Merge pull request #1935 from Scifabric/fix-werkzeug-cve
fix(werkzeug): bump Werkzeug to 0.15.3 to address a CVE.
teleyinex committed Oct 25, 2019
2 parents 2bfd719 + cee56e1 commit 407d76f
Showing 8 changed files with 150 additions and 116 deletions.
27 changes: 18 additions & 9 deletions pybossa/api/api_base.py
Expand Up @@ -104,10 +104,10 @@ class APIBase(MethodView):
def refresh_cache(self, cls_name, oid):
"""Refresh the cache."""
if caching.get(cls_name):
if cls_name != 'Category':
caching.get(cls_name)['refresh'](oid)
else:
caching.get(cls_name)['refresh']
if cls_name != 'Category':
caching.get(cls_name)['refresh'](oid)
else:
caching.get(cls_name)['refresh']

def valid_args(self):
"""Check if the domain object args are valid."""
Expand Down Expand Up @@ -187,15 +187,17 @@ def _add_hateoas_links(self, item):
obj['task_runs'] = []
obj['result'] = None
task_runs = task_repo.filter_task_runs_by(task_id=item.id)
results = result_repo.filter_by(task_id=item.id, last_version=True)
results = result_repo.filter_by(
task_id=item.id, last_version=True)
for tr in task_runs:
obj['task_runs'].append(tr.dictize())
for r in results:
obj['result'] = r.dictize()

if item.__class__.__name__ == 'TaskRun':
tasks = task_repo.filter_tasks_by(id=item.task_id)
results = result_repo.filter_by(task_id=item.task_id, last_version=True)
results = result_repo.filter_by(
task_id=item.task_id, last_version=True)
obj['task'] = None
obj['result'] = None
for t in tasks:
Expand All @@ -215,7 +217,8 @@ def _add_hateoas_links(self, item):
stats = request.args.get('stats')
if stats:
if item.__class__.__name__ == 'Project':
stats = project_stats_repo.filter_by(project_id=item.id, limit=1)
stats = project_stats_repo.filter_by(
project_id=item.id, limit=1)
obj['stats'] = stats[0].dictize() if stats else {}

links, link = self.hateoas.create_links(item)
Expand Down Expand Up @@ -290,7 +293,8 @@ def _set_limit_and_offset(self):
except (ValueError, TypeError):
offset = 0
try:
orderby = request.args.get('orderby') if request.args.get('orderby') else 'id'
orderby = request.args.get(
'orderby') if request.args.get('orderby') else 'id'
except (ValueError, TypeError):
orderby = 'updated'
return limit, offset, orderby
Expand Down Expand Up @@ -322,6 +326,8 @@ def post(self):
return Response(json_response, mimetype='application/json')
except Exception as e:
content_type = request.headers.get('Content-Type')
if content_type is None:
content_type = []
if (cls_name == 'TaskRun'
and 'multipart/form-data' in content_type
and data):
Expand Down Expand Up @@ -488,7 +494,10 @@ def _file_upload(self, data):
only a few classes."""
cls_name = self.__class__.__name__.lower()
content_type = 'multipart/form-data'
if (content_type in request.headers.get('Content-Type') and
request_headers = request.headers.get('Content-Type')
if request_headers is None:
request_headers = []
if (content_type in request_headers and
cls_name in self.allowed_classes_upload):
tmp = dict()
for key in request.form.keys():
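Review bot: The `[]` fallback added on L75-L76 and L86-L87 makes the header value a list when `Content-Type` is absent and a string otherwise, so the following `'multipart/form-data' in content_type` is a substring test on one path and a list-membership test on the other; `content_type = request.headers.get('Content-Type', '')` keeps the type uniform and replaces the three lines with one (in `_file_upload` the variable is also named `request_headers` although it holds a single header value). The substring test is case-sensitive while MIME type tokens are not, so a client sending `Multipart/Form-Data` silently skips the upload branch; if the project is happy to let Werkzeug parse the header, `request.mimetype == 'multipart/form-data'` avoids both issues. Both enclosing methods, `post` and `_file_upload`, begin before and continue past their hunks.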
12 changes: 8 additions & 4 deletions pybossa/api/task_run.py
Expand Up @@ -52,7 +52,8 @@ def check_can_post(self, project_id, task_id, user_ip_or_id):

def _update_object(self, taskrun):
"""Update task_run object with user id or ip."""
self.check_can_post(taskrun.project_id, taskrun.task_id, get_user_id_or_ip())
self.check_can_post(taskrun.project_id,
taskrun.task_id, get_user_id_or_ip())
task = task_repo.get_task(taskrun.task_id)
guard = ContributionsGuard(sentinel.master)

Expand All @@ -72,8 +73,8 @@ def _validate_project_and_task(self, taskrun, task):
if (task.project_id != taskrun.project_id):
raise Forbidden('Invalid project_id')
if taskrun.external_uid:
resp = jwt_authorize_project(task.project,
request.headers.get('Authorization'))
request_headers = request.headers.get('Authorization')
resp = jwt_authorize_project(task.project, request_headers)
if type(resp) == Response:
msg = json.loads(resp.data)['description']
raise Forbidden(msg)
Expand Down Expand Up @@ -102,7 +103,10 @@ def _file_upload(self, data):
only a few classes."""
cls_name = self.__class__.__name__.lower()
content_type = 'multipart/form-data'
if (content_type in request.headers.get('Content-Type') and
request_headers = request.headers.get('Content-Type')
if request_headers is None:
request_headers = []
if (content_type in request_headers and
cls_name in self.allowed_classes_upload):
data = dict()
for key in request.form.keys():
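Review bot: The `request_headers` value built on L110 is passed to `jwt_authorize_project` unchanged when the `Authorization` header is absent, so unlike the sibling `_file_upload` hunk (L120-L122) this path gets no fallback and relies on the helper coping with `None`; whether that yields the `Forbidden` raised on L114 or an exception is not visible here, and a task run carrying `external_uid` with no `Authorization` header is the case worth a regression test. The name `request_headers` also suggests the whole header map rather than one value — `auth_header = request.headers.get('Authorization')` reads truthfully. `_validate_project_and_task` continues outside the hunk, as does `_file_upload`.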
44 changes: 23 additions & 21 deletions setup.py
Expand Up @@ -5,7 +5,8 @@
"beautifulsoup4>=4.3.2, <5.0",
"blinker>=1.3, <2.0",
"Flask-Babel>=0.9, <0.10",
"flask-login", # was pinned to Flask-Login==0.2.3 in the past. GitHub version 3.0+ is used now.
# was pinned to Flask-Login==0.2.3 in the past. GitHub version 3.0+ is used now.
"flask-login",
"Flask-Mail>=0.9.0, <1.0",
"misaka>=1.0.0, <2.0.0",
"Flask-Misaka>=0.2.0, <0.4.0",
Expand Down Expand Up @@ -43,7 +44,8 @@
"unidecode>=0.04.16, <0.05",
"flask-plugins",
"humanize",
"pbr>=1.0, <2.0", # keep an eye on pbr: https://github.com/rackspace/pyrax/issues/561
# keep an eye on pbr: https://github.com/rackspace/pyrax/issues/561
"pbr>=1.0, <2.0",
"feedparser",
"twitter>=1.17.1, <1.18",
"google-api-python-client>=1.5.0, <1.6.0",
Expand All @@ -65,36 +67,36 @@
"wtforms-components>=0.10.3, <0.10.4",
"yacryptopan",
"Faker",
"Werkzeug>=0.14.1, <0.14.2",
"Werkzeug>=0.15.3, <0.15.4",
"keyring>=13.2.1, <13.2.2",
"iiif-prezi>=0.2.9, <1.0.0"
]

setup(
name = 'pybossa',
version = '2.12.0',
packages = find_packages(),
install_requires = requirements,
name='pybossa',
version='2.12.0',
packages=find_packages(),
install_requires=requirements,
# only needed when installing directly from setup.py (PyPi, eggs?) and pointing to e.g. a git repo.
# Keep in mind that dependency_links are not used when installing with requirements.txt
# and need to be added redundant to requirements.txt in this case!
# Example:
# dependency_links = ['git+https://github.com/Hypernode/M2Crypto#egg=M2Crypto-0.22.dev'],
dependency_links = ['git+https://github.com/maxcountryman/flask-login.git@13af160b3fd14dfb5f35f9cdc3863771efe194eb#egg=Flask-Login',
'git+https://github.com/Scifabric/rq-dashboard.git#egg=rq-dashboard',
'git+https://github.com/Scifabric/flatten.git@5d57cc6336df277822305ad70b86adf8c6a1c947#egg=flatten_json',
],
dependency_links=['git+https://github.com/maxcountryman/flask-login.git@13af160b3fd14dfb5f35f9cdc3863771efe194eb#egg=Flask-Login',
'git+https://github.com/Scifabric/rq-dashboard.git#egg=rq-dashboard',
'git+https://github.com/Scifabric/flatten.git@5d57cc6336df277822305ad70b86adf8c6a1c947#egg=flatten_json',
],

# metadata for upload to PyPI
author = 'Scifabric LTD',
author_email = 'info@scifabric.com',
description = 'Open Source CrowdSourcing framework',
long_description = '''PYBOSSA is the ultimate crowdsourcing framework to analyze or enrich data that can't be processed by machines alone.''',
license = 'AGPLv3',
url = 'http://pybossa.com',
download_url = 'https://github.com/Scifabric/pybossa',
include_package_data = True,
classifiers = [
author='Scifabric LTD',
author_email='info@scifabric.com',
description='Open Source CrowdSourcing framework',
long_description='''PYBOSSA is the ultimate crowdsourcing framework to analyze or enrich data that can't be processed by machines alone.''',
license='AGPLv3',
url='http://pybossa.com',
download_url='https://github.com/Scifabric/pybossa',
include_package_data=True,
classifiers=[
'Development Status :: 5 - Production/Stable',
'Environment :: Console',
'Intended Audience :: Developers',
Expand All @@ -103,6 +105,6 @@
'Programming Language :: Python',
'Topic :: Software Development :: Libraries :: Python Modules'
],
entry_points = '''
entry_points='''
'''
)
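Review bot: The pin on L154 narrows Werkzeug to exactly the 0.15.3 release, which also shuts out any later 0.15.x fix, and nothing in the file records why the lower bound exists; a comment next to it, `# >=0.15.3 required for the CVE fix this commit addresses — see changelog`, would tell the next maintainer what they are allowed to relax. On L178 the `rq-dashboard` entry in `dependency_links` carries no commit hash while its neighbours on L177 and L179 do, so an install from `setup.py` resolves to whatever that repository's default branch holds at install time — an unpinned supply-chain input that should be pinned to a commit like the other two. The comment on L168-L170 already notes `dependency_links` only applies when installing from `setup.py`, so the same pinning presumably needs to be mirrored in `requirements.txt`; confirm against that file.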
