
Remove flask-featureflags integration, bump flask to v0.12.4 #447

Merged (4 commits), Aug 24, 2018

Conversation

@risicle (Contributor) commented Aug 24, 2018

https://trello.com/c/ZH9trgjH/419-snyk-alert-for-flask-010x-vulnerability

This broadly does three things:

  • Removes any integration with flask-featureflags and drops it as a dependency. The changelog entry should reflect the various things that are no longer supported as a result of this.
  • Bumps the Flask dependency to v0.12.4 to, among other things, fix a minor security vulnerability with 0.10.x
  • Drops the CSRFError handling workaround required for flask 0.10.x's deficiency, instead registering the handler in a more obvious way.

Making an upgrade to this version will require bumping the app's Flask to 0.12.4, which itself can require some changes. Luckily I've already done this for all (?) the apps and PRs should be following for them. I'll probably only merge this once people are happy with them too.

@lfdebrux (Contributor) left a comment

Nice

# This is the remnant of a workaround for a bug in Flask 0.10.1. In that case, CSRFErrors
# are caught under 400 BadRequest exceptions, so this handler can be registered to catch
# all 400s, but will immediately discard non-CSRFError instances. Can be removed once
# we're absolutely certain nothing is still using Flask 0.10.1.
Contributor:

I think we can remove it now. If the app has pulled in this version of utils it will have Flask 0.12, and flask_init will only supply this function with recognisable CSRFError instances (as opposed to, say, BadRequest).

Contributor:

For clarity we could rename the e arg to csrf_error?

Contributor (Author):

👍
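The thread above turns on one mechanism: on Flask 0.10.x an error handler registered for the CSRFError class was never consulted because HTTP exceptions were looked up by status code, so the workaround had to catch every 400 and discard anything that was not a CSRFError; on Flask 0.12 the handler can be registered for CSRFError directly. The following is an added, dependency-free model of that difference, written for this page and not taken from the utils repository, Flask or Flask-WTF. The exception classes (`HTTPException`, `BadRequest`, `CSRFError`) and the two lookup functions are stand-ins that mimic the behaviour the comments describe, not the libraries' real implementations.

```python
# Added example (not code from the utils repo, Flask or Flask-WTF): a
# simplified model of why the "catch all 400s, discard non-CSRFError" handler
# was needed on Flask 0.10.x and why a direct CSRFError handler suffices on
# Flask 0.12. Class names and lookup functions are stand-ins (assumptions),
# not the libraries' actual code.


class HTTPException(Exception):
    """Stand-in for werkzeug's HTTPException: carries an HTTP status code."""
    code = None


class BadRequest(HTTPException):
    code = 400


class CSRFError(BadRequest):
    """Stand-in for Flask-WTF's CSRFError, which is a BadRequest subclass."""


def find_handler_by_code(handlers, exc):
    """Model of the 0.10.x behaviour described in the thread: HTTP exceptions
    are looked up by status code only, so a handler registered for the
    CSRFError *class* is never found."""
    if isinstance(exc, HTTPException):
        return handlers.get(exc.code)
    return handlers.get(type(exc))


def find_handler_by_mro(handlers, exc):
    """Model of the 0.12 behaviour: walk the exception's class hierarchy and
    prefer the most specific class-keyed handler, then fall back to the code."""
    for cls in type(exc).__mro__:
        if cls in handlers:
            return handlers[cls]
    if isinstance(exc, HTTPException):
        return handlers.get(exc.code)
    return None


def csrf_response(csrf_error):
    """The real handler: only ever meant to see CSRFError instances."""
    return ("CSRF token missing or invalid", 400)


def csrf_handler_workaround(e):
    """0.10.x workaround: registered for *all* 400s, so it must discard
    anything that is not a CSRFError and let default handling proceed."""
    if not isinstance(e, CSRFError):
        raise e
    return csrf_response(e)


def dispatch(find_handler, handlers, exc):
    """Run the handler chosen by `find_handler`, or fall back to a generic
    response when none applies (or when the workaround re-raises)."""
    handler = find_handler(handlers, exc)
    if handler is None:
        return ("generic error", getattr(exc, "code", 500))
    try:
        return handler(exc)
    except HTTPException as rethrown:
        return ("generic error", rethrown.code)


# Registration the PR removes: catch every 400 and filter inside the handler.
OLD_REGISTRY = {400: csrf_handler_workaround}
# Registration the PR moves to: handle CSRFError directly, keyed by class.
NEW_REGISTRY = {CSRFError: csrf_response}


def demo():
    """Exercise both lookups against both registrations."""
    results = {}
    # 0.10-style lookup ignores a class-keyed CSRFError handler, which is
    # exactly why the code-keyed workaround existed.
    results["old_lookup_direct"] = dispatch(find_handler_by_code, NEW_REGISTRY, CSRFError())
    results["old_lookup_workaround"] = dispatch(find_handler_by_code, OLD_REGISTRY, CSRFError())
    results["old_lookup_workaround_plain400"] = dispatch(find_handler_by_code, OLD_REGISTRY, BadRequest())
    # 0.12-style lookup finds the direct registration, and leaves a plain
    # BadRequest to the generic path.
    results["new_lookup_direct"] = dispatch(find_handler_by_mro, NEW_REGISTRY, CSRFError())
    results["new_lookup_plain400"] = dispatch(find_handler_by_mro, NEW_REGISTRY, BadRequest())
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `isinstance` check and re-raise in `csrf_handler_workaround` is the piece the PR deletes; once the handler is keyed by class, every call it receives is already a CSRFError, which is also why renaming its argument to `csrf_error` is accurate rather than merely cosmetic.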

…dler for CSRFError

we can do this because of the upgrade to flask 0.12 fixing the bug
we were working around here.
@risicle risicle merged commit c5950e6 into master Aug 24, 2018
@risicle risicle deleted the ris-flask-0-12 branch August 24, 2018 14:02