From c5122655a792576b5f559b501205000a84576c1c Mon Sep 17 00:00:00 2001
From: nisharma
Date: Fri, 20 Jan 2023 19:55:34 +0530
Subject: [PATCH 1/2] Upgraded versions for dependent repo and included gunicorn as http server

- reverted redis version as dependency also needed to be chaged.
- Versions for flask updated to available
- Versions for gitpython updated to >=3.1.20
- Versions for marshmellow updated to >=3.14.1
- Versions for requests updated to >=2.27.1
- contextvars library added
---
 requirements.txt | 30 ++++++++++++++++--------------
 setup.py | 23 +++++++++++------------
 2 files changed, 27 insertions(+), 26 deletions(-)

diff --git a/requirements.txt b/requirements.txt
index 23c01d9..86e09f1 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,18 +1,20 @@
 flasgger==0.9.5
-Flask==1.1.2
+Flask>=2.0.3
 #git2pantheon~=0.1
-Werkzeug==1.0.1
-redis==3.5.3
-setuptools==54.2.0
+redis>=3.5.3
+setuptools==66.0.0
 flask-cors==3.0.10
-
-marshmallow==3.10.0
-Flask-Executor==0.9.4
+marshmallow>=3.14.1
+Flask-Executor==1.0.0
 giturlparse==0.10.0
-PyYAML==5.4.1
-edgegrid-python==1.0.10
-decorest==0.0.6
-requests
-requests-toolbelt==0.9.1
-gitpython==3.1.11
-git+https://github.com/redhataccess/pantheon-uploader.git
+PyYAML==6.0
+edgegrid-python==1.3.1
+decorest==0.1.0
+requests>=2.27.1
+requests-toolbelt==0.10.1
+gitpython>=3.1.20
+gunicorn==20.1.0
+jinja2==3.1.2
+typing-extensions>=4.4.0
+contextvars>=2.3
+git+https://github.com/redhataccess/pantheon-uploader.git
\ No newline at end of file
diff --git a/setup.py b/setup.py
index 2a9f504..88dc662 100644
--- a/setup.py
+++ b/setup.py
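Review bot: The `git+https://github.com/redhataccess/pantheon-uploader.git` entry that closes the hunk is carried over without an `@<tag-or-commit>` reference, so each install fetches whatever the repository's default branch resolves to at that moment — the one dependency in this file that a version bump cannot audit, and the `setup.py` hunk that follows has the same property with `@master`. Pinning to an immutable commit, e.g. `git+https://github.com/redhataccess/pantheon-uploader.git@<COMMIT_SHA>` (placeholder), and recording the chosen SHA in the commit message would make the build reproducible and the dependency auditable. The file now mixes exact pins such as `setuptools==66.0.0` with open floors such as `Flask>=2.0.3` and `redis>=3.5.3`; for a deployment manifest a single style, ideally exact pins produced by resolving the floors once, is easier to check against advisories. The added `contextvars>=2.3` is the PyPI backport of a module that has been in the standard library since Python 3.7, so unless the service still runs on 3.6 it installs an unused package; the same entry is added in the `setup.py` hunk.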
@@ -20,28 +20,27 @@
 'pyxdg>=0.26',
 'PyYAML>=5.3.1',
 'redis>=3.5.3',
- 'requests>=2.22.0',
 'requests-file>=1.4.3',
 'requests-ftp>=0.3.1',
 'simpleline>=1.6',
 'six>=1.14.0',
 'tinycss2>=1.0.2',
- 'Flask>=1.1.2',
+ 'Flask>=2.0.3',
 'urllib3>=1.25.7',
 'webencodings>=0.5.1',
- 'Werkzeug>=1.0.1',
 'xcffib>=0.9.0',
- 'gitpython==3.1.11',
- 'flask-cors>=3.0.9',
+ 'gitpython>=3.1.20',
+ 'flask-cors>=3.0.10',
 'flasgger>=0.9.5',
- 'Flask-Executor>=0.9.4',
+ 'Flask-Executor>=1.0.0',
 'giturlparse>=0.10.0',
- 'marshmallow>=3.9.1',
- 'gunicorn',
- 'edgegrid-python>=1.0.10',
- 'decorest>=0.0.6',
- 'requests',
- 'requests-toolbelt>=0.9.1',
+ 'marshmallow>=3.14.1',
+ 'gunicorn>=20.1.0',
+ 'edgegrid-python>=1.3.1',
+ 'decorest>=0.1.0',
+ 'requests>=2.27.1',
+ 'requests-toolbelt>=0.10.1',
+ 'contextvars>=2.3',
 'pantheon-uploader@ git+https://github.com/redhataccess/pantheon-uploader.git@master#egg=pantheon-uploader-0.2'
 ],
 dependency_links=['https://github.com/redhataccess/pantheon-uploader/tarball/master#egg=pantheon-uploader'],
From ecda4cceb03295554de26fd5d3c041f50adebb2c Mon Sep 17 00:00:00 2001
From: nisharma
Date: Fri, 20 Jan 2023 20:35:32 +0530
Subject: [PATCH 2/2] - resolved another critical vulerability CVE-2022-24439

Detail
All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.
Resolution :: Upgrade GitPython to version 3.1.30 or higher.
https://nvd.nist.gov/vuln/detail/CVE-2022-24439
https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858
---
 requirements.txt | 14 +++++++-------
 setup.py | 5 +++--
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/requirements.txt b/requirements.txt
index 86e09f1..d2393ba 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,20 +1,20 @@
 flasgger==0.9.5
-Flask>=2.0.3
+Flask>=2.2.2
 #git2pantheon~=0.1
-redis>=3.5.3
+redis>=4.4.2
 setuptools==66.0.0
-flask-cors==3.0.10
-marshmallow>=3.14.1
+Flask-Cors==3.0.10
+marshmallow>=3.19.1
 Flask-Executor==1.0.0
 giturlparse==0.10.0
 PyYAML==6.0
 edgegrid-python==1.3.1
 decorest==0.1.0
-requests>=2.27.1
+requests>=2.28.3
 requests-toolbelt==0.10.1
-gitpython>=3.1.20
+gitpython>=3.1.30
 gunicorn==20.1.0
 jinja2==3.1.2
 typing-extensions>=4.4.0
-contextvars>=2.3
+contextvars>=2.4
 git+https://github.com/redhataccess/pantheon-uploader.git
\ No newline at end of file
diff --git a/setup.py b/setup.py
index 88dc662..5da19d3 100644
--- a/setup.py
+++ b/setup.py
@@ -29,8 +29,8 @@
 'urllib3>=1.25.7',
 'webencodings>=0.5.1',
 'xcffib>=0.9.0',
- 'gitpython>=3.1.20',
- 'flask-cors>=3.0.10',
+ 'gitpython>=3.1.30',
+ 'Flask-Cors>=3.0.10',
 'flasgger>=0.9.5',
 'Flask-Executor>=1.0.0',
 'giturlparse>=0.10.0',
@@ -41,6 +41,7 @@
 'requests>=2.27.1',
 'requests-toolbelt>=0.10.1',
 'contextvars>=2.3',
+ 'typing-extensions>=4.4.0',
 'pantheon-uploader@ git+https://github.com/redhataccess/pantheon-uploader.git@master#egg=pantheon-uploader-0.2'
 ],
 dependency_links=['https://github.com/redhataccess/pantheon-uploader/tarball/master#egg=pantheon-uploader'],
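Review bot: `requests>=2.28.3` should be confirmed against the published release list before merging; if no 2.28.3 exists at the time of the change, a floor above the newest release makes `pip install -r requirements.txt` fail to resolve rather than quietly keep an older version, so none of the advisory-driven bumps in this hunk would be installed at all. `gitpython>=3.1.30` does match the CVE-2022-24439 remediation quoted in the commit message, but since this file uses a floor rather than an exact pin, the version actually deployed should be recorded from a resolved lock or `pip freeze` output rather than inferred from this line. The `flask-cors` to `Flask-Cors` rename is cosmetic — pip normalizes distribution names case-insensitively — and could be left out of a security commit to keep the diff to the lines that change the installed set.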
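Review bot: The `@@ -41,6 +41,7 @@` hunk leaves `'requests>=2.27.1'` and `'contextvars>=2.3'` in `install_requires` while this same commit raises requirements.txt to `requests>=2.28.3` and `contextvars>=2.4`, and the `Flask`, `redis` and `marshmallow` floors set in the previous patch (`'Flask>=2.0.3'`, `'redis>=3.5.3'`, `'marshmallow>=3.14.1'`) are not touched either; anyone installing the package from `setup.py` rather than the requirements file gets the older minimums, so the two manifests now state different security baselines. Once the requirements.txt values are verified as published releases, the matching lines here should be `'requests>=2.28.3',` and `'contextvars>=2.4',` with the same treatment for the other three, or one file should be generated from the other so they cannot drift. The `install_requires` list starts before the `@@ -29,8 +29,8 @@` hunk and the enclosing `setup(` call ends after the last hunk, both outside the visible lines.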