public inbox for [email protected]  
[pgAdmin[patch] Ignore flask-security-too irrelevant vulnerability

* [pgAdmin[patch] Ignore flask-security-too irrelevant vulnerability
@ 2021-10-21 05:17 Aditya Toshniwal <[email protected]>
  2021-10-21 05:45 ` Re: [pgAdmin[patch] Ignore flask-security-too irrelevant vulnerability Akshay Joshi <[email protected]>
  0 siblings, 1 reply; 2+ messages in thread

From: Aditya Toshniwal @ 2021-10-21 05:17 UTC (permalink / raw)
  To: pgadmin-hackers

Hi Hackers,

As per safety audit vulnerability report id #40493 for flask-security-too:
*This is considered a low severity due to the fact that if Werkzeug is used
(which is very common with Flask applications) as the WSGI layer, it by
default ALWAYS ensures that the Location header is absolute - thus making
this attack vector mute.*

Attached patch will ignore this ID for the audit.


-- 
Thanks,
Aditya Toshniwal
pgAdmin Hacker | Software Architect | *edbpostgres.com*
<http://edbpostgres.com>
"Don't Complain about Heat, Plant a TREE"


Attachments:

  [application/octet-stream] safety-40493.patch (639B, 3-safety-40493.patch)
diff --git a/web/package.json b/web/package.json
index 2d80c2e91..07af7ae5c 100644
--- a/web/package.json
+++ b/web/package.json
@@ -182,7 +182,7 @@
     "pep8": "pycodestyle --config=../.pycodestyle ../docs && pycodestyle --config=../.pycodestyle ../pkg && pycodestyle --config=../.pycodestyle ../tools && pycodestyle --config=../.pycodestyle ../web",
     "auditjs-html": "yarn audit --json | yarn run yarn-audit-html --output ../auditjs.html",
     "auditjs": "yarn audit",
-    "auditpy": "safety check --full-report",
+    "auditpy": "safety check --full-report -i 40493",
     "audit": "yarn run auditjs && yarn run auditpy"
   }
 }
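Review bot: the `-i 40493` added to the `auditpy` script is an unconditional, permanent suppression with no record in the file of why it is acceptable; package.json cannot carry a comment, so the justification given in the mail (Werkzeug rewriting the Location header to an absolute URL by default) should at least be captured in the commit message, and the ignore should be revisited when flask-security-too or Werkzeug is next upgraded, or if the application ever changes that Werkzeug default, because `safety check` will otherwise keep silently masking the finding.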



* Re: [pgAdmin[patch] Ignore flask-security-too irrelevant vulnerability
  2021-10-21 05:17 [pgAdmin[patch] Ignore flask-security-too irrelevant vulnerability Aditya Toshniwal <[email protected]>
@ 2021-10-21 05:45 ` Akshay Joshi <[email protected]>
  0 siblings, 0 replies; 2+ messages in thread

From: Akshay Joshi @ 2021-10-21 05:45 UTC (permalink / raw)
  To: Aditya Toshniwal <[email protected]>; +Cc: pgadmin-hackers

Thanks, the patch applied.

On Thu, Oct 21, 2021 at 10:48 AM Aditya Toshniwal <
[email protected]> wrote:

> Hi Hackers,
>
> As per safety audit vulnerability report id #40493 for flask-security-too:
> *This is considered a low severity due to the fact that if Werkzeug is
> used (which is very common with Flask applications) as the WSGI layer, it
> by default ALWAYS ensures that the Location header is absolute - thus
> making this attack vector mute.*
>
> Attached patch will ignore this ID for the audit.
>
>
> --
> Thanks,
> Aditya Toshniwal
> pgAdmin Hacker | Software Architect | *edbpostgres.com*
> <http://edbpostgres.com>
> "Don't Complain about Heat, Plant a TREE"
>


-- 
*Thanks & Regards*
*Akshay Joshi*
*pgAdmin Hacker | Principal Software Architect*
*EDB Postgres <http://edbpostgres.com>*

*Mobile: +91 976-788-8246*


