tj-django / django-migration-fixer


Resolve multiple leaf nodes error running django migrations.

Home Page: https://tj-django.github.io/django-migration-fixer/

License: MIT License

Makefile 8.55% Python 91.45%
django migrations migration django-migrations django-migration-fixer resolves-migration-conflicts makemigrations django-makemigrations django-models django-project

django-migration-fixer's People

Contributors

dependabot[bot], jackton1, pre-commit-ci[bot], pyup-bot, renovate-bot, renovate[bot]

django-migration-fixer's Issues

CVE-2023-41164 (High) detected in Django-3.2.16-py3-none-any.whl

CVE-2023-41164 - High Severity Vulnerability

Vulnerable Library - Django-3.2.16-py3-none-any.whl

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8a/c4/f946a6b02fcbba84e56074f2fc36866433b009bea2528b09fe0bac4fe1aa/Django-3.2.16-py3-none-any.whl

Path to dependency file: /tmp/ws-scm/django-migration-fixer

Path to vulnerable library: /tmp/ws-scm/django-migration-fixer

Dependency Hierarchy:

  • Django-3.2.16-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.

Publish Date: 2023-11-03

URL: CVE-2023-41164

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.djangoproject.com/weblog/2023/sep/04/security-releases/

Release Date: 2023-11-03

Fix Resolution: Django - 3.2.21,4.1.11,4.2.5


Step up your Open Source Security Game with Mend here

CVE-2023-46695 (High) detected in Django-3.2.16-py3-none-any.whl

CVE-2023-46695 - High Severity Vulnerability

Vulnerable Library - Django-3.2.16-py3-none-any.whl

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8a/c4/f946a6b02fcbba84e56074f2fc36866433b009bea2528b09fe0bac4fe1aa/Django-3.2.16-py3-none-any.whl

Path to dependency file: /tmp/ws-scm/django-migration-fixer

Path to vulnerable library: /tmp/ws-scm/django-migration-fixer

Dependency Hierarchy:

  • Django-3.2.16-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.

Publish Date: 2023-11-02

URL: CVE-2023-46695

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.djangoproject.com/weblog/2023/nov/01/security-releases/

Release Date: 2023-10-25

Fix Resolution: Django - 3.2.23,4.1.13,4.2.7



Improve logging

  • Add verbose logging support to correctly display all migration changes.

CVE-2023-40267 (Critical) detected in GitPython-3.1.30-py3-none-any.whl

CVE-2023-40267 - Critical Severity Vulnerability

Vulnerable Library - GitPython-3.1.30-py3-none-any.whl

GitPython is a python library used to interact with Git repositories

Library home page: https://files.pythonhosted.org/packages/d0/7c/e6942be5f2c03a9de68a6c782373dcec7dc1d10664dd20652bfb7307f905/GitPython-3.1.30-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/tmp/ws-scm/django-migration-fixer

Dependency Hierarchy:

  • GitPython-3.1.30-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.

Publish Date: 2023-08-11

URL: CVE-2023-40267

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2023-08-11

Fix Resolution: GitPython - 3.1.32



CVE-2022-24439 (High) detected in GitPython-3.1.29-py3-none-any.whl - autoclosed

CVE-2022-24439 - High Severity Vulnerability

Vulnerable Library - GitPython-3.1.29-py3-none-any.whl

GitPython is a python library used to interact with Git repositories

Library home page: https://files.pythonhosted.org/packages/1f/d3/020efb312a7d25fa00e144497a33378d415552e5581be080a99017af6d39/GitPython-3.1.29-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/tmp/ws-scm/django-migration-fixer

Dependency Hierarchy:

  • GitPython-3.1.29-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.

Publish Date: 2022-12-06

URL: CVE-2022-24439

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


CVE-2023-41040 (Medium) detected in GitPython-3.1.30-py3-none-any.whl

CVE-2023-41040 - Medium Severity Vulnerability

Vulnerable Library - GitPython-3.1.30-py3-none-any.whl

GitPython is a python library used to interact with Git repositories

Library home page: https://files.pythonhosted.org/packages/d0/7c/e6942be5f2c03a9de68a6c782373dcec7dc1d10664dd20652bfb7307f905/GitPython-3.1.30-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/tmp/ws-scm/django-migration-fixer

Dependency Hierarchy:

  • GitPython-3.1.30-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

GitPython is a python library used to interact with Git repositories. In order to resolve some git references, GitPython reads files from the .git directory, in some places the name of the file being read is provided by the user, GitPython doesn't check if this file is located outside the .git directory. This allows an attacker to make GitPython read any file from the system. This vulnerability is present in https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175. That code joins the base directory with a user given string without checking if the final path is located outside the base directory. This vulnerability cannot be used to read the contents of files but could in theory be used to trigger a denial of service for the program. This issue has not yet been addressed.

Publish Date: 2023-08-30

URL: CVE-2023-41040

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: GHSA-cwvm-v4w8-q58c

Release Date: 2023-08-30

Fix Resolution: 3.1.35



[Testing]: Setup django-test-migrations

Explore using https://pypi.org/project/django-test-migrations/ to verify migration nodes output.

  • Test more than 1 migration conflict on a PR branch
  • Test re-seeding migrations based on a parent branch, i.e. can this be aware of main <- branch a <- branch b, updating branch a using main but branch b based on branch a? (Can be solved using GitHub Actions.)
  • Test using a different default branch.
  • Test all of the above using (named and numbered migrations).

CVE-2023-24580 (High) detected in Django-3.2.16-py3-none-any.whl

CVE-2023-24580 - High Severity Vulnerability

Vulnerable Library - Django-3.2.16-py3-none-any.whl

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8a/c4/f946a6b02fcbba84e56074f2fc36866433b009bea2528b09fe0bac4fe1aa/Django-3.2.16-py3-none-any.whl

Path to dependency file: /tmp/ws-scm/django-migration-fixer

Path to vulnerable library: /tmp/ws-scm/django-migration-fixer

Dependency Hierarchy:

  • Django-3.2.16-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.

Publish Date: 2023-02-15

URL: CVE-2023-24580

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://seclists.org/oss-sec/2023/q1/93

Release Date: 2023-02-15

Fix Resolution: Django - 3.2.18,4.0.10,4.1.7



CVE-2023-31047 (Critical) detected in Django-3.2.16-py3-none-any.whl

CVE-2023-31047 - Critical Severity Vulnerability

Vulnerable Library - Django-3.2.16-py3-none-any.whl

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8a/c4/f946a6b02fcbba84e56074f2fc36866433b009bea2528b09fe0bac4fe1aa/Django-3.2.16-py3-none-any.whl

Path to dependency file: /tmp/ws-scm/django-migration-fixer

Path to vulnerable library: /tmp/ws-scm/django-migration-fixer

Dependency Hierarchy:

  • Django-3.2.16-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.

Publish Date: 2023-05-07

URL: CVE-2023-31047

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://seclists.org/oss-sec/2023/q2/110

Release Date: 2023-05-07

Fix Resolution: Django - 3.2.19,4.1.9,4.2.1



CVE-2024-27351 (Medium) detected in Django-3.2.16-py3-none-any.whl

CVE-2024-27351 - Medium Severity Vulnerability

Vulnerable Library - Django-3.2.16-py3-none-any.whl

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8a/c4/f946a6b02fcbba84e56074f2fc36866433b009bea2528b09fe0bac4fe1aa/Django-3.2.16-py3-none-any.whl

Path to dependency file: /tmp/ws-scm/django-migration-fixer

Path to vulnerable library: /tmp/ws-scm/django-migration-fixer

Dependency Hierarchy:

  • Django-3.2.16-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.

Publish Date: 2024-03-15

URL: CVE-2024-27351

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://seclists.org/oss-sec/2024/q1/185

Release Date: 2024-03-15

Fix Resolution: Django - 3.2.25,4.2.11,5.0.3



[Feature] Add support for resolving migration conflicts on the same branch

Is this feature missing in the latest version?

  • I'm using the latest release

Is your feature request related to a problem? Please describe.

Running migration fixer on the same branch doesn't correctly identify the files that should be updated and falsely reports a successful status.

Describe the solution you'd like?

Running migration fixer on the base branch where a conflict was detected naively resolves conflicts by checking the migration tree:

IF:

   c 
  /
a 
   \
    b -> d

USE

a  -> b -> d -> c

IF:

   c 
  /
a 
   \
    b

USE

a  -> b -> c  OR a  -> c -> b 

NOTE: This might require checking the modified time, or some time value in git that includes the mtime.

Describe alternatives you've considered?

No response

Anything else?

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
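The tree-chaining sketched in the request above, worked through as an added example (this is not the project's own code): a small Python model of one app's migration graph that finds the multiple leaf nodes and re-parents the head of each later branch onto the previous branch's leaf, so `a <- c, a <- b <- d` becomes `a -> b -> d -> c`. Ordering the branches by the leaf file's mtime is an assumption taken from the NOTE in the request; the `Migration` class, the function names and the sample graphs are constructed here.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Migration:
    """One migration file of a single Django app (constructed model, not Django's loader)."""
    name: str
    depends_on: Set[str] = field(default_factory=set)  # same-app dependencies only
    mtime: float = 0.0  # file modification time; the tie-break the request hints at


Graph = Dict[str, Migration]


def leaf_nodes(graph: Graph) -> List[str]:
    """Migrations nothing else depends on; two or more is Django's 'multiple leaf nodes' error."""
    referenced = {dep for m in graph.values() for dep in m.depends_on}
    return sorted(name for name in graph if name not in referenced)


def ancestors(graph: Graph, name: str) -> Set[str]:
    """Every same-app migration reachable from `name` through its dependencies."""
    seen: Set[str] = set()
    stack = [name]
    while stack:
        for dep in graph[stack.pop()].depends_on:
            if dep in graph and dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def branch(graph: Graph, leaf: str, shared: Set[str]) -> List[str]:
    """Nodes exclusive to one leaf, root-most first, stopping at the first shared ancestor."""
    chain: List[str] = []
    cur = leaf
    while cur not in shared:
        chain.append(cur)
        parents = sorted(d for d in graph[cur].depends_on if d in graph)
        if not parents:
            break  # reached a root without meeting a shared node (disjoint histories)
        cur = parents[0]  # assumption: one same-app parent per node, as makemigrations writes
    return chain[::-1]


def linearize(graph: Graph) -> Graph:
    """Copy of the graph with every fork chained into one line.

    Branches are ordered oldest leaf first; the head of each later branch is
    re-parented onto the previous branch's leaf, so a<-c, a<-b<-d becomes a->b->d->c.
    """
    leaves = leaf_nodes(graph)
    fixed = {n: Migration(m.name, set(m.depends_on), m.mtime) for n, m in graph.items()}
    if len(leaves) < 2:
        return fixed  # nothing to resolve
    anc = {leaf: ancestors(graph, leaf) for leaf in leaves}
    shared: Set[str] = set()  # ancestors common to at least two leaves: the fork points
    for i, first in enumerate(leaves):
        for second in leaves[i + 1:]:
            shared |= anc[first] & anc[second]
    ordered = sorted(leaves, key=lambda leaf: (graph[leaf].mtime, leaf))
    prev_leaf = None
    for leaf in ordered:
        head = branch(graph, leaf, shared)[0]
        if prev_leaf is not None:
            kept = {d for d in fixed[head].depends_on if d not in shared}
            fixed[head].depends_on = kept | {prev_leaf}  # hang this branch off the previous one
        prev_leaf = leaf
    return fixed


def linear_order(graph: Graph) -> List[str]:
    """Root-to-leaf order of a graph that has exactly one leaf; raises otherwise."""
    leaves = leaf_nodes(graph)
    if len(leaves) != 1:
        raise ValueError(f"graph still has {len(leaves)} leaf nodes: {leaves}")
    order: List[str] = []
    cur = leaves[0]
    while cur is not None:
        order.append(cur)
        parents = sorted(d for d in graph[cur].depends_on if d in graph)
        cur = parents[0] if parents else None
    return order[::-1]


def sample_fork_with_tail() -> Graph:
    """Constructed: a <- c and a <- b <- d (the first diagram in the request)."""
    return {
        "a": Migration("a", set(), mtime=1.0),
        "b": Migration("b", {"a"}, mtime=2.0),
        "d": Migration("d", {"b"}, mtime=3.0),
        "c": Migration("c", {"a"}, mtime=4.0),
    }


def sample_simple_fork(c_is_older: bool) -> Graph:
    """Constructed: a <- b and a <- c (the second diagram); mtime decides which goes first."""
    b_time, c_time = (3.0, 2.0) if c_is_older else (2.0, 3.0)
    return {
        "a": Migration("a", set(), mtime=1.0),
        "b": Migration("b", {"a"}, mtime=b_time),
        "c": Migration("c", {"a"}, mtime=c_time),
    }


if __name__ == "__main__":
    for g in (sample_fork_with_tail(), sample_simple_fork(False), sample_simple_fork(True)):
        print(leaf_nodes(g), "->", " -> ".join(linear_order(linearize(g))))
```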

Support fix without fetch/pull

Is your feature request related to a problem? Please describe.

The pull/fetch behavior is quite surprising, and doesn't work in some environments such as Docker, where the container does not have permission to fetch/pull from the remote.

For me it launched an ssh warning, because it's a Docker, with no access to my GitHub account, which led me to reading the source to confirm the library was doing nothing untoward before proceeding, and then it didn't work anyway.

Describe the solution you'd like?

It'd be great if there was an option to skip that step, and assume the user has already brought their base branch up to date, commenting out https://github.com/tj-django/django-migration-fixer/blob/main/migration_fixer/management/commands/makemigrations.py#L115-L126 seems to do the trick.

Describe alternatives you've considered?

No response

Anything else?

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct

CVE-2024-22190 (High) detected in GitPython-3.1.30-py3-none-any.whl

CVE-2024-22190 - High Severity Vulnerability

Vulnerable Library - GitPython-3.1.30-py3-none-any.whl

GitPython is a python library used to interact with Git repositories

Library home page: https://files.pythonhosted.org/packages/d0/7c/e6942be5f2c03a9de68a6c782373dcec7dc1d10664dd20652bfb7307f905/GitPython-3.1.30-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/tmp/ws-scm/django-migration-fixer

Dependency Hierarchy:

  • GitPython-3.1.30-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

GitPython is a python library used to interact with Git repositories. There is an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run git, as well as when it runs bash.exe to interpret hooks. If either of those features are used on Windows, a malicious git.exe or bash.exe may be run from an untrusted repository. This issue has been patched in version 3.1.41.

Publish Date: 2024-01-11

URL: CVE-2024-22190

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-22190

Release Date: 2024-01-11

Fix Resolution: GitPython - 3.1.41



CVE-2024-24680 (High) detected in Django-3.2.16-py3-none-any.whl

CVE-2024-24680 - High Severity Vulnerability

Vulnerable Library - Django-3.2.16-py3-none-any.whl

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8a/c4/f946a6b02fcbba84e56074f2fc36866433b009bea2528b09fe0bac4fe1aa/Django-3.2.16-py3-none-any.whl

Path to dependency file: /tmp/ws-scm/django-migration-fixer

Path to vulnerable library: /tmp/ws-scm/django-migration-fixer

Dependency Hierarchy:

  • Django-3.2.16-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.

Publish Date: 2024-02-06

URL: CVE-2024-24680

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.djangoproject.com/weblog/2024/feb/06/security-releases/

Release Date: 2024-02-06

Fix Resolution: 3.2.24



CVE-2023-40590 (High) detected in GitPython-3.1.30-py3-none-any.whl

CVE-2023-40590 - High Severity Vulnerability

Vulnerable Library - GitPython-3.1.30-py3-none-any.whl

GitPython is a python library used to interact with Git repositories

Library home page: https://files.pythonhosted.org/packages/d0/7c/e6942be5f2c03a9de68a6c782373dcec7dc1d10664dd20652bfb7307f905/GitPython-3.1.30-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/tmp/ws-scm/django-migration-fixer

Dependency Hierarchy:

  • GitPython-3.1.30-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

GitPython is a python library used to interact with Git repositories. When resolving a program, Python/Windows look for the current working directory, and after that the PATH environment. GitPython defaults to use the git command; if a user runs GitPython from a repo that has a git.exe or git executable, that program will be run instead of the one in the user's PATH. This is more of a problem on how Python interacts with Windows systems; Linux and any other OS aren't affected by this. But probably people using GitPython usually run it from the CWD of a repo. An attacker can trick a user to download a repository with a malicious git executable; if the user runs/imports GitPython from that directory, it allows the attacker to run any arbitrary commands. There is no fix currently available for Windows users, however there are a few mitigations. 1: Default to an absolute path for the git program on Windows, like C:\Program Files\Git\cmd\git.EXE (default git path installation). 2: Require users to set the GIT_PYTHON_GIT_EXECUTABLE environment variable on Windows systems. 3: Make this problem prominent in the documentation and advise users to never run GitPython from an untrusted repo, or set the GIT_PYTHON_GIT_EXECUTABLE env var to an absolute path. 4: Resolve the executable manually by only looking into the PATH environment variable.

Publish Date: 2023-08-28

URL: CVE-2023-40590

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-wfm5-v35h-vwf4

Release Date: 2023-08-28

Fix Resolution: GitPython - 3.1.33



WS-2021-0369 (Medium) detected in sqlparse-0.4.1-py3-none-any.whl - autoclosed

WS-2021-0369 - Medium Severity Vulnerability

Vulnerable Library - sqlparse-0.4.1-py3-none-any.whl

A non-validating SQL parser.

Library home page: https://files.pythonhosted.org/packages/14/05/6e8eb62ca685b10e34051a80d7ea94b7137369d8c0be5c3b9d9b6e3f5dae/sqlparse-0.4.1-py3-none-any.whl

Path to dependency file: django-migration-fixer

Path to vulnerable library: django-migration-fixer

Dependency Hierarchy:

  • sqlparse-0.4.1-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

StripComments filter contains a regular expression that is vulnerable to ReDOS (Regular Expression Denial of Service)
The formatter function that strips comments from SQL contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). The regular expression may cause exponential backtracking on strings containing many repetitions of '\r\n' in SQL comments.

Publish Date: 2021-09-10

URL: WS-2021-0369

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: N/A
    • Attack Complexity: N/A
    • Privileges Required: N/A
    • User Interaction: N/A
    • Scope: N/A
  • Impact Metrics:
    • Confidentiality Impact: N/A
    • Integrity Impact: N/A
    • Availability Impact: N/A


Suggested Fix

Type: Upgrade version

Origin: GHSA-p5w8-wqhj-9hhf

Release Date: 2021-09-10

Fix Resolution: sqlparse - 0.4.2



Improve test coverage

  • Test more than 1 migration conflict on a PR branch
  • Test multiple migration conflicts on a PR branch
  • Test re-seeding migrations based on a parent branch, i.e. can this be aware of main <- branch a <- branch b, updating branch a using main but branch b based on branch a? (Can be solved using GitHub Actions.)
  • Test using a different default branch.
  • Test all of the above using (named and numbered migrations).

CVE-2024-4340 (High) detected in sqlparse-0.4.3-py3-none-any.whl

CVE-2024-4340 - High Severity Vulnerability

Vulnerable Library - sqlparse-0.4.3-py3-none-any.whl

A non-validating SQL parser.

Library home page: https://files.pythonhosted.org/packages/97/d3/31dd2c3e48fc2060819f4acb0686248250a0f2326356306b38a42e059144/sqlparse-0.4.3-py3-none-any.whl

Path to dependency file: /tmp/ws-scm/django-migration-fixer

Path to vulnerable library: /tmp/ws-scm/django-migration-fixer,/requirements.txt

Dependency Hierarchy:

  • sqlparse-0.4.3-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.

Publish Date: 2024-04-30

URL: CVE-2024-4340

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-4340

Release Date: 2024-04-30

Fix Resolution: sqlparse - 0.5.0



CVE-2023-36053 (High) detected in Django-3.2.16-py3-none-any.whl

CVE-2023-36053 - High Severity Vulnerability

Vulnerable Library - Django-3.2.16-py3-none-any.whl

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8a/c4/f946a6b02fcbba84e56074f2fc36866433b009bea2528b09fe0bac4fe1aa/Django-3.2.16-py3-none-any.whl

Path to dependency file: /tmp/ws-scm/django-migration-fixer

Path to vulnerable library: /tmp/ws-scm/django-migration-fixer

Dependency Hierarchy:

  • Django-3.2.16-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.

Publish Date: 2023-07-03

URL: CVE-2023-36053

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://seclists.org/oss-sec/2023/q3/2

Release Date: 2023-07-03

Fix Resolution: Django - 3.2.20,4.1.10,4.2.3



[BUG] Doesn't work with multiple remotes

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug?

We're hosting our app on Heroku, to which we deploy using git. Therefore our local environments have an origin remote pointing to GitHub and a second heroku remote for deployments.

This heroku remote only has one branch (which is not our main/develop branch), and this creates issues when I try to fix migrations on my local machine.

To Reproduce

  1. Have a remote with multiple origins, without the main branch existing on one of the origins.
  2. Run ./manage.py makemigrations --fix -b develop (Though I suspect -b is not necessary)
  3. Watch it fail

What OS are you seeing the problem on?

linux

Expected behavior?

I expected the command to just work.

Relevant log output

DEBUG:git.cmd:Popen(["git", "version"], cwd=/home/jonas/Projects/hvn/hvn, universal_newlines=False, shell=null, istream=None)
DEBUG:git.cmd:Popen(["git", "version"], cwd=/home/jonas/Projects/hvn/hvn, universal_newlines=False, shell=null, istream=None)
DEBUG:git.cmd:Popen(["git", "init"], cwd=/home/jonas/Projects/hvn/hvn, universal_newlines=False, shell=null, istream=None)
DEBUG:git.cmd:Popen(["git", "cat-file", "--batch-check"], cwd=/home/jonas/Projects/hvn/hvn, universal_newlines=False, shell=null, istream=<valid stream>)
DEBUG:git.cmd:Popen(["git", "diff", "--cached", "--abbrev=40", "--full-index", "--raw"], cwd=/home/jonas/Projects/hvn/hvn, universal_newlines=False, shell=null, istream=None)
DEBUG:git.cmd:Popen(["git", "diff", "--abbrev=40", "--full-index", "--raw"], cwd=/home/jonas/Projects/hvn/hvn, universal_newlines=False, shell=null, istream=None)
DEBUG:git.cmd:Popen(["git", "fetch", "-v", "origin", "develop:develop"], cwd=/home/jonas/Projects/hvn/hvn, universal_newlines=True, shell=null, istream=None)
DEBUG:git.remote:Fetch head lines do not match lines provided via progress information
length of progress lines 2 should be equal to lines in FETCH_HEAD file 1
Will ignore extra progress lines or fetch head lines.
DEBUG:git.remote:info lines: [' = [up to date]        develop    -> develop', ' = [up to date]        develop    -> origin/develop']
DEBUG:git.remote:head info : ["fb17c22cd7c51a81166749ce165d7c3a8433ae6d\t\tbranch 'develop' of github.com:hvntravel/hvn\n"]
DEBUG:git.cmd:Popen(["git", "fetch", "-v", "heroku", "develop:develop"], cwd=/home/jonas/Projects/hvn/hvn, universal_newlines=True, shell=null, istream=None)
DEBUG:git.cmd:AutoInterrupt wait stderr: b''
Traceback (most recent call last):
  File "/home/jonas/Projects/hvn/hvn/.venv/lib/python3.8/site-packages/migration_fixer/management/commands/makemigrations.py", line 60, in handle
    super().handle(*app_labels, **options)
  File "/home/jonas/Projects/hvn/hvn/.venv/lib/python3.8/site-packages/django/core/management/base.py", line 83, in wrapped
    res = handle_func(*args, **kwargs)
  File "/home/jonas/Projects/hvn/hvn/.venv/lib/python3.8/site-packages/django/core/management/commands/makemigrations.py", line 119, in handle
    raise CommandError(
django.core.management.base.CommandError: Conflicting migrations detected; multiple leaf nodes in the migration graph: (0306_delete_vrmsurvey, 0306_reservation_email_comms_force_active in vr).
To fix them run 'python manage.py makemigrations --merge'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "./manage.py", line 50, in <module>
    execute_from_command_line(sys.argv)
  File "/home/jonas/Projects/hvn/hvn/.venv/lib/python3.8/site-packages/django/core/management/__init__.py", line 381, in execute_from_command_line
    utility.execute()
  File "/home/jonas/Projects/hvn/hvn/.venv/lib/python3.8/site-packages/django/core/management/__init__.py", line 375, in execute
    self.fetch_command(subcommand).run_from_argv(self.argv)
  File "/home/jonas/Projects/hvn/hvn/.venv/lib/python3.8/site-packages/django/core/management/base.py", line 323, in run_from_argv
    self.execute(*args, **cmd_options)
  File "/home/jonas/Projects/hvn/hvn/.venv/lib/python3.8/site-packages/django/core/management/base.py", line 364, in execute
    output = self.handle(*args, **options)
  File "/home/jonas/Projects/hvn/hvn/.venv/lib/python3.8/site-packages/migration_fixer/utils.py", line 118, in wrapped
    res = handle_func(*args, **kwargs)
  File "/home/jonas/Projects/hvn/hvn/.venv/lib/python3.8/site-packages/migration_fixer/management/commands/makemigrations.py", line 109, in handle
    remote.fetch(
  File "/home/jonas/Projects/hvn/hvn/.venv/lib/python3.8/site-packages/git/remote.py", line 828, in fetch
    res = self._get_fetch_info_from_stderr(proc, progress)
  File "/home/jonas/Projects/hvn/hvn/.venv/lib/python3.8/site-packages/git/remote.py", line 702, in _get_fetch_info_from_stderr
    proc.wait(stderr=stderr_text)
  File "/home/jonas/Projects/hvn/hvn/.venv/lib/python3.8/site-packages/git/cmd.py", line 447, in wait
    raise GitCommandError(remove_password_if_present(self.args), status, errstr)
git.exc.GitCommandError: Cmd('git') failed due to: exit code(1)
  cmdline: git fetch -v heroku develop:develop

Anything else?

Heroku Documentation: https://devcenter.heroku.com/articles/git#creating-a-heroku-remote

Code of Conduct

  • I agree to follow this project's Code of Conduct

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Rate-Limited

These updates are currently rate-limited. Click on a checkbox below to force their creation now.

  • chore(deps): update dependency gitdb to v4.0.11
  • chore(deps): update dependency smmap to v5.0.1
  • chore(deps): update actions/checkout action to v3.6.0
  • chore(deps): update codacy/codacy-analysis-cli-action action to v4.4.0
  • chore(deps): update dependency mkdocs to >=1.6,<1.7
  • chore(deps): update dependency pygments to >=2.18,<2.19
  • chore(deps): update dependency pymdown-extensions to >=9.11,<9.12
  • chore(deps): update dependency typing-extensions to v4.11.0
  • chore(deps): update actions/cache action to v4
  • chore(deps): update actions/checkout action to v4
  • chore(deps): update actions/setup-python action to v5
  • chore(deps): update codecov/codecov-action action to v4
  • chore(deps): update dependency pymdown-extensions to v10
  • chore(deps): update dependency pytz to v2024
  • chore(deps): update github/codeql-action action to v3
  • chore(deps): update peter-evans/create-pull-request action to v6
  • chore(deps): update tj-actions/semver-diff action to v3
  • 🔐 Create all rate-limited PRs at once 🔐

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

github-actions
.github/workflows/auto-approve.yml
  • hmarr/auto-approve-action v3
.github/workflows/auto-merge.yml
  • pascalgn/automerge-action v0.15.5
.github/workflows/codacy-analysis.yml
  • actions/checkout v3
  • codacy/codacy-analysis-cli-action v4.2.0
  • github/codeql-action v2
.github/workflows/deploy.yml
  • actions/checkout v3
  • tj-actions/semver-diff v2.4.1
  • actions/setup-python v4
  • tj-actions/github-changelog-generator v1.15
  • peter-evans/create-pull-request v4
.github/workflows/greetings.yml
  • actions/first-interaction v1
.github/workflows/test.yml
  • rokroskar/workflow-run-cleanup-action v0.3.3
  • actions/checkout v3
  • actions/setup-python v4
  • actions/cache v3
  • codacy/codacy-coverage-reporter-action v1
  • codecov/codecov-action v3.1.1
.github/workflows/update-doc-assets.yml
  • actions/checkout v3.5.2
  • tj-actions/remark v3
  • tj-actions/verify-changed-files v12
  • peter-evans/create-pull-request v4
  • actions/setup-python v4
pip_requirements
requirements.txt
  • asgiref ==3.5.2
  • django ==4.1.6
  • gitdb ==4.0.10
  • gitpython ==3.1.30
  • pytz ==2022.7.1
  • smmap ==5.0.0
  • sqlparse ==0.4.4
  • typing-extensions ==4.4.0
pip_setup
setup.py
  • mkdocs >=1.4,<1.5
  • mkdocs-material-extensions >=1.0.3
  • pygments >=2.15,<2.16
  • pymdown-extensions >=9.9,<9.10
  • typing_extensions >=3.10.0.0
  • pytest >=3

  • Check this box to trigger a request for Renovate to run again on this repository

Initial Update

The bot created this issue to inform you that pyup.io has been set up on this repo.
Once you have closed it, the bot will open pull requests for updates as soon as they are available.

CVE-2023-30608 (High) detected in sqlparse-0.4.3-py3-none-any.whl

CVE-2023-30608 - High Severity Vulnerability

Vulnerable Library - sqlparse-0.4.3-py3-none-any.whl

A non-validating SQL parser.

Library home page: https://files.pythonhosted.org/packages/97/d3/31dd2c3e48fc2060819f4acb0686248250a0f2326356306b38a42e059144/sqlparse-0.4.3-py3-none-any.whl

Path to dependency file: /tmp/ws-scm/django-migration-fixer

Path to vulnerable library: /tmp/ws-scm/django-migration-fixer,/requirements.txt

Dependency Hierarchy:

  • sqlparse-0.4.3-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit e75e358. The vulnerability may lead to Denial of Service (DoS). This issue has been fixed in sqlparse 0.4.4 by commit c457abd5f. Users are advised to upgrade. There are no known workarounds for this issue.

Publish Date: 2023-04-18

URL: CVE-2023-30608

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-rrm6-wvj7-cwh2

Release Date: 2023-04-18

Fix Resolution: 0.4.4


Step up your Open Source Security Game with Mend here

Support custom migrations base paths

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug?

The logic to determine the migrations path from the import path is flawed somehow, and doesn't account for projects with a non-standard django directory structure.

https://github.com/tj-django/django-migration-fixer/blob/main/migration_fixer/management/commands/makemigrations.py#L172-L178

To Reproduce

Set up a project structure where migrations doesn't live appname/migrations away from BASE_DIR.

What OS are you seeing the problem on?

linux

Expected behavior?

The migrations directory should be loaded the same way django loads it, so it can never mismatch. If there's no better way, perhaps it should load the migrations module and inspect its modulepath.

Relevant log output

Traceback (most recent call last):
  File "manage.py", line 15, in <module>
    execute_from_command_line(sys.argv)
  File "/app/.venv/lib/python3.8/site-packages/django/core/management/__init__.py", line 419, in execute_from_command_line
    utility.execute()
  File "/app/.venv/lib/python3.8/site-packages/django/core/management/__init__.py", line 413, in execute
    self.fetch_command(subcommand).run_from_argv(self.argv)
  File "/app/.venv/lib/python3.8/site-packages/django/core/management/base.py", line 354, in run_from_argv
    self.execute(*args, **cmd_options)
  File "/app/.venv/lib/python3.8/site-packages/django/core/management/base.py", line 398, in execute
    output = self.handle(*args, **options)
  File "/app/.venv/lib/python3.8/site-packages/migration_fixer/utils.py", line 114, in wrapped
    res = handle_func(*args, **kwargs)
  File "/app/.venv/lib/python3.8/site-packages/migration_fixer/management/commands/makemigrations.py", line 247, in handle
    fix_numbered_migration(
  File "/app/.venv/lib/python3.8/site-packages/migration_fixer/utils.py", line 94, in fix_numbered_migration
    _update_migration(conflict_path, app_label, prev_migration)
  File "/app/.venv/lib/python3.8/site-packages/migration_fixer/utils.py", line 26, in _update_migration
    match = replace_regex.search(conflict_path.read_text())
  File "/usr/local/lib/python3.8/pathlib.py", line 1235, in read_text
    with self.open(mode='r', encoding=encoding, errors=errors) as f:
  File "/usr/local/lib/python3.8/pathlib.py", line 1221, in open
    return io.open(self, mode, buffering, encoding, errors, newline,
  File "/usr/local/lib/python3.8/pathlib.py", line 1077, in _opener
    return self._accessor.open(self, flags, mode)
FileNotFoundError: [Errno 2] No such file or directory: '/app/core/migrations/0020_test.py'

The path is `/app/projectname/core`, not `/app/core` 👆️

Anything else?

Alternatively to fixing the detection, the ability to supply a path instead of BASE_DIR would work; the project I'm working on already has another constant that is the correct path to use in this case. The task runs successfully when I copy it into the project and fix the 2 issues I've created 🤘🏼

Code of Conduct

  • I agree to follow this project's Code of Conduct
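The two strategies the report contrasts, as an added example that is not the project's own code: guessing `BASE_DIR/<app_label>/migrations` versus importing `<app name>.migrations` and reading the package's `__path__`, which is how Django's migration loader locates the directory. The project layout (`projectname/core/migrations/0020_test.py`) is constructed in a temporary directory to match the traceback, and the function names are assumptions.

```python
import importlib
import sys
import tempfile
from pathlib import Path


def guessed_migrations_dir(base_dir: Path, app_label: str) -> Path:
    """Constructed stand-in for the path-guessing approach the issue describes:
    assume the app lives directly under BASE_DIR as <app_label>/migrations."""
    return base_dir / app_label / "migrations"


def imported_migrations_dir(app_name: str, module_name: str = "migrations") -> Path:
    """Resolve the migrations directory the way Django's loader does: import
    '<app_name>.<module_name>' and read the package's __path__. Assumes the
    default module name; MIGRATION_MODULES overrides are not handled here."""
    module = importlib.import_module(f"{app_name}.{module_name}")
    return Path(list(module.__path__)[0]).resolve()


def build_fixture() -> Path:
    """Constructed project layout matching the issue: the app is nested as
    <base>/projectname/core, so <base>/core/migrations does not exist."""
    base = Path(tempfile.mkdtemp())
    for rel in ("projectname", "projectname/core", "projectname/core/migrations"):
        (base / rel).mkdir()
        (base / rel / "__init__.py").write_text("")
    (base / "projectname/core/migrations/0020_test.py").write_text("# stub\n")
    return base


def compare(base_dir: Path, app_label: str, app_name: str) -> dict:
    """Report whether each strategy can see the migration file that the
    FileNotFoundError in the issue's traceback was looking for."""
    sys.path.insert(0, str(base_dir))
    try:
        guessed = guessed_migrations_dir(base_dir, app_label)
        imported = imported_migrations_dir(app_name)
    finally:
        sys.path.remove(str(base_dir))
    return {
        "guessed": guessed,
        "guessed_has_0020": (guessed / "0020_test.py").exists(),
        "imported": imported,
        "imported_has_0020": (imported / "0020_test.py").exists(),
    }


if __name__ == "__main__":
    print(compare(build_fixture(), "core", "projectname.core"))
```

A real resolver would also honour the MIGRATION_MODULES setting, which lets a project point an app label at a different module.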

CVE-2023-43665 (High) detected in Django-3.2.16-py3-none-any.whl

CVE-2023-43665 - High Severity Vulnerability

Vulnerable Library - Django-3.2.16-py3-none-any.whl

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8a/c4/f946a6b02fcbba84e56074f2fc36866433b009bea2528b09fe0bac4fe1aa/Django-3.2.16-py3-none-any.whl

Path to dependency file: /tmp/ws-scm/django-migration-fixer

Path to vulnerable library: /tmp/ws-scm/django-migration-fixer

Dependency Hierarchy:

  • Django-3.2.16-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.

Publish Date: 2023-11-03

URL: CVE-2023-43665

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2023-43665

Release Date: 2023-11-03

Fix Resolution: Django - 3.2.22,4.1.12,4.2.6


Step up your Open Source Security Game with Mend here

CVE-2023-23969 (High) detected in Django-3.2.16-py3-none-any.whl

CVE-2023-23969 - High Severity Vulnerability

Vulnerable Library - Django-3.2.16-py3-none-any.whl

A high-level Python web framework that encourages rapid development and clean, pragmatic design.

Library home page: https://files.pythonhosted.org/packages/8a/c4/f946a6b02fcbba84e56074f2fc36866433b009bea2528b09fe0bac4fe1aa/Django-3.2.16-py3-none-any.whl

Path to dependency file: /tmp/ws-scm/django-migration-fixer

Path to vulnerable library: /tmp/ws-scm/django-migration-fixer

Dependency Hierarchy:

  • Django-3.2.16-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.

Publish Date: 2023-02-01

URL: CVE-2023-23969

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.djangoproject.com/weblog/2023/feb/01/security-releases/

Release Date: 2023-02-01

Fix Resolution: 3.2.17


Step up your Open Source Security Game with Mend here
