NXDRIVE-2933: Fix ReDoS in py library when used with subversion #4908

swetayadav1 · 2024-05-22T12:42:50Z

No description provided.

Bumps [tox](https://github.com/tox-dev/tox) from 3.24.5 to 4.15.0. - [Release notes](https://github.com/tox-dev/tox/releases) - [Changelog](https://github.com/tox-dev/tox/blob/main/docs/changelog.rst) - [Commits](tox-dev/tox@3.24.5...4.15.0) --- updated-dependencies: - dependency-name: tox dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [pluggy](https://github.com/pytest-dev/pluggy) from 1.4.0 to 1.5.0. - [Changelog](https://github.com/pytest-dev/pluggy/blob/main/CHANGELOG.rst) - [Commits](pytest-dev/pluggy@1.4.0...1.5.0) --- updated-dependencies: - dependency-name: pluggy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [py-cpuinfo](https://github.com/workhorsy/py-cpuinfo) from 8.0.0 to 9.0.0. - [Release notes](https://github.com/workhorsy/py-cpuinfo/releases) - [Changelog](https://github.com/workhorsy/py-cpuinfo/blob/master/ChangeLog) - [Commits](workhorsy/py-cpuinfo@v8.0.0...v9.0.0) --- updated-dependencies: - dependency-name: py-cpuinfo dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [pytest-cov](https://github.com/pytest-dev/pytest-cov) from 4.1.0 to 5.0.0. - [Changelog](https://github.com/pytest-dev/pytest-cov/blob/master/CHANGELOG.rst) - [Commits](pytest-dev/pytest-cov@v4.1.0...v5.0.0) --- updated-dependencies: - dependency-name: pytest-cov dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [pytest-timeout](https://github.com/pytest-dev/pytest-timeout) from 2.2.0 to 2.3.1. - [Commits](pytest-dev/pytest-timeout@2.2.0...2.3.1) --- updated-dependencies: - dependency-name: pytest-timeout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [pytest-benchmark](https://github.com/ionelmc/pytest-benchmark) from 3.4.1 to 4.0.0. - [Changelog](https://github.com/ionelmc/pytest-benchmark/blob/master/CHANGELOG.rst) - [Commits](ionelmc/pytest-benchmark@v3.4.1...v4.0.0) --- updated-dependencies: - dependency-name: pytest-benchmark dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Sweta Yadav <106366788+swetayadav1@users.noreply.github.com>

Bumps [pytest](https://github.com/pytest-dev/pytest) from 7.4.4 to 8.2.1. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](pytest-dev/pytest@7.4.4...8.2.1) --- updated-dependencies: - dependency-name: pytest dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [filelock](https://github.com/tox-dev/py-filelock) from 3.12.4 to 3.14.0. - [Release notes](https://github.com/tox-dev/py-filelock/releases) - [Changelog](https://github.com/tox-dev/filelock/blob/main/docs/changelog.rst) - [Commits](tox-dev/filelock@3.12.4...3.14.0) --- updated-dependencies: - dependency-name: filelock dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [virtualenv](https://github.com/pypa/virtualenv) from 20.4.7 to 20.26.2. - [Release notes](https://github.com/pypa/virtualenv/releases) - [Changelog](https://github.com/pypa/virtualenv/blob/main/docs/changelog.rst) - [Commits](pypa/virtualenv@20.4.7...20.26.2) --- updated-dependencies: - dependency-name: virtualenv dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [chardet](https://github.com/chardet/chardet) from 4.0.0 to 5.2.0. - [Release notes](https://github.com/chardet/chardet/releases) - [Commits](chardet/chardet@4.0.0...5.2.0) --- updated-dependencies: - dependency-name: chardet dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [py](https://github.com/pytest-dev/py) from 1.10.0 to 1.11.0. - [Release notes](https://github.com/pytest-dev/py/releases) - [Changelog](https://github.com/pytest-dev/py/blob/master/CHANGELOG.rst) - [Commits](pytest-dev/py@1.10.0...1.11.0) --- updated-dependencies: - dependency-name: py dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Sweta Yadav <Sweta.Yadav@hyland.com>

Bumps [platformdirs](https://github.com/platformdirs/platformdirs) from 4.2.0 to 4.2.2. - [Release notes](https://github.com/platformdirs/platformdirs/releases) - [Changelog](https://github.com/platformdirs/platformdirs/blob/main/CHANGES.rst) - [Commits](tox-dev/platformdirs@4.2.0...4.2.2) --- updated-dependencies: - dependency-name: platformdirs dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

sourcery-ai

We've reviewed this pull request using the Sourcery rules engine. If you would also like our AI-powered code review then let us know.

codecov · 2024-05-22T12:47:47Z

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 49.27%. Comparing base (74fc14e) to head (b89de37).
Report is 11 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #4908      +/-   ##
==========================================
+ Coverage   49.24%   49.27%   +0.02%     
==========================================
  Files          94       94              
  Lines       15699    15702       +3     
==========================================
+ Hits         7731     7737       +6     
+ Misses       7968     7965       -3

Flag	Coverage Δ
functional	`38.07% <25.00%> (-0.01%)`	⬇️
integration	`2.06% <ø> (ø)`
unit	`37.60% <100.00%> (+0.03%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

…ify requests after making first request with verify=False (#4924) * --- updated-dependencies: - dependency-name: requests dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * Update 5.5.0.md * Update 5.5.0.md --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…hen-used-with-subversion

… from specially crafted inputs to idna.encode (#4865) * Bump idna from 3.6 to 3.7 in /tools/deps Bumps [idna](https://github.com/kjd/idna) from 3.6 to 3.7. - [Release notes](https://github.com/kjd/idna/releases) - [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.rst) - [Commits](kjd/idna@v3.6...v3.7) --- updated-dependencies: - dependency-name: idna dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> * Update 5.5.0.md --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…on Denial of Service (ReDoS) (#4857) * Bump black from 23.12.1 to 24.4.2 in /tools/deps Bumps [black](https://github.com/psf/black) from 23.12.1 to 24.4.2. - [Release notes](https://github.com/psf/black/releases) - [Changelog](https://github.com/psf/black/blob/main/CHANGES.md) - [Commits](psf/black@23.12.1...24.4.2) --- updated-dependencies: - dependency-name: black dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> * Update 5.5.0.md --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* NXDRIVE: Fix use of insecure SSL/TLS version: security alert-#4 * NXDRIVE-2920: Upgrade to TLS 1.2 * NXDRIVE-2920: Upgrade to TLS 1.2 * NXDRIVE-2920: Upgrade to TLS 1.2 * NXDRIVE-2920: Upgrade to TLS 1.2

…-subversion' of https://github.com/nuxeo/nuxeo-drive into wip-NXDRIVE-2933-Fix-redos-in-py-library-when-used-with-subversion

…NXDRIVE-2933-Fix-redos-in-py-library-when-used-with-subversion

CLAassistant · 2024-07-03T06:56:24Z

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
2 out of 3 committers have signed the CLA.

✅ swetayadav1
✅ dependabot[bot]
❌ nuxeodrive
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

CLAassistant · 2024-07-03T06:56:24Z

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
2 out of 3 committers have signed the CLA.

✅ dependabot[bot]
✅ swetayadav1
❌ nuxeodrive
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

dependabot bot and others added 23 commits May 20, 2024 08:49

Added cachetools 5.3.3 and pyproject-api 1.6.1

a564589

Removed pyproject-api

c297aa4

Added pyproject-api and colorama in MacOS

9df142a

Added tomli in tox file

8ee51f1

added cardet in tox file

e0cfc7e

Added platformdirs in tox file

b69b16f

Updating colorama in all platforms

0d1307b

updated platformdirs in tox file

8f889c0

Updated md file

9cbf78b

Removed py and pytest-forked as it depends on py

80d1586

Updated md file

e02e4ce

swetayadav1 requested a review from mr-shekhar May 22, 2024 12:42

sourcery-ai bot reviewed May 22, 2024

View reviewed changes

swetayadav1 requested review from gitofanindya and poojadaine May 22, 2024 12:43

swetayadav1 and others added 2 commits May 23, 2024 20:49

Update 5.5.0.md

975447b

swetayadav1 and others added 12 commits May 28, 2024 02:50

Merge branch 'master' into wip-NXDRIVE-2933-Fix-redos-in-py-library-w…

81a7917

…hen-used-with-subversion

NXDRIVE-2920: Upgrade to TLS 1.2 (#4780)

2e3f779

* NXDRIVE: Fix use of insecure SSL/TLS version: security alert-#4 * NXDRIVE-2920: Upgrade to TLS 1.2 * NXDRIVE-2920: Upgrade to TLS 1.2 * NXDRIVE-2920: Upgrade to TLS 1.2 * NXDRIVE-2920: Upgrade to TLS 1.2

Fixed style issues

d91efd9

Merge branch 'wip-NXDRIVE-2933-Fix-redos-in-py-library-when-used-with…

a210a90

…-subversion' of https://github.com/nuxeo/nuxeo-drive into wip-NXDRIVE-2933-Fix-redos-in-py-library-when-used-with-subversion

Fixed style error

8a08a77

Fixed style issues

ce33ba1

Merge branch 'wip-NXDRIVE-2933-Fix-redos-in-py-library-when-used-with…

90d6702

…-subversion' of https://github.com/nuxeo/nuxeo-drive into wip-NXDRIVE-2933-Fix-redos-in-py-library-when-used-with-subversion

Fixed style error: Update test_cli.py

8724f64

Merge branch 'master' of https://github.com/nuxeo/nuxeo-drive into wip-…

6e2f7cd

…NXDRIVE-2933-Fix-redos-in-py-library-when-used-with-subversion

Fixed code style issue

ca45662

gitofanindya approved these changes Jun 20, 2024

View reviewed changes

poojadaine approved these changes Jun 20, 2024

View reviewed changes

swetayadav1 and others added 2 commits July 3, 2024 10:53

Merge branch 'master' of https://github.com/nuxeo/nuxeo-drive into wip-…

43ee2fa

…NXDRIVE-2933-Fix-redos-in-py-library-when-used-with-subversion

revert changes to behaviour.py

0483482

swetayadav1 added 2 commits July 3, 2024 14:48

Removed black dependency

b30c305

Removed black dependency

c51303b

mr-shekhar approved these changes Jul 4, 2024

View reviewed changes

Updated comments in retrieve_ssl_certificate

b89de37

swetayadav1 merged commit 1c86642 into master Jul 4, 2024
20 of 21 checks passed

swetayadav1 deleted the wip-NXDRIVE-2933-Fix-redos-in-py-library-when-used-with-subversion branch July 4, 2024 06:37

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

NXDRIVE-2933: Fix ReDoS in py library when used with subversion #4908

NXDRIVE-2933: Fix ReDoS in py library when used with subversion #4908

swetayadav1 commented May 22, 2024

sourcery-ai bot left a comment

codecov bot commented May 22, 2024 •

edited

Loading

CLAassistant commented Jul 3, 2024 •

edited

Loading

CLAassistant commented Jul 3, 2024

NXDRIVE-2933: Fix ReDoS in py library when used with subversion #4908

NXDRIVE-2933: Fix ReDoS in py library when used with subversion #4908

Conversation

swetayadav1 commented May 22, 2024

sourcery-ai bot left a comment

Choose a reason for hiding this comment

codecov bot commented May 22, 2024 • edited Loading

Codecov Report

CLAassistant commented Jul 3, 2024 • edited Loading

CLAassistant commented Jul 3, 2024

codecov bot commented May 22, 2024 •

edited

Loading

CLAassistant commented Jul 3, 2024 •

edited

Loading