Vendor the PickleSerializer #2866

Merged: 2 commits, Mar 8, 2024

Conversation

@hmpf (Contributor) commented Mar 6, 2024

Replaces #2852 and does not depend on #2828

The default has been JSONSerializer since after Django 1.6. /../ PickleSerializer has been deprecated since Django 4.1 and was removed in Django 5.0.

If using signed_cookies as the session engine, serializing with pickle is a security problem. We do not use signed_cookies, so we can continue to use PickleSerializer.

This vendored version makes the serializer incompatible with the signed_cookies engine just in case.

See also #2865
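A serializer of the kind the description refers to, as an added example written for this page (it is not NAV's python/nav/web/session_serializer.py): it keeps the dumps/loads shape of the PickleSerializer Django removed in 5.0 and refuses to be constructed under the signed_cookies engine. The `UnsafeSerializerError` class, the `is_safe_engine` and `configured_session_engine` helpers and the fail-closed handling of an unknown engine are assumptions of this example.

```python
"""Vendored pickle session serializer with a signed_cookies guard (added example).

It keeps the dumps/loads shape of the PickleSerializer Django removed in 5.0 and
refuses the signed_cookies engine: there the session payload lives in the client's
cookie, so loads() would unpickle client-supplied bytes.
"""
import pickle

# Engine whose session payload is stored in the browser cookie (real Django path).
SIGNED_COOKIES_ENGINE = "django.contrib.sessions.backends.signed_cookies"


class UnsafeSerializerError(RuntimeError):
    """Raised when pickle would be applied to client-held session data."""


def configured_session_engine():
    """settings.SESSION_ENGINE when Django is importable and configured, else None."""
    try:
        from django.conf import settings
        return settings.SESSION_ENGINE
    except Exception:  # ImportError, or ImproperlyConfigured without settings
        return None


def is_safe_engine(session_engine):
    """Server-side engines (db, cache, file, ...) are fine; signed_cookies is not."""
    return session_engine is not None and session_engine != SIGNED_COOKIES_ENGINE


class PickleSerializer:
    """Drop-in replacement for the removed django.contrib.sessions PickleSerializer."""

    protocol = pickle.HIGHEST_PROTOCOL

    def __init__(self, session_engine=None):
        # Django instantiates serializers with no arguments, so fall back to the
        # configured engine; the explicit argument exists for tests. An unknown
        # engine (None) is treated as unsafe, i.e. the guard fails closed.
        engine = session_engine or configured_session_engine()
        if not is_safe_engine(engine):
            raise UnsafeSerializerError(
                f"refusing to pickle session data with engine {engine!r}"
            )

    def dumps(self, obj):
        return pickle.dumps(obj, self.protocol)

    def loads(self, data):
        return pickle.loads(data)
```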

@hmpf hmpf self-assigned this Mar 6, 2024

github-actions bot commented Mar 6, 2024

Test results

12 files, 12 suites, 11m 39s
3 320 tests: 3 320 passed, 0 skipped, 0 failed
9 435 runs: 9 435 passed, 0 skipped, 0 failed

Results for commit fc8c564.


@hmpf hmpf force-pushed the vendor-session-serializer branch from cdedd70 to 3d0b008 Compare March 6, 2024 13:04

codecov bot commented Mar 6, 2024

Codecov Report

Attention: Patch coverage is 92.30769%, with 1 line in your changes missing coverage. Please review.

Project coverage is 56.70%. Comparing base (9cfd877) to head (fc8c564).
Report is 8 commits behind head on master.

File                                    Patch %   Lines
python/nav/web/session_serializer.py    91.66%    1 Missing ⚠️
Additional details and impacted files
@@           Coverage Diff           @@
##           master    #2866   +/-   ##
=======================================
  Coverage   56.69%   56.70%           
=======================================
  Files         602      603    +1     
  Lines       43971    43983   +12     
=======================================
+ Hits        24931    24942   +11     
- Misses      19040    19041    +1     


@hmpf hmpf force-pushed the vendor-session-serializer branch from 3d0b008 to 11234fb Compare March 7, 2024 09:00

sonarqubecloud bot commented Mar 7, 2024

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code


@hmpf hmpf force-pushed the vendor-session-serializer branch from 11234fb to 679239a Compare March 7, 2024 09:40
@hmpf hmpf force-pushed the vendor-session-serializer branch from 679239a to 4986ee8 Compare March 7, 2024 11:51
@lunkwill42 (Member) left a comment

Looks great, but the vendored-in module needs a docstring that explains why it's there, i.e. to make NAV's ancient methods keep working on Django 5 and newer...

@hmpf hmpf requested a review from lunkwill42 March 8, 2024 10:12
@lunkwill42 (Member) left a comment

Nice :)

Hopefully we can get rid of the entire thing at some point...

@hmpf hmpf force-pushed the vendor-session-serializer branch from fc8c564 to 2234aa7 Compare March 8, 2024 10:44
@hmpf hmpf merged commit 7187a2d into Uninett:master Mar 8, 2024
@hmpf hmpf deleted the vendor-session-serializer branch March 8, 2024 10:44
@hmpf (Contributor, Author) commented Mar 8, 2024

If we find a good way to erase existing cookies stored with $old_serializer and force a new login, then we can get rid of this file, yes.

3 participants