diff --git a/audits/athenacli-requirements.audit.json b/audits/athenacli-requirements.audit.json
index 3a40614a..2a7eba69 100644
--- a/audits/athenacli-requirements.audit.json
+++ b/audits/athenacli-requirements.audit.json
@@ -10,7 +10,7 @@
 ],
 "vulnerabilities": [
 {
- "modified": "2024-03-28T13:31:02Z",
+ "modified": "2024-10-24T22:27:47Z",
 "published": "2023-07-19T15:30:26Z",
 "schema_version": "1.6.0",
 "id": "GHSA-mrwq-x4v8-fh7p",
@@ -100,13 +100,6 @@
 ],
 "database_specific": {
 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-mrwq-x4v8-fh7p/GHSA-mrwq-x4v8-fh7p.json"
- },
- "ecosystem_specific": {
- "affected_functions": [
- "pygments.lexers.templates.SqlJinjaLexer.analyse_text",
- "pygments.lexers.smithy.SmithyLexer",
- "pygments.lexers.configs.PropertiesLexer"
- ]
 }
 }
 ],
@@ -114,6 +107,10 @@
 {
 "type": "CVSS_V3",
 "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
 }
 ],
 "references": [
@@ -293,7 +290,7 @@
 "GHSA-mrwq-x4v8-fh7p",
 "PYSEC-2023-117"
 ],
- "max_severity": "5.5"
+ "max_severity": "6.8"
 }
 ]
 },
diff --git a/audits/dolphie-requirements.audit.json b/audits/dolphie-requirements.audit.json
new file mode 100644
index 00000000..4a57d3ce
--- /dev/null
+++ b/audits/dolphie-requirements.audit.json
@@ -0,0 +1,142 @@ +[ + { + "package": { + "name": "sqlparse", + "version": "0.4.4", + "ecosystem": "PyPI" + }, + "dependency_groups": [ + "dolphie-requirements" + ], + "vulnerabilities": [ + { + "modified": "2024-05-01T11:15:56Z", + "published": "2024-04-15T20:21:25Z", + "schema_version": "1.6.0", + "id": "GHSA-2m57-hf25-phgg", + "aliases": [ + "CVE-2024-4340" + ], + "related": [ + "CGA-p7rq-qffc-ch9v", + "CGA-v3hx-x533-rpgf" + ], + "summary": "sqlparse parsing heavily nested list leads to Denial of Service", + "details": "### Summary\nPassing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.\n\n### Details + PoC\nRunning the following code will raise Maximum recursion limit exceeded exception:\n```py\nimport sqlparse\nsqlparse.parse('[' * 10000 + ']' * 10000)\n```\nWe expect a traceback of RecursionError:\n```py\nTraceback (most recent call last):\n File \"trigger_sqlparse_nested_list.py\", line 3, in \n sqlparse.parse('[' * 10000 + ']' * 10000)\n File \"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/__init__.py\", line 30, in parse\n return tuple(parsestream(sql, encoding))\n File \"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/engine/filter_stack.py\", line 36, in run\n stmt = grouping.group(stmt)\n File \"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/engine/grouping.py\", line 428, in group\n func(stmt)\n File \"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/engine/grouping.py\", line 53, in group_brackets\n _group_matching(tlist, sql.SquareBrackets)\n File \"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/engine/grouping.py\", line 48, in _group_matching\n tlist.group_tokens(cls, open_idx, close_idx)\n File \"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/sql.py\", line 328, in group_tokens\n grp = grp_cls(subtokens)\n File \"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/sql.py\", line 161, in __init__\n super().__init__(None, str(self))\n File 
\"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/sql.py\", line 165, in __str__\n return ''.join(token.value for token in self.flatten())\n File \"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/sql.py\", line 165, in \n return ''.join(token.value for token in self.flatten())\n File \"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/sql.py\", line 214, in flatten\n yield from token.flatten()\n File \"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/sql.py\", line 214, in flatten\n yield from token.flatten()\n File \"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/sql.py\", line 214, in flatten\n yield from token.flatten()\n [Previous line repeated 983 more times]\nRecursionError: maximum recursion depth exceeded\n```\n\n### Fix suggestion\nThe [flatten()](https://github.com/andialbrecht/sqlparse/blob/master/sqlparse/sql.py#L207) function of TokenList class should limit the recursion to a maximal depth:\n```py\nfrom sqlparse.exceptions import SQLParseError\n\nMAX_DEPTH = 100\n\n def flatten(self, depth=1):\n \"\"\"Generator yielding ungrouped tokens.\n\n This method is recursively called for all child tokens.\n \"\"\"\n if depth >= MAX_DEPTH:\n raise SQLParseError('Maximal depth reached')\n for token in self.tokens:\n if token.is_group:\n yield from token.flatten(depth + 1)\n else:\n yield token\n```\n\n### Impact\nDenial of Service (the impact depends on the use).\nAnyone parsing a user input with sqlparse.parse() is affected.\n", + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "sqlparse", + "purl": "pkg:pypi/sqlparse" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.5.0" + } + ] + } + ], + "versions": [ + "0.1.0", + "0.1.1", + "0.1.10", + "0.1.11", + "0.1.12", + "0.1.13", + "0.1.14", + "0.1.15", + "0.1.16", + "0.1.17", + "0.1.18", + "0.1.19", + "0.1.2", + "0.1.3", + "0.1.4", + "0.1.5", + "0.1.6", + "0.1.7", + "0.1.8", + "0.1.9", + "0.2.0", + 
"0.2.1", + "0.2.2", + "0.2.3", + "0.2.4", + "0.3.0", + "0.3.1", + "0.4.0", + "0.4.1", + "0.4.2", + "0.4.3", + "0.4.4" + ], + "database_specific": { + "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-2m57-hf25-phgg/GHSA-2m57-hf25-phgg.json" + }, + "ecosystem_specific": { + "affected_functions": [ + "sqlparse.parse" + ] + } + } + ], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-2m57-hf25-phgg" + }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4340" + }, + { + "type": "WEB", + "url": "https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03" + }, + { + "type": "PACKAGE", + "url": "https://github.com/andialbrecht/sqlparse" + }, + { + "type": "WEB", + "url": "https://research.jfrog.com/vulnerabilities/sqlparse-stack-exhaustion-dos-jfsa-2024-001031292" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-674" + ], + "github_reviewed": true, + "github_reviewed_at": "2024-04-15T20:21:25Z", + "nvd_published_at": null, + "severity": "HIGH" + } + } + ], + "groups": [ + { + "ids": [ + "GHSA-2m57-hf25-phgg" + ], + "aliases": [ + "CVE-2024-4340", + "GHSA-2m57-hf25-phgg" + ], + "max_severity": "7.5" + } + ] + } +] \ No newline at end of file diff --git a/requirements/aider-requirements.txt b/requirements/aider-requirements.txt index 5b5cf70a..5adeb57e 100644 --- a/requirements/aider-requirements.txt +++ b/requirements/aider-requirements.txt @@ -9,6 +9,7 @@ beautifulsoup4==4.12.3 charset-normalizer==3.3.2 click==8.1.7 configargparse==1.7 +cython==3.0.11 diff-match-patch==20230430 diskcache==5.6.3 distro==1.9.0 @@ -61,6 +62,7 @@ regex==2024.9.11 requests==2.32.3 rich==13.8.1 rpds-py==0.20.0 +setuptools==75.1.0 smmap==5.0.1 sniffio==1.3.1 sounddevice==0.5.0 
diff --git a/requirements/dolphie-requirements.txt b/requirements/dolphie-requirements.txt
index 86756241..050f685c 100644
--- a/requirements/dolphie-requirements.txt
+++ b/requirements/dolphie-requirements.txt
@@ -7,17 +7,17 @@ markdown-it-py==3.0.0
 mdit-py-plugins==0.4.2
 mdurl==0.1.2
 myloginpath==0.0.4
-orjson==3.10.7
+orjson==3.10.10
 packaging==24.1
 platformdirs==4.3.6
 plotext==5.3.2
 pygments==2.18.0
 pymysql==1.1.1
 requests==2.32.3
-rich==13.9.2
-setuptools==75.1.0
-sqlparse==0.5.1
-textual==0.83.0
+rich==13.9.3
+setuptools==75.2.0
+sqlparse==0.4.4
+textual==0.84.0
 textual-autocomplete==3.0.0a12
 tree-sitter==0.23.1
 typing-extensions==4.12.2
diff --git a/requirements/graph-tool-requirements.txt b/requirements/graph-tool-requirements.txt
index ce28d65f..b6143dfb 100644
--- a/requirements/graph-tool-requirements.txt
+++ b/requirements/graph-tool-requirements.txt
@@ -1,11 +1,11 @@
-contourpy==1.2.1
+contourpy==1.3.0
 cycler==0.12.1
-fonttools==4.53.1
-kiwisolver==1.4.5
-matplotlib==3.9.1.post1
+fonttools==4.54.1
+kiwisolver==1.4.7
+matplotlib==3.9.2
 packaging==24.1
-pyparsing==3.1.2
+pyparsing==3.2.0
 python-dateutil==2.9.0.post0
-setuptools==72.1.0
+setuptools==75.2.0
 six==1.16.0
 zstandard==0.23.0
diff --git a/requirements/parsedmarc-requirements.txt b/requirements/parsedmarc-requirements.txt
index ee056d97..ce2e7f97 100644
--- a/requirements/parsedmarc-requirements.txt
+++ b/requirements/parsedmarc-requirements.txt
@@ -5,8 +5,8 @@ attrs==24.2.0
 azure-core==1.31.0
 azure-identity==1.19.0
 azure-monitor-ingestion==1.0.4
-boto3==1.35.39
-botocore==1.35.39
+boto3==1.35.48
+botocore==1.35.48
 cachetools==5.5.0
 charset-normalizer==3.4.0
 dateparser==1.2.0
@@ -15,7 +15,7 @@ elasticsearch==7.13.4
 elasticsearch-dsl==7.4.0
 events==any.whl
 expiringdict==1.2.2
-frozenlist==1.4.1
+frozenlist==1.5.0
 geoip2==4.8.0
 google-api-core==2.21.0
 google-api-python-client==2.149.0
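Review bot: The dolphie hunk moves `sqlparse==0.5.1` down to `sqlparse==0.4.4`, which reintroduces the recursion-depth denial of service that the new audits/dolphie-requirements.audit.json in this same commit records for that exact version (GHSA-2m57-hf25-phgg / CVE-2024-4340, fixed range starting at 0.5.0, max_severity 7.5). Every other pin in the commit is a forward bump, so this looks like a resolver side effect rather than a deliberate choice; unless a dolphie release constraint forces sqlparse below 0.5, keep `sqlparse==0.5.1` (or any release at or above 0.5.0) and the new audit entry no longer applies. If the downgrade is genuinely required, put a comment above the pin naming the upstream constraint and the accepted advisory, for example `# sqlparse<0.5 required by dolphie <dolphie version> — accepts GHSA-2m57-hf25-phgg (CVE-2024-4340)`, so the next audit run is read as a known, accepted finding rather than a regression.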
@@ -32,7 +32,7 @@ jmespath==1.0.1
 kafka-python-ng==2.2.3
 lxml==5.3.0
 mail-parser==3.15.0
-mailsuite==1.9.17
+mailsuite==1.9.18
 maxminddb==2.6.2
 msal==1.31.0
 msal-extensions==1.2.0
@@ -42,15 +42,15 @@ oauthlib==3.2.2
 opensearch-py==2.7.1
 portalocker==2.10.1
 propcache==0.2.0
-proto-plus==1.24.0
-protobuf==5.28.2
+proto-plus==1.25.0
+protobuf==5.28.3
 publicsuffix2==2.20191221
-publicsuffixlist==1.0.2.20241010
+publicsuffixlist==1.0.2.20241023
 pyasn1==0.6.1
 pyasn1-modules==0.4.1
 pygelf==0.4.2
 pyjwt==2.9.0
-pyparsing==3.1.4
+pyparsing==3.2.0
 python-dateutil==2.9.0.post0
 pytz==2024.2
 regex==2024.9.11
@@ -58,7 +58,7 @@ requests==2.32.3
 requests-oauthlib==2.0.0
 rsa==4.9
 s3transfer==0.10.3
-setuptools==75.1.0
+setuptools==75.2.0
 simplejson==3.19.3
 six==1.16.0
 tqdm==4.66.5
@@ -66,5 +66,5 @@ typing-extensions==4.12.2
 tzlocal==5.2
 uritemplate==4.1.1
 urllib3==1.26.20
-xmltodict==0.14.1
-yarl==1.15.1
+xmltodict==0.14.2
+yarl==1.16.0