
[Snyk] Security upgrade django from 3.1.12 to 3.2.19 #32

Open
wants to merge 1 commit into
base: master
Conversation

@snyk-bot snyk-bot commented May 5, 2023

Snyk has created this PR to fix one or more vulnerable packages in the `pip` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • pygoat/requirements.txt
⚠️ Warning: Django 3.2.19 has requirement asgiref<4,>=3.3.2, but you have asgiref 3.2.7.

Vulnerabilities that will be fixed

By pinning:

| Severity | Priority Score (*) | Issue | Upgrade | Breaking Change | Exploit Maturity |
|---|---|---|---|---|---|
| medium severity | 551/1000 (Why? Recently disclosed, Has a fix available, CVSS 5.3) | Arbitrary File Upload (SNYK-PYTHON-DJANGO-5496950) | django: 3.1.12 -> 3.2.19 | No | No Known Exploit |

(*) Note that the real score may have changed since the PR was raised.

Some vulnerabilities couldn't be fully fixed and so Snyk will still find them when the project is tested again. This may be because the vulnerability existed within more than one direct dependency, but not all of the affected dependencies could be upgraded.

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

The following vulnerabilities are fixed by pinning transitive dependencies:
- https://snyk.io/vuln/SNYK-PYTHON-DJANGO-5496950
msant262 (Collaborator) commented May 5, 2023

Checkmarx One – Scan Summary & Details (f3569b9d-a09e-41c0-9ad0-4293321b1d37)

New Issues

| Severity | Issue | Source File / Package | Checkmarx Insight |
|---|---|---|---|
| HIGH | Command_Injection | /pygoat/introduction/views.py: 300 | Attack Vector |
| HIGH | Command_Injection | /pygoat/introduction/views.py: 303 | Attack Vector |
| HIGH | Missing User Instruction | /Dockerfile: 1 | A user should be specified in the dockerfile, otherwise the image will run as root |
| HIGH | Missing User Instruction | /Dockerfile: 1 | A user should be specified in the dockerfile, otherwise the image will run as root |
| HIGH | Reflected_XSS_All_Clients | /pygoat/introduction/views.py: 205 | Attack Vector |
| HIGH | Reflected_XSS_All_Clients | /pygoat/introduction/views.py: 341 | Attack Vector |
| HIGH | SQL_Injection | /pygoat/introduction/views.py: 78 | Attack Vector |
| HIGH | SQL_Injection | /pygoat/introduction/views.py: 76 | Attack Vector |
| HIGH | Stored_XSS | /pygoat/introduction/views.py: 190 | Attack Vector |
| HIGH | Stored_XSS | /pygoat/introduction/views.py: 218 | Attack Vector |
| HIGH | Stored_XSS | /pygoat/introduction/views.py: 205 | Attack Vector |
| HIGH | Unsafe_Deserialization | /pygoat/introduction/views.py: 116 | Attack Vector |
| HIGH | Unsafe_Deserialization | /pygoat/introduction/views.py: 116 | Attack Vector |
| HIGH | Unsafe_Deserialization | /pygoat/introduction/views.py: 113 | Attack Vector |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile: 5 | When installing a package, its pin version should be defined |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile: 5 | When installing a package, its pin version should be defined |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile: 5 | When installing a package, its pin version should be defined |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile: 8 | When installing a package, its pin version should be defined |
| MEDIUM | CVE-2023-30608 | Python-sqlparse-0.3.1 | Vulnerable Package |
| MEDIUM | Container Traffic Not Bound To Host Interface | /docker-compose.yml: 6 | Incoming container traffic should be bound to a specific host interface |
| MEDIUM | Container Traffic Not Bound To Host Interface | /docker-compose.yml: 16 | Incoming container traffic should be bound to a specific host interface |
| MEDIUM | Cookie_Poisoning | /pygoat/introduction/views.py: 216 | Attack Vector |
| MEDIUM | Cookie_Poisoning | /pygoat/introduction/views.py: 215 | Attack Vector |
| MEDIUM | Cookie_Poisoning | /pygoat/introduction/views.py: 189 | Attack Vector |
| MEDIUM | Cookie_Poisoning | /pygoat/introduction/views.py: 188 | Attack Vector |
| MEDIUM | Cookie_Poisoning | /pygoat/introduction/views.py: 187 | Attack Vector |
| MEDIUM | Cookie_Poisoning | /pygoat/introduction/views.py: 205 | Attack Vector |
| MEDIUM | Cookie_Poisoning | /pygoat/introduction/views.py: 361 | Attack Vector |
| MEDIUM | Cookie_Poisoning | /pygoat/introduction/views.py: 116 | Attack Vector |
| MEDIUM | Cookie_Poisoning | /pygoat/introduction/views.py: 343 | Attack Vector |
| MEDIUM | Cookie_Poisoning | /pygoat/introduction/views.py: 343 | Attack Vector |
| MEDIUM | Django_Missing_Object_Level_Authorization | /pygoat/introduction/views.py: 148 | Attack Vector |
| MEDIUM | Django_Missing_Object_Level_Authorization | /pygoat/introduction/views.py: 341 | Attack Vector |
| MEDIUM | Django_Missing_Object_Level_Authorization | /pygoat/introduction/views.py: 159 | Attack Vector |
| MEDIUM | Django_Missing_Object_Level_Authorization | /pygoat/introduction/views.py: 428 | Attack Vector |
| MEDIUM | Django_Missing_Object_Level_Authorization | /pygoat/introduction/views.py: 244 | Attack Vector |
| MEDIUM | Django_Missing_Object_Level_Authorization | /pygoat/introduction/views.py: 202 | Attack Vector |
| MEDIUM | Django_Missing_Object_Level_Authorization | /pygoat/introduction/views.py: 182 | Attack Vector |
| MEDIUM | Django_Missing_Object_Level_Authorization | /pygoat/introduction/views.py: 73 | Attack Vector |
| MEDIUM | Django_Missing_Object_Level_Authorization | /pygoat/introduction/views.py: 52 | Attack Vector |
| MEDIUM | Healthcheck Not Set | /docker-compose.yml: 2 | Check containers periodically to see if they are running properly. |
| MEDIUM | Healthcheck Not Set | /docker-compose.yml: 12 | Check containers periodically to see if they are running properly. |
| MEDIUM | Healthcheck Not Set | /docker-compose.yml: 23 | Check containers periodically to see if they are running properly. |
| MEDIUM | Healthcheck Not Set | /docker-compose.yml: 4 | Check containers periodically to see if they are running properly. |
| MEDIUM | Healthcheck Not Set | /docker-compose.yml: 14 | Check containers periodically to see if they are running properly. |
| MEDIUM | Host Namespace is Shared | /docker-compose.yml: 2 | The host's process namespace should not be shared by containers |
| MEDIUM | Host Namespace is Shared | /docker-compose.yml: 14 | The host's process namespace should not be shared by containers |
| MEDIUM | Host Namespace is Shared | /docker-compose.yml: 4 | The host's process namespace should not be shared by containers |
| MEDIUM | Host Namespace is Shared | /docker-compose.yml: 12 | The host's process namespace should not be shared by containers |
| MEDIUM | Host Namespace is Shared | /docker-compose.yml: 23 | The host's process namespace should not be shared by containers |
| MEDIUM | Improper_Restriction_of_XXE_Ref | /pygoat/introduction/views.py: 161 | Attack Vector |
| MEDIUM | Memory Not Limited | /docker-compose.yml: 12 | Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than t... |
| MEDIUM | Memory Not Limited | /docker-compose.yml: 23 | Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than t... |
| MEDIUM | Memory Not Limited | /docker-compose.yml: 4 | Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than t... |
| MEDIUM | Missing_HSTS_Header | /pygoat/pygoat/settings.py: 1 | Attack Vector |
| MEDIUM | Missing_Secure_In_Config | /pygoat/introduction/views.py: 222 | Attack Vector |
| MEDIUM | Missing_Secure_In_Config | /pygoat/introduction/views.py: 208 | Attack Vector |
| MEDIUM | Missing_Secure_In_Config | /pygoat/introduction/views.py: 194 | Attack Vector |
| MEDIUM | Missing_Secure_In_Config | /pygoat/pygoat/settings.py: 1 | Attack Vector |
| MEDIUM | Networks Not Set | /docker-compose.yml: 12 | Setting networks in services ensures you are not using Docker's default bridge (docker0), which shares traffic between all containers. |
| MEDIUM | Networks Not Set | /docker-compose.yml: 4 | Setting networks in services ensures you are not using Docker's default bridge (docker0), which shares traffic between all containers. |
| MEDIUM | Networks Not Set | /docker-compose.yml: 2 | Setting networks in services ensures you are not using Docker's default bridge (docker0), which shares traffic between all containers. |
| MEDIUM | Networks Not Set | /docker-compose.yml: 23 | Setting networks in services ensures you are not using Docker's default bridge (docker0), which shares traffic between all containers. |
| MEDIUM | Networks Not Set | /docker-compose.yml: 14 | Setting networks in services ensures you are not using Docker's default bridge (docker0), which shares traffic between all containers. |
| MEDIUM | Pip install Keeping Cached Packages | /Dockerfile: 23 | When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller |
| MEDIUM | Pip install Keeping Cached Packages | /Dockerfile: 9 | When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller |
| MEDIUM | Pip install Keeping Cached Packages | /Dockerfile: 14 | When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller |
| MEDIUM | Pip install Keeping Cached Packages | /Dockerfile: 20 | When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller |
| MEDIUM | Privacy_Violation | /pygoat/introduction/views.py: 216 | Attack Vector |
| MEDIUM | Security Opt Not Set | /docker-compose.yml: 2 | Attribute 'security_opt' should be defined. |
| MEDIUM | Security Opt Not Set | /docker-compose.yml: 14 | Attribute 'security_opt' should be defined. |
| MEDIUM | Security Opt Not Set | /docker-compose.yml: 12 | Attribute 'security_opt' should be defined. |
| MEDIUM | Security Opt Not Set | /docker-compose.yml: 23 | Attribute 'security_opt' should be defined. |
| MEDIUM | Security Opt Not Set | /docker-compose.yml: 4 | Attribute 'security_opt' should be defined. |
| MEDIUM | Unchecked_Input_for_Loop_Condition | /pygoat/introduction/views.py: 163 | Attack Vector |
| MEDIUM | Uncontrolled_Format_String | /pygoat/introduction/views.py: 303 | Attack Vector |
| MEDIUM | Unpinned Package Version in Pip Install | /Dockerfile: 23 | Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes |
| MEDIUM | Unpinned Package Version in Pip Install | /Dockerfile: 14 | Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes |
| MEDIUM | Unpinned Package Version in Pip Install | /Dockerfile: 20 | Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes |
| MEDIUM | Update Instruction Alone | /Dockerfile: 7 | Instruction 'RUN update' should always be followed by ' install' in the same RUN statement |
| MEDIUM | Use_of_Hardcoded_Cryptographic_Key | /pygoat/pygoat/settings.py: 25 | Attack Vector |
| LOW | Client_Hardcoded_Domain | /pygoat/introduction/templates/introduction/base.html: 15 | Attack Vector |
| LOW | Client_Hardcoded_Domain | /pygoat/introduction/templates/introduction/base.html: 177 | Attack Vector |
| LOW | Client_Hardcoded_Domain | /pygoat/introduction/templates/introduction/base.html: 175 | Attack Vector |
| LOW | Client_Hardcoded_Domain | /pygoat/introduction/templates/introduction/base.html: 173 | Attack Vector |
| LOW | Client_Hardcoded_Domain | /pygoat/introduction/templates/introduction/base.html: 21 | Attack Vector |
| LOW | Client_Hardcoded_Domain | /pygoat/introduction/templates/introduction/base.html: 20 | Attack Vector |
| LOW | Command_Argument_Injection | /pygoat/introduction/views.py: 300 | Attack Vector |
| LOW | Command_Argument_Injection | /pygoat/manage.py: 18 | Attack Vector |
| LOW | Container Capabilities Unrestricted | /docker-compose.yml: 23 | Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessa... |
| LOW | Container Capabilities Unrestricted | /docker-compose.yml: 12 | Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessa... |
| LOW | Container Capabilities Unrestricted | /docker-compose.yml: 14 | Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessa... |
| LOW | Container Capabilities Unrestricted | /docker-compose.yml: 4 | Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessa... |
| LOW | Container Capabilities Unrestricted | /docker-compose.yml: 2 | Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessa... |
| LOW | Cpus Not Limited | /docker-compose.yml: 12 | CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests |
| LOW | Cpus Not Limited | /docker-compose.yml: 23 | CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests |
| LOW | Cpus Not Limited | /docker-compose.yml: 4 | CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests |
| LOW | Debug_Enabled | /pygoat/pygoat/settings.py: 30 | Attack Vector |
| LOW | Django_Missing_Function_Level_Authorization | /pygoat/introduction/views.py: 341 | Attack Vector |
| LOW | Django_Missing_Function_Level_Authorization | /pygoat/introduction/views.py: 230 | Attack Vector |
| LOW | Django_Missing_Function_Level_Authorization | /pygoat/introduction/views.py: 202 | Attack Vector |
| LOW | Django_Missing_Function_Level_Authorization | /pygoat/introduction/views.py: 182 | Attack Vector |
| LOW | Healthcheck Instruction Missing | /Dockerfile: 1 | Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working |
| LOW | Healthcheck Instruction Missing | /Dockerfile: 1 | Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working |
| LOW | Missing_Content_Security_Policy | /pygoat/pygoat/settings.py: 1 | Attack Vector |
| LOW | Missing_Content_Security_Policy | /pygoat/pygoat/settings.py: 54 | Attack Vector |
| LOW | Multiple RUN, ADD, COPY, Instructions Listed | /Dockerfile: 9 | Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. |
| LOW | Multiple RUN, ADD, COPY, Instructions Listed | /Dockerfile: 7 | Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. |
| LOW | Potential_Clickjacking_on_Legacy_Browsers | /pygoat/introduction/templates/introduction/base.html: 1 | Attack Vector |
| LOW | Use_Of_Hardcoded_Password | /pygoat/introduction/views.py: 385 | Attack Vector |
| LOW | Use_Of_Hardcoded_Password | /pygoat/pygoat/settings.py: 25 | Attack Vector |
