From 38e7d3352c0966e609e298d8ac73222a00ed9ad0 Mon Sep 17 00:00:00 2001 From: blag Date: Fri, 27 Nov 2020 23:18:44 -0800 Subject: [PATCH 1/9] Update cryptography version to 3.2 --- fixed-requirements.txt | 2 +- requirements.txt | 2 +- st2client/requirements.txt | 2 +- st2common/requirements.txt | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/fixed-requirements.txt b/fixed-requirements.txt index 58d673c227..0326841b1a 100644 --- a/fixed-requirements.txt +++ b/fixed-requirements.txt @@ -4,7 +4,7 @@ amqp==2.5.2 apscheduler==3.6.3 # NOTE: 2.0 version breaks pymongo work with hosts dnspython>=1.16.0,<2.0.0 -cryptography==2.8 +cryptography==3.2 # Note: 0.20.0 removed select.poll() on which some of our code and libraries we # depend on rely eventlet==0.25.1 diff --git a/requirements.txt b/requirements.txt index dcaf68e6ae..d2a7cee282 100644 --- a/requirements.txt +++ b/requirements.txt @@ -10,7 +10,7 @@ amqp==2.5.2 apscheduler==3.6.3 argcomplete bcrypt==3.1.7 -cryptography==2.8 +cryptography==3.2 dnspython<2.0.0,>=1.16.0 eventlet==0.25.1 flex==6.14.0 diff --git a/st2client/requirements.txt b/st2client/requirements.txt index 1050fc7bb1..17c03201c8 100644 --- a/st2client/requirements.txt +++ b/st2client/requirements.txt @@ -6,7 +6,7 @@ # in-requirements.txt for that component and then run 'make requirements' to # update the component requirements.txt argcomplete -cryptography==2.8 +cryptography==3.2 jsonpath-rw==1.4.0 jsonschema==2.6.0 more-itertools==5.0.0 diff --git a/st2common/requirements.txt b/st2common/requirements.txt index 788af1fb7d..2291be8677 100644 --- a/st2common/requirements.txt +++ b/st2common/requirements.txt @@ -7,7 +7,7 @@ # update the component requirements.txt amqp==2.5.2 apscheduler==3.6.3 -cryptography==2.8 +cryptography==3.2 dnspython<2.0.0,>=1.16.0 eventlet==0.25.1 flex==6.14.0 From cd6ed5f6640ac18118df2af9d37bfac303f4a4d4 Mon Sep 17 00:00:00 2001 From: blag Date: Sat, 28 Nov 2020 00:46:30 -0800 Subject: [PATCH 2/9] Update changelog --- CHANGELOG.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 28376dc1a3..6df204faae 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -25,6 +25,8 @@ Changed Contributed by @hnanchahal +* Upgraded cryptography version to 3.2 to avoid CVE-2020-25659 + Fixed ~~~~~~~~~ * Added monkey patch fix to st2stream to enable it to work with mongodb via SSL. (bug fix) #5078 #5091 From 26741c9332d3dfd563341cf8b19ae92cc031e10a Mon Sep 17 00:00:00 2001 From: blag Date: Sat, 28 Nov 2020 00:44:32 -0800 Subject: [PATCH 3/9] Two tiny lints --- contrib/runners/python_runner/tests/unit/test_pythonrunner.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/contrib/runners/python_runner/tests/unit/test_pythonrunner.py b/contrib/runners/python_runner/tests/unit/test_pythonrunner.py index 40529521ff..2da8cd6a1d 100644 --- a/contrib/runners/python_runner/tests/unit/test_pythonrunner.py +++ b/contrib/runners/python_runner/tests/unit/test_pythonrunner.py @@ -50,7 +50,7 @@ TEST_ACTION_PATH = os.path.join(tests_base.get_resources_path(), 'packs', 'pythonactions/actions/test.py') PATHS_ACTION_PATH = os.path.join(tests_base.get_resources_path(), 'packs', - 'pythonactions/actions/python_paths.py') + 'pythonactions/actions/python_paths.py') ACTION_1_PATH = os.path.join(tests_base.get_fixtures_path(), 'packs/dummy_pack_9/actions/list_repos_doesnt_exist.py') ACTION_2_PATH = os.path.join(tests_base.get_fixtures_path(), @@ -65,7 +65,7 @@ PRINT_CONFIG_ITEM_ACTION = os.path.join(tests_base.get_resources_path(), 'packs', 'pythonactions/actions/print_config_item_doesnt_exist.py') PRINT_TO_STDOUT_STDERR_ACTION = os.path.join(tests_base.get_resources_path(), 'packs', - 'pythonactions/actions/print_to_stdout_and_stderr.py') + 'pythonactions/actions/print_to_stdout_and_stderr.py') # Note: runner inherits parent args which doesn't work with tests since test pass additional From abba26411a5d55cc162c185ee8655a5c6edf57bf Mon Sep 17 00:00:00 2001 From: blag Date: Sat, 28 Nov 2020 00:45:25 -0800 Subject: [PATCH 4/9] Use assertMultiLineEqual to compare multi-line strings --- .../tests/unit/test_pythonrunner.py | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/contrib/runners/python_runner/tests/unit/test_pythonrunner.py b/contrib/runners/python_runner/tests/unit/test_pythonrunner.py index 2da8cd6a1d..d056a848cd 100644 --- a/contrib/runners/python_runner/tests/unit/test_pythonrunner.py +++ b/contrib/runners/python_runner/tests/unit/test_pythonrunner.py @@ -315,8 +315,8 @@ def test_action_stdout_and_stderr_is_not_stored_in_db_by_default(self, mock_spaw runner.pre_run() (_, output, _) = runner.run({'row_index': 4}) - self.assertEqual(output['stdout'], 'pre result line 1\npost result line 1') - self.assertEqual(output['stderr'], 'stderr line 1\nstderr line 2\nstderr line 3\n') + self.assertMultiLineEqual(output['stdout'], 'pre result line 1\npost result line 1') + self.assertMultiLineEqual(output['stderr'], 'stderr line 1\nstderr line 2\nstderr line 3\n') self.assertEqual(output['result'], 'True') self.assertEqual(output['exit_code'], 0) @@ -339,8 +339,8 @@ def test_action_stdout_and_stderr_is_not_stored_in_db_by_default(self, mock_spaw runner.pre_run() (_, output, _) = runner.run({'row_index': 4}) - self.assertEqual(output['stdout'], 'pre result line 1\npost result line 1') - self.assertEqual(output['stderr'], 'stderr line 1\nstderr line 2\nstderr line 3\n') + self.assertMultiLineEqual(output['stdout'], 'pre result line 1\npost result line 1') + self.assertMultiLineEqual(output['stderr'], 'stderr line 1\nstderr line 2\nstderr line 3\n') self.assertEqual(output['result'], 'True') self.assertEqual(output['exit_code'], 0) @@ -387,9 +387,9 @@ def test_action_stdout_and_stderr_is_stored_in_the_db(self, mock_spawn, mock_pop runner.pre_run() (_, output, _) = runner.run({'row_index': 4}) - self.assertEqual(output['stdout'], + self.assertMultiLineEqual(output['stdout'], 'pre result line 1\npre result line 2\npost result line 1') - self.assertEqual(output['stderr'], 'stderr line 1\nstderr line 2\nstderr line 3\n') + self.assertMultiLineEqual(output['stderr'], 'stderr line 1\nstderr line 2\nstderr line 3\n') self.assertEqual(output['result'], 'True') self.assertEqual(output['exit_code'], 0) @@ -427,8 +427,9 @@ def test_real_time_output_streaming_bufsize(self): runner.pre_run() (_, output, _) = runner.run({'stdout_count': 2, 'stderr_count': 2}) - self.assertEqual(output['stdout'], 'stdout line 0\nstdout line 1\n') - self.assertEqual(output['stderr'], 'stderr line 0\nstderr line 1\n') + # assertMultiLineEqual displays a diff if the two don't match + self.assertMultiLineEqual(output['stdout'], 'stdout line 0\nstdout line 1\n') + self.assertMultiLineEqual(output['stderr'], 'stderr line 0\nstderr line 1\n') self.assertEqual(output['exit_code'], 0) output_dbs = ActionExecutionOutput.get_all() From d765b8c66cf8b6a58b5014ae2c77d2e29fc24704 Mon Sep 17 00:00:00 2001 From: blag Date: Sat, 28 Nov 2020 00:46:00 -0800 Subject: [PATCH 5/9] Relax line count assertions a bit --- contrib/runners/python_runner/tests/unit/test_pythonrunner.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/contrib/runners/python_runner/tests/unit/test_pythonrunner.py b/contrib/runners/python_runner/tests/unit/test_pythonrunner.py index d056a848cd..b67055a48c 100644 --- a/contrib/runners/python_runner/tests/unit/test_pythonrunner.py +++ b/contrib/runners/python_runner/tests/unit/test_pythonrunner.py @@ -702,7 +702,9 @@ def test_simple_action_log_messages_and_log_level_runner_param(self): lines.append(line) msg = ('Expected %s lines, got %s - "%s"' % (expected_count, len(lines), str(lines))) - self.assertEqual(len(lines), expected_count, msg) + # Dependencies can inject their own warnings, which increases the + # number of lines to more than we expect with simple equality checks + self.assertGreaterEqual(len(lines), expected_count, msg) # Only log messages with level info and above should be displayed runner = self._get_mock_runner_obj() From bbe770f2c4f38bead5d456370c7cfb6efd669838 Mon Sep 17 00:00:00 2001 From: blag Date: Sat, 28 Nov 2020 01:15:27 -0800 Subject: [PATCH 6/9] Relax stderr comparisons a bit to account for unexpected third party warnings --- .../runners/python_runner/tests/unit/test_pythonrunner.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/contrib/runners/python_runner/tests/unit/test_pythonrunner.py b/contrib/runners/python_runner/tests/unit/test_pythonrunner.py index b67055a48c..7a7878774e 100644 --- a/contrib/runners/python_runner/tests/unit/test_pythonrunner.py +++ b/contrib/runners/python_runner/tests/unit/test_pythonrunner.py @@ -429,7 +429,11 @@ def test_real_time_output_streaming_bufsize(self): # assertMultiLineEqual displays a diff if the two don't match self.assertMultiLineEqual(output['stdout'], 'stdout line 0\nstdout line 1\n') - self.assertMultiLineEqual(output['stderr'], 'stderr line 0\nstderr line 1\n') + # Third party packages can unexpectedly emit warnings and add more + # output to the streamed stderr, so we check that the expected + # lines occurred, but we allow additional lines to exist + self.assertIn('stderr line 0\n', output['stderr']) + self.assertIn('stderr line 1\n', output['stderr']) self.assertEqual(output['exit_code'], 0) output_dbs = ActionExecutionOutput.get_all() From 129a78b768c80bf3ededff5161d0c80e90234914 Mon Sep 17 00:00:00 2001 From: blag Date: Sat, 28 Nov 2020 01:38:26 -0800 Subject: [PATCH 7/9] Relax line count assertion a bit --- contrib/runners/python_runner/tests/unit/test_pythonrunner.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/contrib/runners/python_runner/tests/unit/test_pythonrunner.py b/contrib/runners/python_runner/tests/unit/test_pythonrunner.py index 7a7878774e..58eb1a6efe 100644 --- a/contrib/runners/python_runner/tests/unit/test_pythonrunner.py +++ b/contrib/runners/python_runner/tests/unit/test_pythonrunner.py @@ -437,7 +437,8 @@ def test_real_time_output_streaming_bufsize(self): self.assertEqual(output['exit_code'], 0) output_dbs = ActionExecutionOutput.get_all() - self.assertEqual(len(output_dbs), (index) * 4) + # Unexpected third party warnings will also inflate this number + self.assertGreaterEqual(len(output_dbs), (index) * 4) @mock.patch('st2common.util.concurrency.subprocess_popen') def test_stdout_interception_and_parsing(self, mock_popen): From 1bdba906d8abfc14a75a31bc5119ac15c1cc6027 Mon Sep 17 00:00:00 2001 From: blag Date: Sat, 28 Nov 2020 02:01:31 -0800 Subject: [PATCH 8/9] Relax another line count assertion a bit --- contrib/runners/python_runner/tests/unit/test_pythonrunner.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/contrib/runners/python_runner/tests/unit/test_pythonrunner.py b/contrib/runners/python_runner/tests/unit/test_pythonrunner.py index 58eb1a6efe..8d55f8262d 100644 --- a/contrib/runners/python_runner/tests/unit/test_pythonrunner.py +++ b/contrib/runners/python_runner/tests/unit/test_pythonrunner.py @@ -420,7 +420,8 @@ def test_real_time_output_streaming_bufsize(self): group='actionrunner') output_dbs = ActionExecutionOutput.get_all() - self.assertEqual(len(output_dbs), (index - 1) * 4) + # Unexpected third party warnings will also inflate this number + self.assertGreaterEqual(len(output_dbs), (index - 1) * 4) runner = self._get_mock_runner_obj() runner.entry_point = PRINT_TO_STDOUT_STDERR_ACTION From 63f5c004ad78bab131c5b4addda7e4dab67e81bf Mon Sep 17 00:00:00 2001 From: blag Date: Thu, 3 Dec 2020 11:52:55 -0800 Subject: [PATCH 9/9] Tweak changelog line Co-authored-by: Eugen Cusmaunsa --- CHANGELOG.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 6df204faae..2c28d8551e 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -25,7 +25,7 @@ Changed Contributed by @hnanchahal -* Upgraded cryptography version to 3.2 to avoid CVE-2020-25659 +* Upgraded cryptography version to 3.2 to avoid CVE-2020-25659 (security) #5095 Fixed ~~~~~~~~~