tj-django / django-migration-fixer
Resolve multiple leaf nodes error running django migrations.
Home Page: https://tj-django.github.io/django-migration-fixer/
License: MIT License
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/8a/c4/f946a6b02fcbba84e56074f2fc36866433b009bea2528b09fe0bac4fe1aa/Django-3.2.16-py3-none-any.whl
Path to dependency file: /tmp/ws-scm/django-migration-fixer
Path to vulnerable library: /tmp/ws-scm/django-migration-fixer
Found in base branch: main
In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
Publish Date: 2023-11-03
URL: CVE-2023-41164
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2023/sep/04/security-releases/
Release Date: 2023-11-03
Fix Resolution: Django - 3.2.21,4.1.11,4.2.5
Step up your Open Source Security Game with Mend here
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/8a/c4/f946a6b02fcbba84e56074f2fc36866433b009bea2528b09fe0bac4fe1aa/Django-3.2.16-py3-none-any.whl
Path to dependency file: /tmp/ws-scm/django-migration-fixer
Path to vulnerable library: /tmp/ws-scm/django-migration-fixer
Found in base branch: main
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
Publish Date: 2023-11-02
URL: CVE-2023-46695
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2023/nov/01/security-releases/
Release Date: 2023-10-25
Fix Resolution: Django - 3.2.23,4.1.13,4.2.7
GitPython is a python library used to interact with Git repositories
Library home page: https://files.pythonhosted.org/packages/d0/7c/e6942be5f2c03a9de68a6c782373dcec7dc1d10664dd20652bfb7307f905/GitPython-3.1.30-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/tmp/ws-scm/django-migration-fixer
Found in base branch: main
GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.
Publish Date: 2023-08-11
URL: CVE-2023-40267
GitPython is a python library used to interact with Git repositories
Library home page: https://files.pythonhosted.org/packages/1f/d3/020efb312a7d25fa00e144497a33378d415552e5581be080a99017af6d39/GitPython-3.1.29-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/tmp/ws-scm/django-migration-fixer
Found in base branch: main
All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.
Publish Date: 2022-12-06
URL: CVE-2022-24439
GitPython is a python library used to interact with Git repositories
Library home page: https://files.pythonhosted.org/packages/d0/7c/e6942be5f2c03a9de68a6c782373dcec7dc1d10664dd20652bfb7307f905/GitPython-3.1.30-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/tmp/ws-scm/django-migration-fixer
Found in base branch: main
GitPython is a python library used to interact with Git repositories. In order to resolve some git references, GitPython reads files from the .git directory; in some places the name of the file being read is provided by the user, and GitPython doesn't check if this file is located outside the .git directory. This allows an attacker to make GitPython read any file from the system. This vulnerability is present in https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175. That code joins the base directory with a user given string without checking if the final path is located outside the base directory. This vulnerability cannot be used to read the contents of files but could in theory be used to trigger a denial of service for the program. This issue has not yet been addressed.
Publish Date: 2023-08-30
URL: CVE-2023-41040
Type: Upgrade version
Origin: GHSA-cwvm-v4w8-q58c
Release Date: 2023-08-30
Fix Resolution: 3.1.35
Explore using https://pypi.org/project/django-test-migrations/ to verify migration nodes output.
branch a using main but branch b based on branch a (Can be solved using github actions.)
named and numbered migrations).
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/8a/c4/f946a6b02fcbba84e56074f2fc36866433b009bea2528b09fe0bac4fe1aa/Django-3.2.16-py3-none-any.whl
Path to dependency file: /tmp/ws-scm/django-migration-fixer
Path to vulnerable library: /tmp/ws-scm/django-migration-fixer
Found in base branch: main
An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10, and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-service attack.
Publish Date: 2023-02-15
URL: CVE-2023-24580
Type: Upgrade version
Origin: https://seclists.org/oss-sec/2023/q1/93
Release Date: 2023-02-15
Fix Resolution: Django - 3.2.18,4.0.10,4.1.7
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/8a/c4/f946a6b02fcbba84e56074f2fc36866433b009bea2528b09fe0bac4fe1aa/Django-3.2.16-py3-none-any.whl
Path to dependency file: /tmp/ws-scm/django-migration-fixer
Path to vulnerable library: /tmp/ws-scm/django-migration-fixer
Found in base branch: main
In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when using one form field to upload multiple files. This multiple upload has never been supported by forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's "Uploading multiple files" documentation suggested otherwise.
Publish Date: 2023-05-07
URL: CVE-2023-31047
Type: Upgrade version
Origin: https://seclists.org/oss-sec/2023/q2/110
Release Date: 2023-05-07
Fix Resolution: Django - 3.2.19,4.1.9,4.2.1
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/8a/c4/f946a6b02fcbba84e56074f2fc36866433b009bea2528b09fe0bac4fe1aa/Django-3.2.16-py3-none-any.whl
Path to dependency file: /tmp/ws-scm/django-migration-fixer
Path to vulnerable library: /tmp/ws-scm/django-migration-fixer
Found in base branch: main
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232 and CVE-2023-43665.
Publish Date: 2024-03-15
URL: CVE-2024-27351
Type: Upgrade version
Origin: https://seclists.org/oss-sec/2024/q1/185
Release Date: 2024-03-15
Fix Resolution: Django - 3.2.25,4.2.11,5.0.3
Running migration fixer on the same branch doesn't correctly identify the files that should be updated and falsely reports a successful status
Running migration fixer on the base branch where a conflict was detected naively resolves conflicts by checking the migration tree
IF:
      c
     /
    a
     \
      b -> d
USE
    a -> b -> d -> c
IF:
      c
     /
    a
     \
      b
USE
    a -> b -> c OR a -> c -> b
NOTE: This might require checking the modified time or some time value in git that includes the mtime
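An added example in Python (not the project's own code) that implements the two rules above for one app's migration graph: it finds the leaves, keeps each branch contiguous with the deeper branch first (rule 1), breaks ties between equally deep branches with an optional key such as the file mtime (rule 2), and reports which migration files would need their dependencies rewritten. The graphs, migration names and mtimes are constructed for the example.

```python
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Set, Tuple

# One app's migration graph: migration name -> names it depends on. Built by
# hand here; a real tool would read it from the migration files' `dependencies`.
Graph = Dict[str, Set[str]]


def leaf_nodes(graph: Graph) -> List[str]:
    """Migrations nothing else depends on; more than one is the
    'multiple leaf nodes' conflict that makemigrations refuses to run with."""
    depended_on = set().union(*graph.values()) if graph else set()
    return sorted(name for name in graph if name not in depended_on)


def _branch_depth(graph: Graph, children: Dict[str, List[str]]) -> Dict[str, int]:
    """Longest chain below each node. Rule 1: the deeper branch (b -> d)
    stays contiguous and goes first, the shorter one (c) is appended."""
    depth: Dict[str, int] = {}
    def walk(node: str) -> int:
        if node not in depth:
            depth[node] = 1 + max((walk(c) for c in children[node]), default=0)
        return depth[node]
    for node in graph:
        walk(node)
    return depth


def linearize(graph: Graph,
              order_key: Optional[Callable[[str], object]] = None) -> List[str]:
    """Order the migrations into one chain, keeping each branch contiguous.
    Rule 2: equally deep branches are ordered by order_key (e.g. the file's
    mtime taken from git or the filesystem); by default by name."""
    tiebreak = order_key or (lambda name: name)
    children: Dict[str, List[str]] = defaultdict(list)
    for name, deps in graph.items():
        for dep in deps:
            children[dep].append(name)
    depth = _branch_depth(graph, children)
    def key(name: str):
        return (-depth[name], tiebreak(name))
    chain: List[str] = []
    done: Set[str] = set()
    def visit(node: str) -> None:
        # A merge migration has two parents: emit it once both are in the chain.
        if node in done or not graph[node] <= done:
            return
        done.add(node)
        chain.append(node)
        for child in sorted(children[node], key=key):
            visit(child)
    for root in sorted((n for n, deps in graph.items() if not deps), key=key):
        visit(root)
    if len(chain) != len(graph):
        raise ValueError("migration graph has a cycle or a missing dependency")
    return chain


def resolve_conflicts(graph: Graph, order_key=None
                      ) -> Tuple[Graph, List[Tuple[str, Set[str], Set[str]]]]:
    """Rewrite dependencies so the app has a single leaf again. Returns the
    new graph and (migration, old_deps, new_deps) for each file to edit."""
    chain = linearize(graph, order_key)
    fixed: Graph = {}
    rewrites: List[Tuple[str, Set[str], Set[str]]] = []
    for prev, name in zip([None] + chain[:-1], chain):
        new_deps = {prev} if prev else set()
        fixed[name] = new_deps
        if new_deps != graph[name]:
            rewrites.append((name, set(graph[name]), new_deps))
    return fixed, rewrites


# Constructed conflict in the shape from the issue: two branches each added a
# 0002 on 0001_initial and one went on to 0003 (the c / a \ b -> d case).
CONFLICT: Graph = {
    "0001_initial": set(),
    "0002_add_email": {"0001_initial"},
    "0002_add_phone": {"0001_initial"},
    "0003_phone_index": {"0002_add_phone"},
}
# Equal-depth conflict (c / a \ b) with constructed mtimes for rule 2.
EQUAL: Graph = {
    "0001_initial": set(),
    "0002_add_email": {"0001_initial"},
    "0002_add_phone": {"0001_initial"},
}
MTIMES = {"0002_add_email": 1_700_000_100, "0002_add_phone": 1_700_000_000}
```

`resolve_conflicts(CONFLICT)` yields the chain 0001_initial -> 0002_add_phone -> 0003_phone_index -> 0002_add_email and a single rewrite (0002_add_email now depends on 0003_phone_index), which is what the tool would have to write back into that migration file.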
The pull/fetch behavior is quite surprising, and doesn't work in some environments such as Docker, where the container does not have permission to fetch/pull from the remote.
For me it launched an ssh warning, because it's a Docker, with no access to my GitHub account, which led me to reading the source to confirm the library was doing nothing untoward before proceeding, and then it didn't work anyway.
It'd be great if there was an option to skip that step, and assume the user has already brought their base branch up to date, commenting out https://github.com/tj-django/django-migration-fixer/blob/main/migration_fixer/management/commands/makemigrations.py#L115-L126 seems to do the trick.
subprocess call - check for execution of untrusted input.
process = subprocess.Popen(
Hi!
The install instructions say pip install django-view-breadcrumbs
which looks like a copy-paste error to me. Are you aware?
Best, Sebastian
GitPython is a python library used to interact with Git repositories
Library home page: https://files.pythonhosted.org/packages/d0/7c/e6942be5f2c03a9de68a6c782373dcec7dc1d10664dd20652bfb7307f905/GitPython-3.1.30-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/tmp/ws-scm/django-migration-fixer
Found in base branch: main
GitPython is a python library used to interact with Git repositories. There is an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run git, as well as when it runs bash.exe to interpret hooks. If either of those features are used on Windows, a malicious git.exe or bash.exe may be run from an untrusted repository. This issue has been patched in version 3.1.41.
Publish Date: 2024-01-11
URL: CVE-2024-22190
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-22190
Release Date: 2024-01-11
Fix Resolution: GitPython - 3.1.41
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/8a/c4/f946a6b02fcbba84e56074f2fc36866433b009bea2528b09fe0bac4fe1aa/Django-3.2.16-py3-none-any.whl
Path to dependency file: /tmp/ws-scm/django-migration-fixer
Path to vulnerable library: /tmp/ws-scm/django-migration-fixer
Found in base branch: main
An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a potential denial-of-service attack when used with very long strings.
Publish Date: 2024-02-06
URL: CVE-2024-24680
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2024/feb/06/security-releases/
Release Date: 2024-02-06
Fix Resolution: 3.2.24
GitPython is a python library used to interact with Git repositories
Library home page: https://files.pythonhosted.org/packages/d0/7c/e6942be5f2c03a9de68a6c782373dcec7dc1d10664dd20652bfb7307f905/GitPython-3.1.30-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/tmp/ws-scm/django-migration-fixer
Found in base branch: main
GitPython is a python library used to interact with Git repositories. When resolving a program, Python/Windows look in the current working directory first, and after that in the PATH environment. GitPython defaults to using the git command, so if a user runs GitPython from a repo that has a git.exe or git executable, that program will be run instead of the one in the user's PATH. This is more of a problem with how Python interacts with Windows systems; Linux and any other OS aren't affected by this. But people using GitPython probably usually run it from the CWD of a repo. An attacker can trick a user into downloading a repository with a malicious git executable; if the user runs/imports GitPython from that directory, it allows the attacker to run any arbitrary commands. There is no fix currently available for Windows users, however there are a few mitigations.
1: Default to an absolute path for the git program on Windows, like C:\\Program Files\\Git\\cmd\\git.EXE (default git path installation).
2: Require users to set the GIT_PYTHON_GIT_EXECUTABLE environment variable on Windows systems.
3: Make this problem prominent in the documentation and advise users to never run GitPython from an untrusted repo, or set the GIT_PYTHON_GIT_EXECUTABLE env var to an absolute path.
4: Resolve the executable manually by only looking into the PATH environment variable.
Publish Date: 2023-08-28
URL: CVE-2023-40590
Type: Upgrade version
Origin: GHSA-wfm5-v35h-vwf4
Release Date: 2023-08-28
Fix Resolution: GitPython - 3.1.33
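An added example in Python (not GitPython's code) of mitigations 2 and 4 from the advisory as a resolver a caller could use before handing a path to subprocess: it walks PATH itself, skips the empty and "." entries and any entry that resolves to the current repo, and accepts GIT_PYTHON_GIT_EXECUTABLE only when it is absolute. The directory layout and placeholder `git` files are constructed; it is exercised on POSIX, and the Windows PATHEXT handling is shown only for the candidate name list.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Mitigation 4: find "git" by walking PATH ourselves and pass the absolute
# result to subprocess, so the cwd (an untrusted repo) is never consulted.
# Mitigations 2/3: if GIT_PYTHON_GIT_EXECUTABLE is set it must be absolute.
# Constructed example, not GitPython's own code.


def candidate_names(program: str, windows: bool,
                    pathext: str = ".COM;.EXE;.BAT;.CMD") -> List[str]:
    """On Windows 'git' may be git.COM, git.EXE, ...; elsewhere the bare name."""
    if not windows or os.path.splitext(program)[1]:
        return [program]
    return [program + ext for ext in pathext.split(";") if ext]


def resolve_from_path_only(program: str, path_env: str, cwd: str,
                           windows: bool = False) -> Optional[str]:
    """Return the first executable for `program` found in PATH, never in cwd.

    An empty entry or '.' in PATH means 'current directory' and is skipped, and
    an entry that resolves to the cwd itself (the repo) is skipped too. Relative
    entries are resolved against cwd, as the process would resolve them.
    """
    sep = ";" if windows else ":"
    cwd_real = os.path.realpath(cwd)
    for entry in path_env.split(sep):
        if entry in ("", "."):
            continue
        base = entry if os.path.isabs(entry) else os.path.join(cwd, entry)
        if os.path.realpath(base) == cwd_real:
            continue
        for name in candidate_names(program, windows):
            candidate = os.path.join(base, name)
            if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
                return candidate
    return None


def git_executable(environ: Dict[str, str], cwd: str, windows: bool = False) -> str:
    """Absolute path to git to hand to subprocess.Popen, or an exception."""
    override = environ.get("GIT_PYTHON_GIT_EXECUTABLE")
    if override:
        # A relative override (e.g. "git") would reintroduce the cwd-first lookup.
        if not os.path.isabs(override):
            raise ValueError("GIT_PYTHON_GIT_EXECUTABLE must be an absolute path")
        if not os.path.isfile(override):
            raise FileNotFoundError(override)
        return override
    found = resolve_from_path_only("git", environ.get("PATH", ""), cwd, windows)
    if found is None:
        raise FileNotFoundError("git not found on PATH (cwd is deliberately not searched)")
    return found


def build_fixture() -> Dict[str, str]:
    """Constructed layout: a trusted bin dir and an 'untrusted repo' that ships
    its own `git` in its root. Both files are inert placeholders."""
    root = Path(tempfile.mkdtemp(prefix="gitpath-"))
    trusted = root / "usr" / "bin"
    repo = root / "untrusted-repo"
    trusted.mkdir(parents=True)
    repo.mkdir()
    for directory in (trusted, repo):
        exe = directory / "git"
        exe.write_text("#!/bin/sh\necho placeholder\n")
        exe.chmod(exe.stat().st_mode | stat.S_IXUSR)
    return {"trusted": str(trusted), "repo": str(repo)}


if __name__ == "__main__":
    fx = build_fixture()
    # Even with the repo as cwd and a git binary inside it, only PATH is used.
    print(resolve_from_path_only("git", fx["trusted"], fx["repo"]))
    print(resolve_from_path_only("git", "", fx["repo"]))  # nothing on PATH
```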
A non-validating SQL parser.
Library home page: https://files.pythonhosted.org/packages/14/05/6e8eb62ca685b10e34051a80d7ea94b7137369d8c0be5c3b9d9b6e3f5dae/sqlparse-0.4.1-py3-none-any.whl
Path to dependency file: django-migration-fixer
Path to vulnerable library: django-migration-fixer
Found in base branch: main
StripComments filter contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service)
The formatter function that strips comments from SQL contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). The regular expression may cause exponential backtracking on strings containing many repetitions of '\r\n' in SQL comments.
Publish Date: 2021-09-10
URL: WS-2021-0369
Type: Upgrade version
Origin: GHSA-p5w8-wqhj-9hhf
Release Date: 2021-09-10
Fix Resolution: sqlparse - 0.4.2
A non-validating SQL parser.
Library home page: https://files.pythonhosted.org/packages/97/d3/31dd2c3e48fc2060819f4acb0686248250a0f2326356306b38a42e059144/sqlparse-0.4.3-py3-none-any.whl
Path to dependency file: /tmp/ws-scm/django-migration-fixer
Path to vulnerable library: /tmp/ws-scm/django-migration-fixer,/requirements.txt
Found in base branch: main
Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.
Publish Date: 2024-04-30
URL: CVE-2024-4340
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-4340
Release Date: 2024-04-30
Fix Resolution: sqlparse - 0.5.0
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/8a/c4/f946a6b02fcbba84e56074f2fc36866433b009bea2528b09fe0bac4fe1aa/Django-3.2.16-py3-none-any.whl
Path to dependency file: /tmp/ws-scm/django-migration-fixer
Path to vulnerable library: /tmp/ws-scm/django-migration-fixer
Found in base branch: main
In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.
Publish Date: 2023-07-03
URL: CVE-2023-36053
Type: Upgrade version
Origin: https://seclists.org/oss-sec/2023/q3/2
Release Date: 2023-07-03
Fix Resolution: Django - 3.2.20,4.1.10,4.2.3
We're hosting our app on Heroku, to which we deploy using git. Therefore our local environments have an origin remote pointing to Github and a second heroku remote for deployments.
This heroku remote only has one branch, which is not our main/develop branch, and this creates issues when I try to fix migrations on my local machine.
./manage.py makemigrations --fix -b develop
(Though I suspect -b is not necessary)
linux
I expected the command to just work.
DEBUG:git.cmd:Popen(["git", "version"], cwd=/home/jonas/Projects/hvn/hvn, universal_newlines=False, shell=null, istream=None)
DEBUG:git.cmd:Popen(["git", "version"], cwd=/home/jonas/Projects/hvn/hvn, universal_newlines=False, shell=null, istream=None)
DEBUG:git.cmd:Popen(["git", "init"], cwd=/home/jonas/Projects/hvn/hvn, universal_newlines=False, shell=null, istream=None)
DEBUG:git.cmd:Popen(["git", "cat-file", "--batch-check"], cwd=/home/jonas/Projects/hvn/hvn, universal_newlines=False, shell=null, istream=<valid stream>)
DEBUG:git.cmd:Popen(["git", "diff", "--cached", "--abbrev=40", "--full-index", "--raw"], cwd=/home/jonas/Projects/hvn/hvn, universal_newlines=False, shell=null, istream=None)
DEBUG:git.cmd:Popen(["git", "diff", "--abbrev=40", "--full-index", "--raw"], cwd=/home/jonas/Projects/hvn/hvn, universal_newlines=False, shell=null, istream=None)
DEBUG:git.cmd:Popen(["git", "fetch", "-v", "origin", "develop:develop"], cwd=/home/jonas/Projects/hvn/hvn, universal_newlines=True, shell=null, istream=None)
DEBUG:git.remote:Fetch head lines do not match lines provided via progress information
length of progress lines 2 should be equal to lines in FETCH_HEAD file 1
Will ignore extra progress lines or fetch head lines.
DEBUG:git.remote:info lines: [' = [up to date] develop -> develop', ' = [up to date] develop -> origin/develop']
DEBUG:git.remote:head info : ["fb17c22cd7c51a81166749ce165d7c3a8433ae6d\t\tbranch 'develop' of github.com:hvntravel/hvn\n"]
DEBUG:git.cmd:Popen(["git", "fetch", "-v", "heroku", "develop:develop"], cwd=/home/jonas/Projects/hvn/hvn, universal_newlines=True, shell=null, istream=None)
DEBUG:git.cmd:AutoInterrupt wait stderr: b''
Traceback (most recent call last):
File "/home/jonas/Projects/hvn/hvn/.venv/lib/python3.8/site-packages/migration_fixer/management/commands/makemigrations.py", line 60, in handle
super().handle(*app_labels, **options)
File "/home/jonas/Projects/hvn/hvn/.venv/lib/python3.8/site-packages/django/core/management/base.py", line 83, in wrapped
res = handle_func(*args, **kwargs)
File "/home/jonas/Projects/hvn/hvn/.venv/lib/python3.8/site-packages/django/core/management/commands/makemigrations.py", line 119, in handle
raise CommandError(
django.core.management.base.CommandError: Conflicting migrations detected; multiple leaf nodes in the migration graph: (0306_delete_vrmsurvey, 0306_reservation_email_comms_force_active in vr).
To fix them run 'python manage.py makemigrations --merge'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "./manage.py", line 50, in <module>
execute_from_command_line(sys.argv)
File "/home/jonas/Projects/hvn/hvn/.venv/lib/python3.8/site-packages/django/core/management/__init__.py", line 381, in execute_from_command_line
utility.execute()
File "/home/jonas/Projects/hvn/hvn/.venv/lib/python3.8/site-packages/django/core/management/__init__.py", line 375, in execute
self.fetch_command(subcommand).run_from_argv(self.argv)
File "/home/jonas/Projects/hvn/hvn/.venv/lib/python3.8/site-packages/django/core/management/base.py", line 323, in run_from_argv
self.execute(*args, **cmd_options)
File "/home/jonas/Projects/hvn/hvn/.venv/lib/python3.8/site-packages/django/core/management/base.py", line 364, in execute
output = self.handle(*args, **options)
File "/home/jonas/Projects/hvn/hvn/.venv/lib/python3.8/site-packages/migration_fixer/utils.py", line 118, in wrapped
res = handle_func(*args, **kwargs)
File "/home/jonas/Projects/hvn/hvn/.venv/lib/python3.8/site-packages/migration_fixer/management/commands/makemigrations.py", line 109, in handle
remote.fetch(
File "/home/jonas/Projects/hvn/hvn/.venv/lib/python3.8/site-packages/git/remote.py", line 828, in fetch
res = self._get_fetch_info_from_stderr(proc, progress)
File "/home/jonas/Projects/hvn/hvn/.venv/lib/python3.8/site-packages/git/remote.py", line 702, in _get_fetch_info_from_stderr
proc.wait(stderr=stderr_text)
File "/home/jonas/Projects/hvn/hvn/.venv/lib/python3.8/site-packages/git/cmd.py", line 447, in wait
raise GitCommandError(remove_password_if_present(self.args), status, errstr)
git.exc.GitCommandError: Cmd('git') failed due to: exit code(1)
cmdline: git fetch -v heroku develop:develop
Heroku Documentation: https://devcenter.heroku.com/articles/git#creating-a-heroku-remote
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
.github/workflows/auto-approve.yml
hmarr/auto-approve-action v3
.github/workflows/auto-merge.yml
pascalgn/automerge-action v0.15.5
.github/workflows/codacy-analysis.yml
actions/checkout v3
codacy/codacy-analysis-cli-action v4.2.0
github/codeql-action v2
.github/workflows/deploy.yml
actions/checkout v3
tj-actions/semver-diff v2.4.1
actions/setup-python v4
tj-actions/github-changelog-generator v1.15
peter-evans/create-pull-request v4
.github/workflows/greetings.yml
actions/first-interaction v1
.github/workflows/test.yml
rokroskar/workflow-run-cleanup-action v0.3.3
actions/checkout v3
actions/setup-python v4
actions/cache v3
codacy/codacy-coverage-reporter-action v1
codecov/codecov-action v3.1.1
.github/workflows/update-doc-assets.yml
actions/checkout v3.5.2
tj-actions/remark v3
tj-actions/verify-changed-files v12
peter-evans/create-pull-request v4
actions/setup-python v4
requirements.txt
asgiref ==3.5.2
django ==4.1.6
gitdb ==4.0.10
gitpython ==3.1.30
pytz ==2022.7.1
smmap ==5.0.0
sqlparse ==0.4.4
typing-extensions ==4.4.0
setup.py
mkdocs >=1.4,<1.5
mkdocs-material-extensions >=1.0.3
pygments >=2.15,<2.16
pymdown-extensions >=9.9,<9.10
typing_extensions >=3.10.0.0
pytest >=3
The bot created this issue to inform you that pyup.io has been set up on this repo.
Once you have closed it, the bot will open pull requests for updates as soon as they are available.
A non-validating SQL parser.
Library home page: https://files.pythonhosted.org/packages/97/d3/31dd2c3e48fc2060819f4acb0686248250a0f2326356306b38a42e059144/sqlparse-0.4.3-py3-none-any.whl
Path to dependency file: /tmp/ws-scm/django-migration-fixer
Path to vulnerable library: /tmp/ws-scm/django-migration-fixer,/requirements.txt
Found in base branch: main
sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit e75e358. The vulnerability may lead to Denial of Service (DoS). This issue has been fixed in sqlparse 0.4.4 by commit c457abd5f. Users are advised to upgrade. There are no known workarounds for this issue.
Publish Date: 2023-04-18
URL: CVE-2023-30608
Type: Upgrade version
Origin: GHSA-rrm6-wvj7-cwh2
Release Date: 2023-04-18
Fix Resolution: 0.4.4
The logic to determine the migrations path from the import path is flawed somehow, and doesn't account for projects with a non-standard django directory structure.
Set up a project structure where migrations doesn't live at appname/migrations away from BASE_DIR.
linux
The migrations directory should be loaded the same way django loads it, so it can never mismatch. If there's no better way, perhaps it should load the migrations module and inspect its modulepath.
Traceback (most recent call last):
File "manage.py", line 15, in <module>
execute_from_command_line(sys.argv)
File "/app/.venv/lib/python3.8/site-packages/django/core/management/__init__.py", line 419, in execute_from_command_line
utility.execute()
File "/app/.venv/lib/python3.8/site-packages/django/core/management/__init__.py", line 413, in execute
self.fetch_command(subcommand).run_from_argv(self.argv)
File "/app/.venv/lib/python3.8/site-packages/django/core/management/base.py", line 354, in run_from_argv
self.execute(*args, **cmd_options)
File "/app/.venv/lib/python3.8/site-packages/django/core/management/base.py", line 398, in execute
output = self.handle(*args, **options)
File "/app/.venv/lib/python3.8/site-packages/migration_fixer/utils.py", line 114, in wrapped
res = handle_func(*args, **kwargs)
File "/app/.venv/lib/python3.8/site-packages/migration_fixer/management/commands/makemigrations.py", line 247, in handle
fix_numbered_migration(
File "/app/.venv/lib/python3.8/site-packages/migration_fixer/utils.py", line 94, in fix_numbered_migration
_update_migration(conflict_path, app_label, prev_migration)
File "/app/.venv/lib/python3.8/site-packages/migration_fixer/utils.py", line 26, in _update_migration
match = replace_regex.search(conflict_path.read_text())
File "/usr/local/lib/python3.8/pathlib.py", line 1235, in read_text
with self.open(mode='r', encoding=encoding, errors=errors) as f:
File "/usr/local/lib/python3.8/pathlib.py", line 1221, in open
return io.open(self, mode, buffering, encoding, errors, newline,
File "/usr/local/lib/python3.8/pathlib.py", line 1077, in _opener
return self._accessor.open(self, flags, mode)
FileNotFoundError: [Errno 2] No such file or directory: '/app/core/migrations/0020_test.py'
The path is `/app/projectname/core` not `/app/core` 👆️
Alternatively to fixing the detection, the ability to be able to supply a path instead of BASE_DIR would work; the project I'm working on already has another constant that is the correct path to use in this case. The task runs successfully when I copy it into the project and fix the 2 issues I've created 🤘🏼
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/8a/c4/f946a6b02fcbba84e56074f2fc36866433b009bea2528b09fe0bac4fe1aa/Django-3.2.16-py3-none-any.whl
Path to dependency file: /tmp/ws-scm/django-migration-fixer
Path to vulnerable library: /tmp/ws-scm/django-migration-fixer
Found in base branch: main
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.
Publish Date: 2023-11-03
URL: CVE-2023-43665
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2023-43665
Release Date: 2023-11-03
Fix Resolution: Django - 3.2.22,4.1.12,4.2.6
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/8a/c4/f946a6b02fcbba84e56074f2fc36866433b009bea2528b09fe0bac4fe1aa/Django-3.2.16-py3-none-any.whl
Path to dependency file: /tmp/ws-scm/django-migration-fixer
Path to vulnerable library: /tmp/ws-scm/django-migration-fixer
Found in base branch: main
In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.
Publish Date: 2023-02-01
URL: CVE-2023-23969
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2023/feb/01/security-releases/
Release Date: 2023-02-01
Fix Resolution: 3.2.17