(unused) vendored requests is vulnerable to CVE-2018-18074 #1608

Open
asottile opened this Issue Nov 16, 2018 · 7 comments

asottile commented Nov 16, 2018

Assuming this history is correct, it is currently vendored at 2.7.0

Versions prior to 2.20.0 are vulnerable to this

See CVE-2018-18074

This vendored copy is not used by botocore itself any more, though some downstream libraries (such as pynamodb) are reaching into botocore's vendor directory and using it

joguSD (Contributor) commented Nov 19, 2018

Thanks for opening this issue. As you mention, we no longer use this vendored version of requests directly in the SDK and have kept it in the code base for backwards compatibility. Customers using the latest version of the SDKs are unaffected.

We're currently investigating options to protect customers that might be using the vendored version of requests.

ztou commented Nov 27, 2018

@joguSD: not sure what "no longer use" means. If I search like this: https://github.com/boto/botocore/search?l=Python&p=2&q=vendored, we can see there is lots of code that still references this vendored requests, and we can't simply remove that folder manually, even in the latest code base.

sample error:

  File "/venv/lib/python2.7/site-packages/botocore/exceptions.py", line 15, in <module>
    from botocore.vendored import requests
ImportError: cannot import name requests

asottile (Author) commented Nov 27, 2018

@ztou the only use is exception base classes (which can pretty easily be switched) -- the actual requesting parts of requests (where the CVE lives) are unused

tmclaugh commented Jan 7, 2019

There's a bit of common wisdom out there to use from botocore.vendored import requests in your own application code. For AWS Lambda, it's one less dependency to package.

EDIT: Just seeing now that you announced deprecation in April 2018.

asottile (Author) commented Jan 7, 2019

Same number of deps, just one is sneaky ;) I'd be hard pressed to call it "wisdom" -- seems foolish to import from another module's compat / vendor modules and expect a stable API

joguSD (Contributor) commented Jan 7, 2019

Just as an update, we've added deprecation warnings to real usage of the vendored requests package in this PR. In the long term, we're hoping to be able to remove the package entirely (or as much of it as possible).

@tmclaugh That usage pattern will almost certainly run into issues and we strongly recommend that people not use our vendored version of requests.

asottile (Author) commented Jan 10, 2019

Would it make sense to warnings.warn(FutureWarning, ...) in botocore/vendored/__init__.py?
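The thread's practical concern is downstream code that imports `botocore.vendored.requests` and thereby picks up the vulnerable 2.7.0 copy. Below is an added example (not code from botocore or from any commenter) of a small static scanner for that import pattern; it separates imports that touch only the exception classes (which, per the thread, is all botocore itself still needs) from imports of the request-sending API, where the CVE lives. The sample source it scans is constructed for the example.

```python
import ast
import textwrap

# Dotted path of the vendored copy discussed in the issue.
VENDORED = ("botocore", "vendored", "requests")


def _classify(subpath, names):
    """subpath: module parts below botocore.vendored.requests; names: imported names.
    Exception classes are the only part botocore itself uses; anything else is the
    request-sending code that downstream callers should migrate away from."""
    if subpath[:1] == ("exceptions",) or (not subpath and names and set(names) <= {"exceptions"}):
        return "exceptions-only"
    return "requesting-api"


def find_vendored_requests_imports(source, filename="<string>"):
    """Return [(lineno, kind)] for every absolute import reaching into the vendored requests."""
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.ImportFrom) and node.level == 0:
            mod = tuple(node.module.split("."))
            names = [alias.name for alias in node.names]
            if mod == VENDORED[:2] and "requests" in names:
                # "from botocore.vendored import requests" pulls in the whole module
                hits.append((node.lineno, "requesting-api"))
            elif mod[:3] == VENDORED:
                hits.append((node.lineno, _classify(mod[3:], names)))
        elif isinstance(node, ast.Import):
            for alias in node.names:
                parts = tuple(alias.name.split("."))
                if parts[:3] == VENDORED:
                    hits.append((node.lineno, _classify(parts[3:], [])))
    return sorted(hits)


# Constructed sample of downstream application code, mixing the patterns seen in the thread.
SAMPLE = textwrap.dedent("""\
    import os
    from botocore.vendored import requests
    from botocore.vendored.requests.exceptions import ConnectionError
    import botocore.vendored.requests.adapters as adapters
    from botocore.exceptions import ClientError
    import requests
""")

if __name__ == "__main__":
    for lineno, kind in find_vendored_requests_imports(SAMPLE, "sample.py"):
        print(f"sample.py:{lineno}: imports botocore.vendored.requests ({kind})")
```

Run it over a real tree by feeding each `.py` file's contents to `find_vendored_requests_imports`; "requesting-api" hits are the ones that actually exercise the CVE-2018-18074 code path.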
