[Snyk] unlimited allocation of resources #3396

Closed
1 task
Tracked by #137
jason-upchurch opened this issue Nov 29, 2019 · 4 comments

jason-upchurch commented Nov 29, 2019

Issue may be related: #3422

Summary

A new security vulnerability was found by Snyk. Upgrading pillow will require some wagtail and django[-related] package updates as well, i.e., there are dependency requirements beyond wagtail > pillow.

Allocation of Resources Without Limits or Throttling (new) [Medium Severity]
https://snyk.io/vuln/SNYK-PYTHON-PILLOW-536096 in Pillow@5.4.1
introduced by wagtail@2.2.1 > Pillow@5.4.1

Overview

Pillow is a PIL fork.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. When reading specially crafted invalid image files, the library can either allocate very large amounts of memory or take an extremely long period of time to process the image.

Remediation

Upgrade pillow to version 6.2.0 or higher.

Completion Criteria

  • identify if used in a way that leaves us vulnerable and fix as needed
jason-upchurch added the "Security: moderate (Remediate within 60 days)" label Nov 29, 2019
jason-upchurch added this to the Sprint 11.1 milestone Nov 29, 2019
jason-upchurch added and then removed the Epic label Nov 29, 2019
jason-upchurch (author) commented:

Dependency tree for current fec-cms Python packages:

boto3==1.7.21
  - botocore [required: >=1.10.21,<1.11.0, installed: 1.10.84]
    - docutils [required: >=0.10, installed: 0.15.2]
    - jmespath [required: >=0.7.1,<1.0.0, installed: 0.9.4]
    - python-dateutil [required: >=2.1,<3.0.0, installed: 2.6.0]
      - six [required: >=1.5, installed: 1.13.0]
  - jmespath [required: >=0.7.1,<1.0.0, installed: 0.9.4]
  - s3transfer [required: >=0.1.10,<0.2.0, installed: 0.1.13]
    - botocore [required: >=1.3.0,<2.0.0, installed: 1.10.84]
      - docutils [required: >=0.10, installed: 0.15.2]
      - jmespath [required: >=0.7.1,<1.0.0, installed: 0.9.4]
      - python-dateutil [required: >=2.1,<3.0.0, installed: 2.6.0]
        - six [required: >=1.5, installed: 1.13.0]
CacheControl==0.11.5
  - requests [required: Any, installed: 2.21.0]
    - certifi [required: >=2017.4.17, installed: 2019.11.28]
    - chardet [required: >=3.0.2,<3.1.0, installed: 3.0.4]
    - idna [required: >=2.5,<2.9, installed: 2.8]
    - urllib3 [required: >=1.21.1,<1.25, installed: 1.24.3]
cachetools==1.0.2
cfenv==0.5.2
  - furl [required: >=0.4.8, installed: 2.1.0]
    - orderedmultidict [required: >=1.0.1, installed: 1.0.1]
      - six [required: >=1.8.0, installed: 1.13.0]
    - six [required: >=1.8.0, installed: 1.13.0]
cg-django-uaa==1.3.0
  - django [required: >=1.8,<2.1, installed: 1.11.23]
    - pytz [required: Any, installed: 2019.3]
  - PyJWT [required: >=1.4.2, installed: 1.7.1]
  - requests [required: >=2.11.0, installed: 2.21.0]
    - certifi [required: >=2017.4.17, installed: 2019.11.28]
    - chardet [required: >=3.0.2,<3.1.0, installed: 3.0.4]
    - idna [required: >=2.5,<2.9, installed: 2.8]
    - urllib3 [required: >=1.21.1,<1.25, installed: 1.24.3]
dj-database-url==0.4.2
django-audit-log==0.7.0
django-jinja==2.4.1
  - django [required: >=1.8, installed: 1.11.23]
    - pytz [required: Any, installed: 2019.3]
  - jinja2 [required: >=2.5, installed: 2.10.1]
    - MarkupSafe [required: >=0.23, installed: 1.1.1]
django-libsass==0.7
  - django-compressor [required: >=1.3, installed: 2.3]
    - django-appconf [required: >=1.0, installed: 1.0.3]
      - django [required: Any, installed: 1.11.23]
        - pytz [required: Any, installed: 2019.3]
      - six [required: Any, installed: 1.13.0]
    - rcssmin [required: ==1.0.6, installed: 1.0.6]
    - rjsmin [required: ==1.1.0, installed: 1.1.0]
  - libsass [required: >=0.7.0, installed: 0.19.4]
    - six [required: Any, installed: 1.13.0]
django-storages==1.7.1
  - Django [required: >=1.11, installed: 1.11.23]
    - pytz [required: Any, installed: 2019.3]
Faker==0.8.6
  - python-dateutil [required: >=2.4, installed: 2.6.0]
    - six [required: >=1.5, installed: 1.13.0]
  - six [required: Any, installed: 1.13.0]
  - text-unidecode [required: Any, installed: 1.3]
gevent==1.2.1
  - greenlet [required: >=0.4.10, installed: 0.4.15]
github3.py==0.9.6
  - requests [required: >=2.0, installed: 2.21.0]
    - certifi [required: >=2017.4.17, installed: 2019.11.28]
    - chardet [required: >=3.0.2,<3.1.0, installed: 3.0.4]
    - idna [required: >=2.5,<2.9, installed: 2.8]
    - urllib3 [required: >=1.21.1,<1.25, installed: 1.24.3]
  - uritemplate.py [required: >=0.2.0, installed: 3.0.2]
    - uritemplate [required: >=2.0, installed: 3.0.0]
GitPython==1.0.1
  - gitdb [required: >=0.6.4, installed: 0.6.4]
    - smmap [required: >=0.8.5, installed: 0.9.0]
gunicorn==19.7.1
invoke==0.15.0
lxml==4.2.5
pdbpp==0.9.1
  - fancycompleter [required: >=0.2, installed: 0.8]
  - pygments [required: Any, installed: 2.5.2]
  - wmctrl [required: Any, installed: 0.3]
pipdeptree==0.13.2
  - pip [required: >=6.0.0, installed: 18.1]
psycopg2==2.7.3.2
pytest-cov==2.5.1
  - coverage [required: >=3.7.1, installed: 4.5.1]
  - pytest [required: >=2.6.0, installed: 3.7.4]
    - atomicwrites [required: >=1.0, installed: 1.3.0]
    - attrs [required: >=17.4.0, installed: 19.3.0]
    - more-itertools [required: >=4.0.0, installed: 7.2.0]
    - pluggy [required: >=0.7, installed: 0.13.1]
      - importlib-metadata [required: >=0.12, installed: 0.23]
        - zipp [required: >=0.5, installed: 0.6.0]
          - more-itertools [required: Any, installed: 7.2.0]
    - py [required: >=1.5.0, installed: 1.8.0]
    - setuptools [required: Any, installed: 40.6.2]
    - six [required: >=1.10.0, installed: 1.13.0]
pytest-django==3.4.2
  - pytest [required: >=3.6, installed: 3.7.4]
    - atomicwrites [required: >=1.0, installed: 1.3.0]
    - attrs [required: >=17.4.0, installed: 19.3.0]
    - more-itertools [required: >=4.0.0, installed: 7.2.0]
    - pluggy [required: >=0.7, installed: 0.13.1]
      - importlib-metadata [required: >=0.12, installed: 0.23]
        - zipp [required: >=0.5, installed: 0.6.0]
          - more-itertools [required: Any, installed: 7.2.0]
    - py [required: >=1.5.0, installed: 1.8.0]
    - setuptools [required: Any, installed: 40.6.2]
    - six [required: >=1.10.0, installed: 1.13.0]
requests-mock==1.3.0
  - requests [required: >=1.1, installed: 2.21.0]
    - certifi [required: >=2017.4.17, installed: 2019.11.28]
    - chardet [required: >=3.0.2,<3.1.0, installed: 3.0.4]
    - idna [required: >=2.5,<2.9, installed: 2.8]
    - urllib3 [required: >=1.21.1,<1.25, installed: 1.24.3]
  - six [required: Any, installed: 1.13.0]
slacker==0.8.6
  - requests [required: >=2.2.1, installed: 2.21.0]
    - certifi [required: >=2017.4.17, installed: 2019.11.28]
    - chardet [required: >=3.0.2,<3.1.0, installed: 3.0.4]
    - idna [required: >=2.5,<2.9, installed: 2.8]
    - urllib3 [required: >=1.21.1,<1.25, installed: 1.24.3]
unicode-slugify==0.1.3
  - six [required: Any, installed: 1.13.0]
  - unidecode [required: Any, installed: 1.1.1]
wagtail==2.2.1
  - beautifulsoup4 [required: >=4.5.1,<4.6.1, installed: 4.5.1]
  - Django [required: >=1.11,<2.1, installed: 1.11.23]
    - pytz [required: Any, installed: 2019.3]
  - django-modelcluster [required: >=4.0,<5.0, installed: 4.4]
    - pytz [required: >=2015.2, installed: 2019.3]
  - django-taggit [required: >=0.22.2,<1.0, installed: 0.24.0]
    - Django [required: >=1.11, installed: 1.11.23]
      - pytz [required: Any, installed: 2019.3]
  - django-treebeard [required: >=4.2.0,<5.0, installed: 4.3]
    - Django [required: >=1.8, installed: 1.11.23]
      - pytz [required: Any, installed: 2019.3]
  - djangorestframework [required: >=3.7.4,<4.0, installed: 3.10.3]
  - draftjs-exporter [required: >=2.0,<3.0, installed: 2.1.7]
  - html5lib [required: >=0.999,<2, installed: 1.0.1]
    - six [required: >=1.9, installed: 1.13.0]
    - webencodings [required: Any, installed: 0.5.1]
  - Pillow [required: >=4.0.0,<6.0, installed: 5.4.1]
  - pytz [required: >=2016.6, installed: 2019.3]
  - requests [required: >=2.11.1,<3.0, installed: 2.21.0]
    - certifi [required: >=2017.4.17, installed: 2019.11.28]
    - chardet [required: >=3.0.2,<3.1.0, installed: 3.0.4]
    - idna [required: >=2.5,<2.9, installed: 2.8]
    - urllib3 [required: >=1.21.1,<1.25, installed: 1.24.3]
  - six [required: >=1.11,<2.0, installed: 1.13.0]
  - Unidecode [required: >=0.04.14,<2.0, installed: 1.1.1]
  - Willow [required: >=1.1,<1.2, installed: 1.1]
whitenoise==2.0.3
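
As an added example (not code from the issue or the fec-cms project), the script below parses pipdeptree output like the dump above and reports every parent package whose requirement specifier excludes the remediated version, which makes the `wagtail > Pillow` pin (`>=4.0.0,<6.0`) the visible blocker for Pillow 6.2.0. The embedded sample is a constructed excerpt of the tree above, and the version comparison is a simplified numeric one rather than full PEP 440.

```python
import re
from operator import eq, ge, gt, le, lt, ne

# Constructed excerpt of the pipdeptree dump above (not a live scan of fec-cms).
PIPDEPTREE_SAMPLE = """\
CacheControl==0.11.5
  - requests [required: Any, installed: 2.21.0]
    - urllib3 [required: >=1.21.1,<1.25, installed: 1.24.3]
wagtail==2.2.1
  - Django [required: >=1.11,<2.1, installed: 1.11.23]
  - Pillow [required: >=4.0.0,<6.0, installed: 5.4.1]
  - Unidecode [required: >=0.04.14,<2.0, installed: 1.1.1]
"""

TOP_RE = re.compile(r"^(\S+)==(\S+)$")
DEP_RE = re.compile(r"^(\s*)- (\S+) \[required: (.*?), installed: ([^\]]+)\]$")
OPS = {">=": ge, "<=": le, "==": eq, "!=": ne, ">": gt, "<": lt}

def parse_version(text):
    """Simplified numeric comparison key: '0.04.14' -> (0, 4, 14). Not full PEP 440."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def satisfies(version, spec):
    """True if `version` meets a pipdeptree 'required' string ('Any' or comma-joined clauses)."""
    if spec.strip() == "Any":
        return True
    for clause in spec.split(","):
        m = re.match(r"\s*(>=|<=|==|!=|>|<)\s*(\S+)", clause)
        if not m or not OPS[m.group(1)](parse_version(version), parse_version(m.group(2))):
            return False
    return True

def parse_tree(text):
    """Yield (parent, child, required, installed) edges from pipdeptree text output."""
    stack = []  # (indent, package) for the packages enclosing the current line
    for line in text.splitlines():
        top, m = TOP_RE.match(line), DEP_RE.match(line)
        if top:
            stack = [(-1, top.group(1))]  # a new top-level package resets the path
        elif m:
            indent = len(m.group(1))
            while stack and stack[-1][0] >= indent:
                stack.pop()  # climb back to the enclosing package for this indent
            yield stack[-1][1], m.group(2), m.group(3), m.group(4)
            stack.append((indent, m.group(2)))

def blockers(text, package, fixed_version):
    """Map each parent whose pin on `package` excludes `fixed_version` to that pin."""
    return {parent: req for parent, child, req, _ in parse_tree(text)
            if child.lower() == package.lower() and not satisfies(fixed_version, req)}
```

`blockers(PIPDEPTREE_SAMPLE, "pillow", "6.2.0")` returns `{'wagtail': '>=4.0.0,<6.0'}`, so the same check run against the full dump tells you which parents must be upgraded before the vulnerable package can move.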

patphongs (member) commented:

In order to upgrade pillow to the remediated package version 6.2.0, we need to upgrade the wagtail package to at least v2.6 and Django to at least v2.0 or higher.

patphongs (member) commented:

After consulting with the team, this package does not cause a significant external security vulnerability since only approved and authenticated Wagtail users can upload resources to our system. We plan to patch this package when we upgrade our django and wagtail versions. See issue #3105.

pkfec commented Feb 29, 2020

Pillow pkg is also updated to v6.2.2. Wagtail is updated to LTS v2.7 in PR #3563.
PR #3563 is merged. Closing this issue.
