[Med] Snyk: Race Condition (due 5/20/19)

[rjayasekera]

Vulnerable module: webargs
Introduced through: webargs@0.18.0 and flask-apispec@0.7.0

Detailed paths:
Introduced through: project@0.0.0 › webargs@0.18.0
Introduced through: project@0.0.0 › flask-apispec@0.7.0 › webargs@0.18.0

Remediation:
Upgrade webargs to version 5.1.3 or higher.

[jason-upchurch]

Race Condition

Vulnerable module: webargs

• Introduced through: webargs@0.18.0 and flask-apispec@0.7.0

Detailed paths

• Introduced through: project@0.0.0 › webargs@0.18.0
• Introduced through: project@0.0.0 › flask-apispec@0.7.0 › webargs@0.18.0

Overview

webargs is a python library for parsing and validating HTTP request objects, with built-in support for popular web frameworks, including Flask, Django, Bottle, Tornado, Pyramid, webapp2, Falcon, and aiohttp.

Affected versions of this package are vulnerable to Race Condition. Json parsing uses a short-lived cache to store the parsed Json body. This cache is not thread-safe, meaning that incorrect Json payloads could have been parsed for concurrent requests.

Remediation

Upgrade webargs to version 5.1.3 or higher.

[jason-upchurch]

added webargs==5.3.1 to requirements.txt

[jason-upchurch]

Require webargs@5.1.3, pytest breaks at webargs@3.0.0

[edit: correct versions]

[jason-upchurch]

webargs changelog: https://webargs.readthedocs.io/en/latest/changelog.html

[jason-upchurch]

2.x

@parser.error_handler
def handle_error(error):
raise CustomError(error.messages)

3.x

@parser.error_handler
def handle_error(error, req):
raise CustomError(error.messages)

[jason-upchurch]

5.0.0

Backwards-incompatible: webargs.ValidationError is removed. Use marshmallow.ValidationError instead.

[jason-upchurch]

updated args.py to reflect updated webargs@5.3.1 interface specification an update requirements.txt for dependencies. Pushed [WIP]