Update pytest to version 7.2.0 (which removes their dependency on py) #4880

Merged
merged 2 commits into from
Oct 16, 2023

Conversation

pablospe
Contributor

Description

Suggested changelog entry:

The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.

The particular codepath in question is the regular expression at py._path.svnurl.InfoSvnCommand.lspattern and is only relevant when dealing with subversion (svn) projects. Notably the codepath is not used in the popular pytest project. The developers of the pytest package have released version 7.2.0 which removes their dependency on py. Users of pytest seeing alerts relating to this advisory may update to version 7.2.0 of pytest to resolve this issue. See pytest-dev/py#287 (comment) for additional context.
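As an added defender-side check (not code from this PR or the pybind11 project), the script below reads pip freeze style output and reports whether an affected py release is installed and whether an old pytest pin is what still pulls it in; the version thresholds come from the advisory text above, and the frozen environment is a constructed sample.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `pip freeze` output, not taken from the PR or its CI logs.
SAMPLE_FREEZE = """
# environment with the old pytest pin
pytest==7.0.0
py==1.11.0
pybind11==2.11.1
""".strip().splitlines()

ADVISORY_MAX_PY = "1.11.0"   # py releases up to and including this one are affected
PYTEST_DROPS_PY = "7.2.0"    # first pytest release without the py dependency


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted release string into a comparable 3-tuple; tags like rc1 are ignored."""
    parts: List[int] = []
    for component in version.split(".")[:3]:
        match = re.match(r"\d+", component)
        parts.append(int(match.group()) if match else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_freeze(lines: List[str]) -> Dict[str, str]:
    """Map distribution name (lower-cased) to version from 'name==version' lines."""
    installed: Dict[str, str] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        installed[name.strip().lower()] = version.strip()
    return installed


def audit(installed: Dict[str, str]) -> List[str]:
    """Report an affected py install and whether pytest is the requirement that brings it in."""
    findings: List[str] = []
    py_version = installed.get("py")
    if py_version is None or parse_version(py_version) > parse_version(ADVISORY_MAX_PY):
        return findings
    findings.append(f"py=={py_version} is within the affected range (<= {ADVISORY_MAX_PY})")
    pytest_version = installed.get("pytest")
    if pytest_version is not None and parse_version(pytest_version) < parse_version(PYTEST_DROPS_PY):
        findings.append(f"pytest=={pytest_version} still depends on py; upgrade to >= {PYTEST_DROPS_PY}")
    else:
        findings.append("py is not pulled in by pytest here; check which other requirement needs it")
    return findings
```

Running `audit(parse_freeze(SAMPLE_FREEZE))` on the sample yields two findings; feeding it real `pip freeze` output shows whether the pytest bump alone clears the alert or another requirement keeps py installed.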
@rwgk
Collaborator

rwgk commented Oct 11, 2023

We have 9 failures in environments where pytest 7.2.0 does not seem to be available (looks like Python 3.6 & a couple specific platforms).

Could you please add conditions so that we keep using 7.0.0 on those platforms?

But a general question:

tests/requirements.txt is probably used only in the GHA here and by a few developers for local testing. I'm thinking subversion will rarely ever be in the mix. Therefore it seems like the reduction in risk potential is near zero. Is that a fair assessment?

@Skylion007 Skylion007 self-requested a review October 12, 2023 23:38
@pablospe
Contributor Author

It appears that the issue may be related to the absence of a generated package for Python 3.6 on PyPI. I've added a condition to address this; let's see if it resolves the issue in the CI tests. Thanks!

One question: until when will there be support for Python 3.6?

@rwgk
Collaborator

rwgk commented Oct 16, 2023

> It appears that the issue may be related to the absence of a generated package for Python 3.6 on PyPI. I've added a condition to address this; let's see if it resolves the issue in the CI tests. Thanks!

It works, thanks!

> One question: until when will there be support for Python 3.6?

Yesterday! :-)

If someone wants to help out purging the 3.6 support that would be great.

@rwgk rwgk merged commit 0cbd92b into pybind:master Oct 16, 2023
81 of 82 checks passed
@github-actions github-actions bot added the needs changelog Possibly needs a changelog entry label Oct 16, 2023
@rwgk rwgk removed the needs changelog Possibly needs a changelog entry label Oct 16, 2023