5071 SNYK - Upgrade Pillow (and Wagtail)

[rfultz]

Summary

• Resolves [SNYK: Medium] Improper Input Validation (Due 04/15/2022) #5071

Upgrading Pillow to address a vulnerability, which required a Wagtail upgrade. Luckily, the Wagtail upgrade addressed only the Pillow vulnerability and only changed the required version

Required reviewers

• one front-end or UX
• should probably check on dev or feature so we can play with image uploads (Pillow being an image handler)

Impacted areas of the application

Pillow and Wagtail

Screenshots

None

Related PRs

None

How to test

Testing vulnerabilities is always tricky, like proving an absence. The vulnerability reads,

Affected versions of this package are vulnerable to Improper Input Validation. When the path to the temporary directory on Linux or macOS contained a space, this would break removal of the temporary image file after im.show() (and related actions), and potentially remove an unrelated file.

so to fully test it, we'd need to use a Linux or Mac, use a temporary directory with a space in its path, trigger Wagtail to use im.show(), and then check to make sure no unrelated files were removed?

For this review, it seems like the most we can do is make sure nothing major is broken, like making sure image uploads work (outside of localhost?) as expected?

• pull the branch
• ./manage.py runserver
• make sure things are working as expected
• push to dev or feature and make sure image uploads work there? I'm open to ideas

[johnnyporkchops]

Pushed this branch to feature space and tested image uploads successfully.

• Make sure we rm task for feature deploy before merging

[patphongs]

I reverted and squashed the the temp push to feature commit. I also tested on feature and all looks good, thanks @rfultz

[codecov-commenter]

Codecov Report

Merging #5138 (80f65dc) into develop (fc95ab1) will decrease coverage by 0.01%.
The diff coverage is n/a.

@@             Coverage Diff             @@
##           develop    #5138      +/-   ##
===========================================
- Coverage    74.95%   74.93%   -0.02%     
===========================================
  Files          125      125              
  Lines         8120     8120              
  Branches       648      648              
===========================================
- Hits          6086     6085       -1     
- Misses        2034     2035       +1     

Impacted Files	Coverage Δ
fec/fec/static/js/modules/calendar.js	92.08% <0.00%> (-0.72%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update fc95ab1...80f65dc. Read the comment docs.