
chore(security): bump idna >=3.15 (CVE-2026-45409) + ignore disputed PyJWT advisory

  - requirements.txt: pin idna>=3.15 to clear ReDoS in idna.encode() on
    crafted Unicode payloads. Transitive via anyio/httpx/requests/yarl,
    so the explicit floor stops a future downstream loosening from
    silently downgrading us.
  - security.yml: permanently --ignore-vuln CVE-2025-45768 (PyJWT). The
    advisory is disputed by the maintainers — "key length is chosen by
    the application" — and no fix version exists. Bambuddy is safe:
    auto-generates secrets via secrets.token_urlsafe(64) and rejects
    file-loaded secrets shorter than 32 chars (auth.py:177, :184).
  - security.yml: drop the stale Pygments --ignore-vuln CVE-2026-4539.
    Pygments has been patched upstream; the ignore no longer matches
    anything.
maziggy, 1 week ago
parent
commit
9d440beb80
3 changed files with 16 additions and 4 deletions
  1. .github/workflows/security.yml (+11 -4)
  2. CHANGELOG.md (+0 -0)
  3. requirements.txt (+5 -0)

+ 11 - 4
.github/workflows/security.yml

@@ -132,10 +132,17 @@ jobs:
       - name: Run pip-audit
         id: pip-audit
         run: |
-          # CVE-2026-4539: low-severity ReDoS in Pygments AdlLexer (indirect dep via mkdocs-material/pytest/rich).
-          # No fix available yet. Remove --ignore-vuln once Pygments releases a patched version.
-          pip-audit --desc on --format json --output pip-audit-results.json --ignore-vuln CVE-2026-4539 || echo "vulnerabilities_found=true" >> $GITHUB_OUTPUT
-          pip-audit --desc on --ignore-vuln CVE-2026-4539 || true
+          # CVE-2025-45768 (PYSEC-2025-183 / GHSA-65pc-fj4g-8rjx): disputed by PyJWT maintainers.
+          # Advisory says "key length is chosen by the application that uses the library" — no
+          # PyJWT fix exists or will exist. Bambuddy is safe: backend/app/core/auth.py:184 uses
+          # secrets.token_urlsafe(64) (~86 chars of entropy) for auto-generated secrets and
+          # rejects file-loaded secrets shorter than 32 chars at :177. Keep ignored permanently.
+          pip-audit --desc on --format json --output pip-audit-results.json \
+            --ignore-vuln CVE-2025-45768 \
+            || echo "vulnerabilities_found=true" >> $GITHUB_OUTPUT
+          pip-audit --desc on \
+            --ignore-vuln CVE-2025-45768 \
+            || true
 
       - name: Upload audit results
         if: always()
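Review bot: the new comment block mislabels the secret strength: `secrets.token_urlsafe(64)` draws 64 random bytes (512 bits of entropy) and encodes them as about 86 base64url characters, so "~86 chars of entropy" conflates output length with entropy; write it as "64 bytes (512 bits) of entropy, ~86 chars long". The same comment, like the commit message, anchors the justification to `backend/app/core/auth.py:184` and `:177`; line numbers drift with every edit to that file, so name the function or setting that enforces the 32-char minimum instead, otherwise nobody can audit the ignore later without git archaeology. Since the advisory carries three IDs (CVE-2025-45768, PYSEC-2025-183, GHSA-65pc-fj4g-8rjx), confirm in the job log that `--ignore-vuln CVE-2025-45768` suppresses the finding under whichever ID the vulnerability service pip-audit is configured with reports it, or the JSON run will still set `vulnerabilities_found=true`. A "permanently" ignored advisory also deserves a re-check condition in the comment (for example, "revisit if the minimum secret length in auth.py changes"), since the justification depends on that check staying in place.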

+ 0 - 0
CHANGELOG.md

The diff view for this file is truncated because it is too large.


+ 5 - 0
requirements.txt

@@ -60,6 +60,11 @@ passlib[bcrypt]>=1.7.4
 ldap3>=2.9.0
 pyotp>=2.9.0
 
+# Transitive dep pin: idna<3.15 has CVE-2026-45409 (ReDoS on encode() with
+# crafted Unicode). Pulled in by anyio/httpx/requests/yarl; pin the floor
+# so we don't regress when a downstream loosens its constraint.
+idna>=3.15
+
 # HTTP client (used for OIDC token exchange)
 httpx>=0.26.0
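Review bot: a `>=` floor on a transitive dependency is only enforced where this file is the resolver's input; if the project also installs from a lock or constraints file, or a Dockerfile with its own pins, that file needs the same `idna>=3.15` or the pip-audit job in security.yml keeps flagging CVE-2026-45409 while local installs look clean. Consider placing the idna line in a clearly marked "transitive pins" section rather than between `pyotp` and the HTTP client block, so a future dependency cleanup does not drop it as an unused direct dependency; the comment itself explains the reason well, but the placement suggests it belongs to the auth group above.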
 

Not all files are shown because too many files changed in this diff.