
[SNYK MEDIUM] setuptools Regular Expression Denial of Service (due by 10/27/2023) #5523

pkfec opened this issue Aug 2, 2023 · 2 comments
Labels: Security: moderate (Remediate within 60 days)

pkfec commented Aug 2, 2023

Overview

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via a crafted HTML package or custom PackageIndex page.

https://app.snyk.io/org/fecgov/project/7382e6c8-8f69-4afb-b910-ff61101c54fb#issue-SNYK-PYTHON-SETUPTOOLS-3180412

Introduced through

locust@2.14.2 and pre-commit@2.21.0

Fixed in

setuptools@65.5.1

Completion criteria

  • Pin setuptools@65.5.1
  • SNYK TEST no longer flags ReDoS vulnerability

tmpayton commented Sep 27, 2023

I'm re-opening this ticket because we are still getting a Snyk warning.


tmpayton commented Sep 28, 2023

We've already upgraded the package listed (setuptools@65.5.1), and when pulling develop and checking locally it shows no vulnerabilities in requirements-dev.txt.

Steps for testing:

  1. git checkout develop
  2. pyenv virtualenv (new virtual environment)
  3. pyenv activate (new virtual environment)
  4. pip install -r requirements.txt && pip install -r requirements-dev.txt
  5. snyk test --file=requirements-dev.txt --package-manager=pip (see that there are no errors)
  6. pip show setuptools (should show version 68.0.0)
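The completion criteria above (a setuptools pin at or above the fixed version, confirmed in the installed environment) can be checked in code rather than by eye. This is an added example, not part of the issue or of the FEC repository: it parses a requirements file for a `setuptools==` pin, compares it with 65.5.1, and queries the installed version the way step 6 does. The requirements text embedded below is constructed for the example.

```python
"""Check that setuptools is pinned at (or above) the version that fixes the ReDoS."""
import re
from importlib import metadata
from typing import Optional, Tuple

FIXED_VERSION = "65.5.1"  # fix version named in the issue

def parse_version(text: str) -> Tuple[int, ...]:
    """'68.0.0' -> (68, 0, 0); a pre-release suffix such as 'rc1' is dropped."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if match is None:
            break
        parts.append(int(match.group()))
    return tuple(parts)

def find_pin(requirements: str, package: str = "setuptools") -> Optional[str]:
    """Return the '==' pin for `package` in requirements text, or None if absent."""
    pattern = re.compile(rf"^\s*{re.escape(package)}\s*==\s*([0-9][0-9A-Za-z.]*)", re.I)
    for line in requirements.splitlines():
        match = pattern.match(line.split("#", 1)[0])  # drop trailing comments
        if match:
            return match.group(1)
    return None

def pin_is_fixed(requirements: str) -> bool:
    """True only if the file pins setuptools at FIXED_VERSION or newer (not '>=' or unpinned)."""
    pinned = find_pin(requirements)
    return pinned is not None and parse_version(pinned) >= parse_version(FIXED_VERSION)

def installed_is_fixed() -> Optional[bool]:
    """Step 6 above, done in code; None if setuptools is not installed at all."""
    try:
        return parse_version(metadata.version("setuptools")) >= parse_version(FIXED_VERSION)
    except metadata.PackageNotFoundError:
        return None

# Constructed sample of a requirements-dev.txt; not the FEC repository's real file.
SAMPLE_REQUIREMENTS = """\
locust==2.14.2
pre-commit==2.21.0
setuptools==68.0.0  # SNYK-PYTHON-SETUPTOOLS-3180412 fixed in 65.5.1
"""

if __name__ == "__main__":
    print("pin ok:", pin_is_fixed(SAMPLE_REQUIREMENTS), "installed ok:", installed_is_fixed())
```

Point `pin_is_fixed` at the real requirements-dev.txt contents to reproduce the pin check; `installed_is_fixed` reports on whichever virtualenv the script runs in.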
