[Snyk] Security upgrade PyJWT from 1.4.2 to 1.5.1 #729
Conversation
The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-PYJWT-40693
|
Seems like Flask-JWT is abandoned (no commits since 2015) and we need to upgrade to https://github.com/vimalloc/flask-jwt-extended instead which is maintained. https://travis-ci.com/github/guardicore/monkey/builds/175862097#L474 |
monkey/monkey_island/cc/app.py
Outdated
| app.config['JWT_EXPIRATION_DELTA'] = env_singleton.env.get_auth_expiration_time() | ||
|
|
||
| # See https://flask-jwt-extended.readthedocs.io/en/stable/options | ||
| app.config['JWT_TOKEN_LOCATION'] = ['headers'] |
There was a problem hiding this comment.
Already a default, why specify?
| app.config['JWT_TOKEN_LOCATION'] = ['headers'] | ||
| app.config['JWT_ACCESS_TOKEN_EXPIRES'] = env_singleton.env.get_auth_expiration_time() | ||
| # Invalidate the signature of JWTs between server resets. | ||
| app.config['JWT_SECRET_KEY'] = str(uuid.uuid4()) |
There was a problem hiding this comment.
It's stored in mongodb between resets?
There was a problem hiding this comment.
Nope - I meant Python process restarted, fixed the doc.
| # If the user and password have been previously registered | ||
| if self._authenticate(username, secret): | ||
| access_token = flask_jwt_extended.create_access_token(identity=user_store.UserStore.username_table[username].id) | ||
| logger.debug(f"Created access token for user {username}: {access_token}") |
There was a problem hiding this comment.
Do we really want to log access token?
There was a problem hiding this comment.
Changed to only log first 4 chars (useful for debugging as I've discovered)
|
|
||
| return decorator | ||
| # See https://flask-jwt-extended.readthedocs.io/en/stable/custom_decorators/ | ||
| def jwt_required(fn): |
There was a problem hiding this comment.
This doesn't fit as a replacement? https://flask-jwt-extended.readthedocs.io/en/stable/api/#flask_jwt_extended.jwt_required
There was a problem hiding this comment.
It doesn't since it raises 500 instead of a more accurate 401 on JWT errors (like invalidation due to key change).
Codecov Report
@@ Coverage Diff @@
## develop #729 +/- ##
===========================================
- Coverage 59.86% 59.85% -0.02%
===========================================
Files 147 147
Lines 4784 4795 +11
===========================================
+ Hits 2864 2870 +6
- Misses 1920 1925 +5
Continue to review full report at Codecov.
|
Snyk has created this PR to fix one or more vulnerable packages in the `pip` dependencies of this project.
Changes included in this PR
Vulnerabilities that will be fixed
By pinning:
SNYK-PYTHON-PYJWT-40693
PyJWT:1.4.2 -> 1.5.1Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the effected dependencies could be upgraded.
Check the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
🛠 Adjust project settings
📚 Read more about Snyk's upgrade and patch logic