Fix #460 - missing parse_rule method #463
Conversation
This method was removed from the public API in werkzeug 2.2.0. Copying it into this project because the method is self-contained.
plowman
force-pushed
the
bugfix/missing-parse-rule
branch
from
bdcb842
to
82f7340
Compare
|
Fixing the dparse vuln may be more difficult, as that project was notified of a security vuln on 31 Aug 2021, with no visible follow-up action. |
|
@ptmcg What CVE is it referring to? I'm not aware of any valid CVEs for Flask 2.1. I've given up on the CVE process because it's completely out of my control what random people report to it, and I haven't had success removing invalid ones in the past. |
|
@davidism The CVE was in dparse (a dependency of flask-rest), not flask-rest itself, and the maintainers of that package have posted that there will be a fix in the next few days. But I have no idea how one will address vulns in setuptools (a more recent version exists, 63.3.0, so maybe it is fixed with an update) or pip (latest version is 22.2.1, so... ?). |
|
You and the OP refer to a Flask vulnerability here. And I'd be very surprised if setuptools or pip are relevant. That pasted report isn't really helpful, it doesn't list what any of the vulnerabilities are, but the pip one says "improper input validation" which I struggle to see as an issue affecting the use of this library. |
I was referring to the I know nothing beyond that, except that whatever it is, I suggested that they should re-run the check in the face of an updated Flask version. If |
|
@ptmcg wrote:
Okay, I ran again and it's still failing. I figured out how to print out all of the My honest takeaway here is that the ossaudit check should be removed from the project. The one vulnerability that I can actually locate, CVE-2018-20225, doesn't even appear to be a real vulnerability. So while it's good to periodically check for security vulnerabilities, |
|
@plowman can you add them to the list here? like: https://github.com/python-restx/flask-restx/blob/master/setup.cfg#L15 |
|
Dear Ben, we are using The interim workarounds provided in this discussion and at #460 were really helpful in the meanwhile. Thanks, @j4asper, thanks all. With kind regards, |
|
Another issue is that ossaudit is not maintained. And the setup.cfg file passed to option I propose to edit the ossaudit test to:
|
|
Quick update on this PR, I'm still unable to merge until I get the go-ahead from someone with write access: Sorry to ping you @j5awry but would appreciate any tips on which maintainer I can talk to in order to get this merged. To catch you up, here are the current repro steps for this bug: pip install flask-restx
python -c "import flask_restx"
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/opt/homebrew/lib/python3.9/site-packages/flask_restx/__init__.py", line 5, in <module>
from .api import Api # noqa
File "/opt/homebrew/lib/python3.9/site-packages/flask_restx/api.py", line 50, in <module>
from .swagger import Swagger
File "/opt/homebrew/lib/python3.9/site-packages/flask_restx/swagger.py", line 18, in <module>
from werkzeug.routing import parse_rule
ImportError: cannot import name 'parse_rule' from 'werkzeug.routing' (/opt/homebrew/lib/python3.9/site-packages/werkzeug/routing/__init__.py) |
|
Hi folks, I am also waiting for a patch: It seems like flask_restx.swagger.py makes issues as werkzeug.routing.rules.py has changed. It doesn't support parse_rule function anymore. Instead there is a new private _parse_rule function inside the Rule Class. |
What's this all about?
This is an attempt to fix issue #460, where werkzeug used to expose a function
werkzeug.routing.parse_rulebut made it private as of werkzeug==2.2.0.The method was extracted from this change which seems to be when it was fully removed from werkzeug.
Copying it into this project because the method is self-contained. One alternative would be to pin the werkzeug version, which isn't a terrible idea, but also means this project would miss out on future werkzeug improvements. 🤷 Neither option is great but copy-paste is simple so that's what I did.
What's next before this can merge?
ossauditcheck is failing, which prevents the other checks from running. It is not clear to me how to fix the failing tests. For example, it seems to be complaining that there is vulnerability in the latest version of flask. Which is good to know but unfixable: