Merge pull request #1922 from Scifabric/fix-cve-2019-7164

Fix CVE-2019-7164 and CVE-2019-7548
Scifabric · Apr 26, 2019 · 99a2485 · 99a2485
2 parents 06acd49 + d325796
commit 99a2485
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 13 deletions.
diff --git a/pybossa/repositories/__init__.py b/pybossa/repositories/__init__.py
@@ -42,8 +42,9 @@
 from pybossa.model.project import Project, TaskRun, Task
 from pybossa.model.announcement import Announcement
 from pybossa.model.project_stats import ProjectStats
+from sqlalchemy import text
 from sqlalchemy.sql import and_, or_
-from sqlalchemy import cast, Text, func, desc
+from sqlalchemy import cast, Text, func, desc, text
 from sqlalchemy.types import TIMESTAMP
 from sqlalchemy.orm.base import _entity_descriptor
 
@@ -178,7 +179,7 @@ def create_context(self, filters, fulltextsearch, model):
             query = query.add_column(headlines[0])
         if len(orders) > 0:
             query = query.add_column(orders[0])
-            query = query.order_by('rank DESC')
+            query = query.order_by(text('rank DESC'))
         return query
 
     def _set_orderby_desc(self, query, model, limit,
@@ -203,9 +204,9 @@ def _set_orderby_desc(self, query, model, limit,
                     query = query.order_by(getattr(model, orderby))
             else:
                 if descending:
-                    query = query.order_by(desc("n_favs"))
+                    query = query.order_by(desc(text("n_favs")))
                 else:
-                    query = query.order_by("n_favs")
+                    query = query.order_by(text("n_favs"))
         if last_id:
             query = query.limit(limit)
         else:

diff --git a/pybossa/sched.py b/pybossa/sched.py
@@ -99,7 +99,7 @@ def get_breadth_first_task(project_id, user_id=None, user_ip=None,
                    .filter(Task.id==Counter.task_id)\
                    .filter(Counter.task_id.in_(tmp))\
                    .group_by(Task.id)\
-                   .order_by('n_task_runs ASC')\
+                   .order_by(text('n_task_runs ASC'))\
 
     query = _set_orderby_desc(query, orderby, desc)
     data = query.limit(limit).offset(offset).all()

diff --git a/setup.py b/setup.py
@@ -25,7 +25,7 @@
     "ndg-httpsclient>=0.4.0, <1.0",     # fix for python below 2.7.9
     "pyasn1>=0.1.7, <1.0",              # fix for python below 2.7.9
     "requests>=2.2.1, <3.0",
-    "SQLAlchemy>=1.1.7, <1.1.8",
+    "SQLAlchemy>=1.3.0, <1.3.1",
     "six>=1.9.0, <2.0.0",
     "nose",
     "rednose",

diff --git a/test/test_auditlog.py b/test/test_auditlog.py
@@ -43,8 +43,8 @@ def test_project_create(self):
                 'short_name': 'new_short_name',
                 'description': 'new_description',
                 'long_description': 'new_long_description',
-                'allow_anonymous_contributors': 'False',
-                'zip_download': 'True'
+                'allow_anonymous_contributors': False,
+                'zip_download': True
                 }
         url = '/api/project?api_key=%s' % (user.api_key)
         self.app.post(url, data=json.dumps(data))
@@ -92,7 +92,7 @@ def test_project_update_attributes(self):
                 'short_name': 'new_short_name',
                 'description': 'new_description',
                 'long_description': 'new_long_description',
-                'allow_anonymous_contributors': 'False',
+                'allow_anonymous_contributors': False,
                 'info': {u'list': [1]}
                 }
         attributes = data.keys()
@@ -111,7 +111,7 @@ def test_project_update_attributes(self):
             assert log.attribute in attributes, (log.attribute, attributes)
             if log.attribute != 'list':
                 msg = "%s != %s" % (data[log.attribute], log.new_value)
-                assert data[log.attribute] == log.new_value, msg
+                assert unicode(data[log.attribute]) == log.new_value, msg
             else:
                 msg = "%s != %s" % (data['info'][log.attribute], log.new_value)
                 assert data['info'][log.attribute] == json.loads(log.new_value), msg
@@ -126,7 +126,7 @@ def test_project_update_attributes_admin(self):
                 'short_name': 'new_short_name',
                 'description': 'new_description',
                 'long_description': 'new_long_description',
-                'allow_anonymous_contributors': 'False',
+                'allow_anonymous_contributors': False,
                 }
         attributes = data.keys()
         url = '/api/project/%s?api_key=%s' % (project.id, admin.api_key)
@@ -142,7 +142,7 @@ def test_project_update_attributes_admin(self):
             assert log.caller == 'api', log.caller
             assert log.attribute in attributes, log.attribute
             msg = "%s != %s" % (data[log.attribute], log.new_value)
-            assert data[log.attribute] == log.new_value, msg
+            assert unicode(data[log.attribute]) == log.new_value, msg
 
     @with_context
     def test_project_update_attributes_non_owner(self):
@@ -154,7 +154,7 @@ def test_project_update_attributes_non_owner(self):
                 'short_name': 'new_short_name',
                 'description': 'new_description',
                 'long_description': 'new_long_description',
-                'allow_anonymous_contributors': 'False',
+                'allow_anonymous_contributors': False,
                 }
         url = '/api/project/%s?api_key=%s' % (project.id, user.api_key)
         self.app.put(url, data=json.dumps(data))