
2.0.3 2.0.3 ✔️

The latest 2.1.x versions work and then the code automatically breaks on the 2.2.0 bump.

@nickumia-reisys
Copy link
Contributor Author

Full upgrade of this depends on the following PR which is merged into main ckan, but has not been released yet.

@nickumia-reisys nickumia-reisys marked this pull request as draft July 7, 2023 20:50
This was referenced Jul 10, 2023
Open
Open
This was referenced Oct 3, 2023
Closed
Draft
@nickumia-reisys
Copy link
Contributor Author

See comment

@FuhuXia FuhuXia mentioned this pull request Jan 5, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@nickumia-reisys @btylerburton @datagov-bot