From f6782f5107fe274657658854eaac5e796ec90a19 Mon Sep 17 00:00:00 2001 From: Daniel Porter Date: Wed, 28 Jun 2023 15:14:00 +0100 Subject: [PATCH 1/8] Allow networkx<3 for Python 3.7 or newer This change brings in a conditional dependency for networkx, preventing 2.6 or later being installed for a Python 3.6 environment, but allowing v2.7 or 2.8 for newer versions. This should allow for non EOL versions of Python to install a version of networkx that doesn't have the CVE vulnerability. --- requirements.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 1d5ca55a..d87aa029 100644 --- a/requirements.txt +++ b/requirements.txt @@ -3,7 +3,8 @@ eventlet Jinja2>=2.11 # BSD License (3 clause) jsonschema!=2.5.0,<3.0.0,>=2.0.0 # MIT # networkx v2.6 does not support Python3.6. Update networkx to match st2 -networkx>=2.5.1,<2.6 +networkx>=2.5.1,<2.6; python_version < '3.7' +networkx>=2.5.1,<3; python_version >= '3.7' python-dateutil PyYAML>=3.1.0 # MIT six>=1.9.0 From 7d0f450bfd56fd674cace5ccaeccaa55e5d5a73f Mon Sep 17 00:00:00 2001 From: amanda Date: Fri, 22 Sep 2023 07:54:53 +0100 Subject: [PATCH 2/8] Python 3.6 not available on ubuntu-latest github workflow --- .github/workflows/tox.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/tox.yml b/.github/workflows/tox.yml index 55ddce3f..f9f0dd99 100644 --- a/.github/workflows/tox.yml +++ b/.github/workflows/tox.yml @@ -12,7 +12,8 @@ on: jobs: tests: - runs-on: ubuntu-latest + #python 3.6 not available on ubuntu-latest + runs-on: ubuntu-20.04 strategy: matrix: python-version: ["3.6", "3.8"] From 621b97df94620eb6ddb3e0e0bf92187ea7325f12 Mon Sep 17 00:00:00 2001 From: amanda Date: Fri, 22 Sep 2023 08:01:38 +0100 Subject: [PATCH 3/8] Separate os for python --- .github/workflows/tox.yml | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) 
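Review bot: The new `python_version >= '3.7'` specifier keeps 2.5.1 as its floor, so a resolver held back by another package's constraint can still install a release from the range the commit message describes as affected; the floor for that branch should be the first fixed release, which PATCH 7/8 later sets to 2.6. The comment above the pair still reads as a note on a single pin, so it should explain the split and record that the `< '3.7'` branch deliberately stays on the affected range, e.g. `# Python 3.6 only supports networkx <2.6 (affected by <advisory id>, accepted until 3.6 is dropped); 3.7+ gets the fixed line`.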
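Review bot: The added comment `#python 3.6 not available on ubuntu-latest` has no space after `#`, which yamllint's `comments` rule flags, and it gives the pin no removal condition even though hosted runner images are retired on their own schedule. Suggest `# Python 3.6 is not available on ubuntu-latest; drop this pin once 3.6 leaves the matrix`. The remaining steps of the `tests` job are outside the hunk.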
diff --git a/.github/workflows/tox.yml b/.github/workflows/tox.yml index f9f0dd99..652ae17f 100644 --- a/.github/workflows/tox.yml +++ b/.github/workflows/tox.yml @@ -11,12 +11,31 @@ on: - cron: '0 6 * * 1' jobs: - tests: + test_latest: + runs-on: ubuntu-latest + strategy: + matrix: + python-version: ["3.8"] + steps: + - name: Checkout repository + uses: actions/checkout@v2 + - name: "Set up Python ${{ matrix.python-version }}" + uses: actions/setup-python@v2 + with: + python-version: "${{ matrix.python-version }}" + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install tox tox-gh-actions + - name: "Run tox for ${{ matrix.python-version }}" + run: | + tox + test_2004: #python 3.6 not available on ubuntu-latest runs-on: ubuntu-20.04 strategy: matrix: - python-version: ["3.6", "3.8"] + python-version: ["3.6"] steps: - name: Checkout repository uses: actions/checkout@v2 From 980fade159ff6b179e8f8369453d90db35ab54d8 Mon Sep 17 00:00:00 2001 From: amanda Date: Fri, 22 Sep 2023 08:04:30 +0100 Subject: [PATCH 4/8] Revert "Separate os for python" This reverts commit 621b97df94620eb6ddb3e0e0bf92187ea7325f12. --- .github/workflows/tox.yml | 23 ++--------------------- 1 file changed, 2 insertions(+), 21 deletions(-) diff --git a/.github/workflows/tox.yml b/.github/workflows/tox.yml index 652ae17f..f9f0dd99 100644 --- a/.github/workflows/tox.yml +++ b/.github/workflows/tox.yml 
@@ -11,31 +11,12 @@ on: - cron: '0 6 * * 1' jobs: - test_latest: - runs-on: ubuntu-latest - strategy: - matrix: - python-version: ["3.8"] - steps: - - name: Checkout repository - uses: actions/checkout@v2 - - name: "Set up Python ${{ matrix.python-version }}" - uses: actions/setup-python@v2 - with: - python-version: "${{ matrix.python-version }}" - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install tox tox-gh-actions - - name: "Run tox for ${{ matrix.python-version }}" - run: | - tox - test_2004: + tests: #python 3.6 not available on ubuntu-latest runs-on: ubuntu-20.04 strategy: matrix: - python-version: ["3.6"] + python-version: ["3.6", "3.8"] steps: - name: Checkout repository uses: actions/checkout@v2 From 75ea41fb16d93bdc127ed31f4165fe2fcd597dbb Mon Sep 17 00:00:00 2001 From: Carlos Date: Fri, 22 Sep 2023 09:11:04 +0200 Subject: [PATCH 5/8] * Bump github actions version to v4. * Fix linting errors. * Use makefile to apply requirements correctly. --- .github/workflows/tox.yml | 11 ++-- docs/source/conf.py | 51 +++++++++---------- .../test_workflow_conductor_data_flow.py | 5 +- orquesta/tests/unit/utils/test_strings.py | 2 +- requirements-ci.txt | 4 ++ 5 files changed, 38 insertions(+), 35 deletions(-) create mode 100644 requirements-ci.txt diff --git a/.github/workflows/tox.yml b/.github/workflows/tox.yml index f9f0dd99..65e0dd86 100644 --- a/.github/workflows/tox.yml +++ b/.github/workflows/tox.yml 
@@ -16,18 +16,19 @@ jobs: runs-on: ubuntu-20.04 strategy: matrix: - python-version: ["3.6", "3.8"] + python-version: ["3.6.15", "3.8.18"] steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: "Set up Python ${{ matrix.python-version }}" - uses: actions/setup-python@v2 + uses: actions/setup-python@v4 with: python-version: "${{ matrix.python-version }}" - name: Install dependencies run: | python -m pip install --upgrade pip - pip install tox tox-gh-actions + pip install -r requirements-ci.txt + make clean reqs schemas - name: "Run tox for ${{ matrix.python-version }}" run: | - tox + make check diff --git a/docs/source/conf.py b/docs/source/conf.py index 4c0402d4..31181470 100644 --- a/docs/source/conf.py +++ b/docs/source/conf.py @@ -19,14 +19,14 @@ # -- Project information ----------------------------------------------------- -project = u'StackStorm Orquesta' -copyright = u'2018, StackStorm' -author = u'StackStorm' +project = "StackStorm Orquesta" +copyright = "2018-2023, StackStorm" +author = "StackStorm" # The short X.Y version -version = u'' +version = "" # The full version, including alpha/beta/rc tags -release = u'' +release = "" # -- General configuration --------------------------------------------------- 
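Review bot: `actions/checkout@v4` and `actions/setup-python@v4` are referenced by floating major tags, so the job executes whatever those tags point to at run time; for a step that installs dependencies and runs the test suite, pinning each action to a full-length commit SHA with the tag in a trailing comment, `uses: actions/checkout@<full commit sha>  # v4`, keeps the workflow reproducible and reviewable. The same hunk replaces the inline `pip install` with `pip install -r requirements-ci.txt`, which installs without hash verification; if the CI requirements are meant to be exactly reproducible, `--require-hashes` with hashed pins is the stronger form. `make clean reqs schemas` and `make check` depend on Makefile targets not shown here, so what they do cannot be reviewed from this diff.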
@@ -40,27 +40,27 @@ # ones. extensions = [ # Add theme as extension so sitemap.xml is generated - 'sphinx_rtd_theme' + "sphinx_rtd_theme" ] # Add any paths that contain templates here, relative to this directory. -templates_path = ['_templates'] +templates_path = ["_templates"] # The suffix(es) of source filenames. # You can specify multiple suffix as a list of string: # # source_suffix = ['.rst', '.md'] -source_suffix = '.rst' +source_suffix = ".rst" # The master toctree document. -master_doc = 'index' +master_doc = "index" # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. # # This is also used if you do content translation via gettext catalogs. # Usually you set "language" from the command line for these cases. -language = None +language = "en" # List of patterns, relative to source directory, that match files and # directories to ignore when looking for source files. @@ -68,7 +68,7 @@ exclude_patterns = [] # The name of the Pygments (syntax highlighting) style to use. -pygments_style = 'sphinx' +pygments_style = "sphinx" # -- Options for HTML output ------------------------------------------------- @@ -76,7 +76,7 @@ # The theme to use for HTML and HTML Help pages. See the documentation for # a list of builtin themes. # -html_theme = 'sphinx_rtd_theme' +html_theme = "sphinx_rtd_theme" # Theme options are theme-specific and customize the look and feel of a theme # further. For a list of options available for each theme, see the @@ -87,7 +87,7 @@ # Add any paths that contain custom static files (such as style sheets) here, # relative to this directory. They are copied after the builtin static files, # so a file named "default.css" will overwrite the builtin "default.css". -html_static_path = ['_static'] +html_static_path = ["_static"] # Custom sidebar templates, must be a dictionary that maps document names # to template names. 
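Review bot: The change of `language` from `None` to `"en"` in this hunk is a behavior change bundled into a commit described as fixing linting errors, and nothing in the file says why. Newer Sphinx releases appear to warn on `language = None` and fall back to English, which is presumably the motivation; a one-line comment would make that explicit, e.g. `# Explicit default; newer Sphinx warns when language is None`. Everything else in the hunk is quote-style normalization.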
@@ -103,7 +103,7 @@ # -- Options for HTMLHelp output --------------------------------------------- # Output file base name for HTML help builder. -htmlhelp_basename = 'Orquestadoc' +htmlhelp_basename = "Orquestadoc" # -- Options for LaTeX output ------------------------------------------------ @@ -112,15 +112,12 @@ # The paper size ('letterpaper' or 'a4paper'). # # 'papersize': 'letterpaper', - # The font size ('10pt', '11pt' or '12pt'). # # 'pointsize': '10pt', - # Additional stuff for the LaTeX preamble. # # 'preamble': '', - # Latex figure (float) alignment # # 'figure_align': 'htbp', @@ -130,8 +127,7 @@ # (source start file, target name, title, # author, documentclass [howto, manual, or own class]). latex_documents = [ - (master_doc, 'Orquesta.tex', u'Orquesta Documentation', - u'StackStorm', 'manual'), + (master_doc, "Orquesta.tex", "Orquesta Documentation", "StackStorm", "manual"), ] @@ -139,10 +135,7 @@ # One entry per manual page. List of tuples # (source start file, name, description, authors, manual section). -man_pages = [ - (master_doc, 'orquesta', u'Orquesta Documentation', - [author], 1) -] +man_pages = [(master_doc, "orquesta", "Orquesta Documentation", [author], 1)] # -- Options for Texinfo output ---------------------------------------------- @@ -151,7 +144,13 @@ # (source start file, target name, title, author, # dir menu entry, description, category) texinfo_documents = [ - (master_doc, 'Orquesta', u'Orquesta Documentation', - author, 'Orquesta', 'One line description of project.', - 'Miscellaneous'), + ( + master_doc, + "Orquesta", + "Orquesta Documentation", + author, + "Orquesta", + "One line description of project.", + "Miscellaneous", + ), ] diff --git a/orquesta/tests/unit/conducting/test_workflow_conductor_data_flow.py b/orquesta/tests/unit/conducting/test_workflow_conductor_data_flow.py index 02822925..caa8eb07 100644 --- a/orquesta/tests/unit/conducting/test_workflow_conductor_data_flow.py 
+++ b/orquesta/tests/unit/conducting/test_workflow_conductor_data_flow.py @@ -25,7 +25,6 @@ class WorkflowConductorDataFlowTest(test_base.WorkflowConductorTest): - wf_def_yaql = """ version: 1.0 @@ -157,14 +156,14 @@ def assert_data_flow(self, input_value): def assert_unicode_data_flow(self, input_value): inputs = { - u"a1": ( + "a1": ( str_util.unicode(input_value, encoding_type="utf-8", force=True) if six.PY2 else input_value ) } - expected_output = {u"a5": inputs["a1"], u"b5": inputs["a1"]} + expected_output = {"a5": inputs["a1"], "b5": inputs["a1"]} self._assert_data_flow(inputs, expected_output) diff --git a/orquesta/tests/unit/utils/test_strings.py b/orquesta/tests/unit/utils/test_strings.py index 4817aaa9..0cab37c7 100644 --- a/orquesta/tests/unit/utils/test_strings.py +++ b/orquesta/tests/unit/utils/test_strings.py @@ -28,7 +28,7 @@ def test_unescape(self): def test_unicode(self): self.assertEqual(str_util.unicode(123), 123) self.assertEqual(str_util.unicode("foobar"), "foobar") - self.assertEqual(str_util.unicode(u"fubar" if six.PY2 else str("fubar")), "fubar") + self.assertEqual(str_util.unicode("fubar" if six.PY2 else str("fubar")), "fubar") self.assertEqual(str_util.unicode("鐵甲奇俠"), "鐵甲奇俠") self.assertEqual(str_util.unicode("\xe9\x90\xb5\xe7\x94\xb2"), "\xe9\x90\xb5\xe7\x94\xb2") diff --git a/requirements-ci.txt b/requirements-ci.txt new file mode 100644 index 00000000..3fa96f9a --- /dev/null +++ b/requirements-ci.txt @@ -0,0 +1,4 @@ +# Different versions of tox are required by python version +tox-gh-actions +tox==3.28.0 ; python_version == "3.6" +tox==4.6.4 ; python_version == "3.8" From 8f34e5178efe5c17226a943b8b6ac4bb930dc786 Mon Sep 17 00:00:00 2001 From: amanda Date: Fri, 22 Sep 2023 16:41:16 +0100 Subject: [PATCH 6/8] Try with just minor version of python --- .github/workflows/tox.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tox.yml b/.github/workflows/tox.yml index 65e0dd86..b47e8ca1 100644 
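Review bot: Dropping the `u` prefix from `"a1"`, `"a5"` and `"b5"` while keeping the `six.PY2` branch leaves `assert_unicode_data_flow` inconsistent: on a Python 2 interpreter the keys are now byte strings while the value is still forced to unicode, so the test no longer exercises unicode keys there, and the `six.PY2` check is dead on Python 3. The same issue appears in the test_strings.py hunk, where `str_util.unicode("fubar" if six.PY2 else str("fubar"))` now evaluates to the same value on both branches and merely repeats the `"foobar"` assertion above it. Given the CI matrix in this series runs only 3.6 and 3.8, the coherent fix is to remove the `six.PY2` branches along with the prefixes, e.g. `"a1": input_value` here and `self.assertEqual(str_util.unicode("fubar"), "fubar")` in test_strings.py; `test_unicode` may continue past its hunk.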
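Review bot: `tox-gh-actions` is listed with no version constraint while `tox` is pinned exactly per Python version; the plugin's supported tox major differs between its own releases, so an unconstrained install can pair a new plugin with the `tox==3.28.0` pin on 3.6 and fail, or change behavior silently when a new plugin release appears. Give it the same marker treatment, e.g. `tox-gh-actions==<version for tox 3> ; python_version == "3.6"` and `tox-gh-actions==<version for tox 4> ; python_version == "3.8"`, and consider hashed pins since this file is consumed unattended by CI via `pip install -r`. The leading comment could also state which tox line each Python needs and why.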
--- a/.github/workflows/tox.yml +++ b/.github/workflows/tox.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-20.04 strategy: matrix: - python-version: ["3.6.15", "3.8.18"] + python-version: ["3.6", "3.8"] steps: - name: Checkout repository uses: actions/checkout@v4 From 487c43b7c38079176738fc40dc53ba2864780901 Mon Sep 17 00:00:00 2001 From: Eugen C <1533818+armab@users.noreply.github.com> Date: Mon, 25 Sep 2023 11:37:42 +0100 Subject: [PATCH 7/8] Update networkx >=2.6 for py3.8 --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index d87aa029..6bcb3c96 100644 --- a/requirements.txt +++ b/requirements.txt @@ -4,7 +4,7 @@ Jinja2>=2.11 # BSD License (3 clause) jsonschema!=2.5.0,<3.0.0,>=2.0.0 # MIT # networkx v2.6 does not support Python3.6. Update networkx to match st2 networkx>=2.5.1,<2.6; python_version < '3.7' -networkx>=2.5.1,<3; python_version >= '3.7' +networkx>=2.6,<3; python_version >= '3.7' python-dateutil PyYAML>=3.1.0 # MIT six>=1.9.0 From 7dadd4cfa0e01a2fd65a545fbcdaad363bee4c68 Mon Sep 17 00:00:00 2001 From: Eugen C <1533818+armab@users.noreply.github.com> Date: Mon, 25 Sep 2023 11:41:24 +0100 Subject: [PATCH 8/8] Add a changelog for networkx update --- CHANGELOG.rst | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 4a89f8bf..d8fe90e9 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -1,6 +1,15 @@ Changelog ========= +In Development +-------------- + +Changed +~~~~~~~ + +* Update networkx >=2.6 for Python 3.8 to fix insecure deserialization #255 (improvement) + Contributed by @Stealthii + 1.5.0 -----
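Review bot: The comment above the two specifiers, `# networkx v2.6 does not support Python3.6. Update networkx to match st2`, no longer explains the new `>=2.6` floor, which per the changelog in PATCH 8/8 is a security fix; a reader of requirements.txt sees only a compatibility note. Suggest replacing it with `# 3.7+: networkx >=2.6 fixes the insecure deserialization issue (#255); 3.6 cannot move past 2.5.x and remains on the affected range`. The 3.6 branch is also what the matrix in .github/workflows/tox.yml still runs, so that residual exposure is worth stating where the pin lives.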