From 6c259e8f7fafd6f43b5fe4f20fee5e7f12345aff Mon Sep 17 00:00:00 2001
From: "github.actions"
Date: Mon, 13 Jan 2025 08:06:27 +0000
Subject: [PATCH] Latest data: Mon Jan 13 08:06:27 UTC 2025

---
 audits/dolphie-requirements.audit.json | 142 ------------------
 requirements/bandit-requirements.txt | 2 +-
 requirements/dolphie-requirements.txt | 16 +-
 .../jenkins-job-builder-requirements.txt | 4 +-
 requirements/poetry-requirements.txt | 8 +-
 requirements/schemathesis-requirements.txt | 6 +-
 requirements/urh-requirements.txt | 5 +-
 requirements/yt-dlp-requirements.txt | 2 +-
 8 files changed, 22 insertions(+), 163 deletions(-)
 delete mode 100644 audits/dolphie-requirements.audit.json

diff --git a/audits/dolphie-requirements.audit.json b/audits/dolphie-requirements.audit.json
deleted file mode 100644
index 4a57d3ce..00000000
--- a/audits/dolphie-requirements.audit.json
+++ /dev/null
@@ -1,142 +0,0 @@ -[ - { - "package": { - "name": "sqlparse", - "version": "0.4.4", - "ecosystem": "PyPI" - }, - "dependency_groups": [ - "dolphie-requirements" - ], - "vulnerabilities": [ - { - "modified": "2024-05-01T11:15:56Z", - "published": "2024-04-15T20:21:25Z", - "schema_version": "1.6.0", - "id": "GHSA-2m57-hf25-phgg", - "aliases": [ - "CVE-2024-4340" - ], - "related": [ - "CGA-p7rq-qffc-ch9v", - "CGA-v3hx-x533-rpgf" - ], - "summary": "sqlparse parsing heavily nested list leads to Denial of Service", - "details": "### Summary\nPassing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.\n\n### Details + PoC\nRunning the following code will raise Maximum recursion limit exceeded exception:\n```py\nimport sqlparse\nsqlparse.parse('[' * 10000 + ']' * 10000)\n```\nWe expect a traceback of RecursionError:\n```py\nTraceback (most recent call last):\n File \"trigger_sqlparse_nested_list.py\", line 3, in \n sqlparse.parse('[' * 10000 + ']' * 10000)\n File \"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/__init__.py\", line 30, in parse\n return tuple(parsestream(sql, encoding))\n File \"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/engine/filter_stack.py\", line 36, in run\n stmt = grouping.group(stmt)\n File \"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/engine/grouping.py\", line 428, in group\n func(stmt)\n File \"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/engine/grouping.py\", line 53, in group_brackets\n _group_matching(tlist, sql.SquareBrackets)\n File \"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/engine/grouping.py\", line 48, in _group_matching\n tlist.group_tokens(cls, open_idx, close_idx)\n File \"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/sql.py\", line 328, in group_tokens\n grp = grp_cls(subtokens)\n File \"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/sql.py\", line 161, in __init__\n super().__init__(None, str(self))\n File 
\"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/sql.py\", line 165, in __str__\n return ''.join(token.value for token in self.flatten())\n File \"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/sql.py\", line 165, in \n return ''.join(token.value for token in self.flatten())\n File \"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/sql.py\", line 214, in flatten\n yield from token.flatten()\n File \"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/sql.py\", line 214, in flatten\n yield from token.flatten()\n File \"/home/uriya/.local/lib/python3.10/site-packages/sqlparse/sql.py\", line 214, in flatten\n yield from token.flatten()\n [Previous line repeated 983 more times]\nRecursionError: maximum recursion depth exceeded\n```\n\n### Fix suggestion\nThe [flatten()](https://github.com/andialbrecht/sqlparse/blob/master/sqlparse/sql.py#L207) function of TokenList class should limit the recursion to a maximal depth:\n```py\nfrom sqlparse.exceptions import SQLParseError\n\nMAX_DEPTH = 100\n\n def flatten(self, depth=1):\n \"\"\"Generator yielding ungrouped tokens.\n\n This method is recursively called for all child tokens.\n \"\"\"\n if depth >= MAX_DEPTH:\n raise SQLParseError('Maximal depth reached')\n for token in self.tokens:\n if token.is_group:\n yield from token.flatten(depth + 1)\n else:\n yield token\n```\n\n### Impact\nDenial of Service (the impact depends on the use).\nAnyone parsing a user input with sqlparse.parse() is affected.\n", - "affected": [ - { - "package": { - "ecosystem": "PyPI", - "name": "sqlparse", - "purl": "pkg:pypi/sqlparse" - }, - "ranges": [ - { - "type": "ECOSYSTEM", - "events": [ - { - "introduced": "0" - }, - { - "fixed": "0.5.0" - } - ] - } - ], - "versions": [ - "0.1.0", - "0.1.1", - "0.1.10", - "0.1.11", - "0.1.12", - "0.1.13", - "0.1.14", - "0.1.15", - "0.1.16", - "0.1.17", - "0.1.18", - "0.1.19", - "0.1.2", - "0.1.3", - "0.1.4", - "0.1.5", - "0.1.6", - "0.1.7", - "0.1.8", - "0.1.9", - "0.2.0", - 
"0.2.1", - "0.2.2", - "0.2.3", - "0.2.4", - "0.3.0", - "0.3.1", - "0.4.0", - "0.4.1", - "0.4.2", - "0.4.3", - "0.4.4" - ], - "database_specific": { - "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-2m57-hf25-phgg/GHSA-2m57-hf25-phgg.json" - }, - "ecosystem_specific": { - "affected_functions": [ - "sqlparse.parse" - ] - } - } - ], - "severity": [ - { - "type": "CVSS_V3", - "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" - } - ], - "references": [ - { - "type": "WEB", - "url": "https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-2m57-hf25-phgg" - }, - { - "type": "ADVISORY", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4340" - }, - { - "type": "WEB", - "url": "https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03" - }, - { - "type": "PACKAGE", - "url": "https://github.com/andialbrecht/sqlparse" - }, - { - "type": "WEB", - "url": "https://research.jfrog.com/vulnerabilities/sqlparse-stack-exhaustion-dos-jfsa-2024-001031292" - } - ], - "database_specific": { - "cwe_ids": [ - "CWE-674" - ], - "github_reviewed": true, - "github_reviewed_at": "2024-04-15T20:21:25Z", - "nvd_published_at": null, - "severity": "HIGH" - } - } - ], - "groups": [ - { - "ids": [ - "GHSA-2m57-hf25-phgg" - ], - "aliases": [ - "CVE-2024-4340", - "GHSA-2m57-hf25-phgg" - ], - "max_severity": "7.5" - } - ] - } -] \ No newline at end of file
diff --git a/requirements/bandit-requirements.txt b/requirements/bandit-requirements.txt
index ccbd811c..577104dd 100644
--- a/requirements/bandit-requirements.txt
+++ b/requirements/bandit-requirements.txt
@@ -1,7 +1,7 @@
 markdown-it-py==3.0.0
 mdurl==0.1.2
 pbr==6.1.0
-pygments==2.18.0
+pygments==2.19.1
 pyyaml==6.0.2
 rich==13.9.4
 stevedore==5.4.0
diff --git a/requirements/dolphie-requirements.txt b/requirements/dolphie-requirements.txt
index 90ed6887..6bf8ebfa 100644
--- a/requirements/dolphie-requirements.txt
+++ b/requirements/dolphie-requirements.txt
@@ -1,27 +1,27 @@
-charset-normalizer==3.4.0
+charset-normalizer==3.4.1
 cython==3.0.11
 idna==3.10
 linkify-it-py==2.0.3
-loguru==0.7.2
+loguru==0.7.3
 markdown-it-py==3.0.0
 mdit-py-plugins==0.4.2
 mdurl==0.1.2
 myloginpath==0.0.4
-orjson==3.10.12
+orjson==3.10.14
 packaging==24.2
 platformdirs==4.3.6
 plotext==5.3.2
-psutil==6.1.0
-pygments==2.18.0
+psutil==6.1.1
+pygments==2.19.1
 pymysql==1.1.1
 requests==2.32.3
 rich==13.9.4
 setuptools==75.5.0
-sqlparse==0.4.4
-textual==0.88.1
+sqlparse==0.5.3
+textual==0.89.1
 textual-autocomplete==3.0.0a13
 tree-sitter==0.23.2
 typing-extensions==4.12.2
 uc-micro-py==1.0.3
-urllib3==2.2.3
+urllib3==2.3.0
 zstandard==0.23.0
diff --git a/requirements/jenkins-job-builder-requirements.txt b/requirements/jenkins-job-builder-requirements.txt
index 022cb685..b4808066 100644
--- a/requirements/jenkins-job-builder-requirements.txt
+++ b/requirements/jenkins-job-builder-requirements.txt
@@ -1,4 +1,4 @@
-charset-normalizer==3.4.0
+charset-normalizer==3.4.1
 fasteners==0.19
 idna==3.10
 jinja2==3.1.5
@@ -9,7 +9,7 @@ pbr==6.1.0
 python-jenkins==1.8.2
 pyyaml==6.0.2
 requests==2.32.3
-setuptools==75.6.0
+setuptools==75.8.0
 six==1.17.0
 stevedore==5.4.0
 urllib3==2.3.0
diff --git a/requirements/poetry-requirements.txt b/requirements/poetry-requirements.txt
index 55fa458e..6f8a1bbd 100644
--- a/requirements/poetry-requirements.txt
+++ b/requirements/poetry-requirements.txt
@@ -1,5 +1,5 @@
 build==1.2.2.post1
-cachecontrol==0.14.1
+cachecontrol==0.14.2
 charset-normalizer==3.4.1
 cleo==2.1.0
 crashtest==0.4.1
@@ -19,7 +19,7 @@ msgpack==1.1.0
 packaging==24.2
 pkginfo==1.12.0
 platformdirs==4.3.6
-poetry-core==2.0.0
+poetry-core==2.0.1
 pyproject-hooks==1.2.0
 rapidfuzz==3.11.0
 requests==2.32.3
@@ -27,7 +27,7 @@ requests-toolbelt==1.0.0
 secretstorage==3.3.3
 shellingham==1.5.4
 tomlkit==0.13.2
-trove-classifiers==2024.10.21.16
+trove-classifiers==2025.1.10.15
 urllib3==2.3.0
 virtualenv==20.28.1
-xattr==1.1.0
+xattr==1.1.4
diff --git a/requirements/schemathesis-requirements.txt b/requirements/schemathesis-requirements.txt
index c0656643..5afa356b 100644
--- a/requirements/schemathesis-requirements.txt
+++ b/requirements/schemathesis-requirements.txt
@@ -1,4 +1,4 @@
-anyio==4.7.0
+anyio==4.8.0
 arrow==1.3.0
 attrs==24.3.0
 backoff==2.2.1
@@ -11,7 +11,7 @@ h11==0.14.0
 harfile==0.3.0
 httpcore==1.0.7
 httpx==0.28.1
-hypothesis==6.123.1
+hypothesis==6.123.15
 hypothesis-graphql==0.11.1
 hypothesis-jsonschema==0.23.1
 idna==3.10
@@ -39,7 +39,7 @@ rpds-py==0.22.3
 six==1.17.0
 sniffio==1.3.1
 sortedcontainers==2.4.0
-starlette==0.43.0
+starlette==0.45.2
 starlette-testclient==0.4.1
 tomli==2.2.1
 tomli-w==1.1.0
diff --git a/requirements/urh-requirements.txt b/requirements/urh-requirements.txt
index 902fce3f..8bbe42ff 100644
--- a/requirements/urh-requirements.txt
+++ b/requirements/urh-requirements.txt
@@ -1,3 +1,4 @@
 cython==3.0.11
-psutil==6.1.0
-setuptools==75.6.0
+numpy==1.26.4
+psutil==6.1.1
+setuptools==75.8.0
diff --git a/requirements/yt-dlp-requirements.txt b/requirements/yt-dlp-requirements.txt
index 8d78da55..387da2ca 100644
--- a/requirements/yt-dlp-requirements.txt
+++ b/requirements/yt-dlp-requirements.txt
@@ -1,5 +1,5 @@
 brotli==1.1.0
-charset-normalizer==3.4.0
+charset-normalizer==3.4.1
 idna==3.10
 mutagen==1.47.0
 pycryptodomex==3.21.0