Merge branch 'main' into 1228-fixed-affected-version-matching #1228

johnmhoran · johnmhoran · commit 7a512c278b85 · 2023-11-28T11:55:25.000-08:00
Reference: #1228 Signed-off-by: John M. Horan johnmhoran@gmail.com
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -2,6 +2,16 @@ Release notes
 =============
 
 
+Version v33.6.3
+----------------
+
+- We updated RTD build configuration.
+- We added importer for OSS-Fuzz.
+- We removed vulnerabilities with empty aliases.
+- We fixed search encoding issue https://github.com/nexB/vulnerablecode/issues/1336.
+- We added middleware to ban "bytedance" user-agent.
+
+
 Version v33.6.2
 ----------------
 
diff --git a/setup.cfg b/setup.cfg
@@ -1,6 +1,6 @@
 [metadata]
 name = vulnerablecode
-version = 33.6.2
+version = 33.6.3
 license = Apache-2.0 AND CC-BY-SA-4.0
 
 # description must be on ONE line https://github.com/pypa/setuptools/issues/1390
diff --git a/vulnerabilities/improvers/__init__.py b/vulnerabilities/improvers/__init__.py
@@ -8,7 +8,8 @@
 #
 
 from vulnerabilities.improvers import valid_versions
-from vulnerabilities.improvers import vulnerability_status
+
+# from vulnerabilities.improvers import vulnerability_status
 
 IMPROVERS_REGISTRY = [
     valid_versions.GitHubBasicImprover,
@@ -24,7 +25,7 @@
     valid_versions.DebianOvalImprover,
     valid_versions.UbuntuOvalImprover,
     valid_versions.OSSFuzzImprover,
-    vulnerability_status.VulnerabilityStatusImprover,
+    # vulnerability_status.VulnerabilityStatusImprover,
 ]
 
 IMPROVERS_REGISTRY = {x.qualified_name: x for x in IMPROVERS_REGISTRY}
diff --git a/vulnerabilities/middleware/ban_user_agent.py b/vulnerabilities/middleware/ban_user_agent.py
@@ -0,0 +1,18 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/nexB/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+
+from django.http import HttpResponseNotFound
+from django.utils.deprecation import MiddlewareMixin
+
+
+class BanUserAgent(MiddlewareMixin):
+    def process_request(self, request):
+        user_agent = request.META.get("HTTP_USER_AGENT", None)
+        if user_agent and "bytedance" in user_agent:
+            return HttpResponseNotFound(404)
diff --git a/vulnerabilities/templates/includes/pagination.html b/vulnerabilities/templates/includes/pagination.html
@@ -1,20 +1,20 @@
 <nav class="pagination is-centered is-small" aria-label="pagination">
   {% if page_obj.has_previous %}
-    <a href="?page={{ page_obj.previous_page_number }}&search={{ search }}" class="pagination-previous">Previous</a>
+  <a href="?page={{ page_obj.previous_page_number }}&search={{ search|urlencode }}" class="pagination-previous">Previous</a>
   {% else %}
     <a class="pagination-previous" disabled>Previous</a>
   {% endif %}
 
   {% if page_obj.has_next %}
-    <a href="?page={{ page_obj.next_page_number }}&search={{ search }}" class="pagination-next">Next</a>
+    <a href="?page={{ page_obj.next_page_number }}&search={{ search|urlencode }}" class="pagination-next">Next</a>
   {% else %}
     <a class="pagination-next" disabled>Next</a>
   {% endif %}
 
   <ul class="pagination-list">
     {% if page_obj.number != 1%}
       <li>
-        <a href="?page=1&search={{ search }}" class="pagination-link" aria-label="Goto page 1">1</a>
+        <a href="?page=1&search={{ search|urlencode }}" class="pagination-link" aria-label="Goto page 1">1</a>
       </li>
       {% if page_obj.number > 2 %}
         <li>
@@ -32,7 +32,7 @@
         </li>
       {% endif %}
       <li>
-        <a href="?page={{ page_obj.paginator.num_pages }}&search={{ search }}" class="pagination-link" aria-label="Goto page {{ page_obj.paginator.num_pages }}">{{ page_obj.paginator.num_pages }}</a>
+        <a href="?page={{ page_obj.paginator.num_pages }}&search={{ search|urlencode }}" class="pagination-link" aria-label="Goto page {{ page_obj.paginator.num_pages }}">{{ page_obj.paginator.num_pages }}</a>
       </li>
     {% endif %}
   </ul>
diff --git a/vulnerabilities/tests/test_api.py b/vulnerabilities/tests/test_api.py
@@ -743,3 +743,9 @@ def test_with_invalid_cpes(self):
             content_type="application/json",
         ).json()
         assert response == {"Error": "Invalid CPE: CVE-2022-2022"}
+
+
+class TesBanUserAgent(TestCase):
+    def test_ban_request_with_bytedance_user_agent(self):
+        response = self.client.get(f"/api/packages", format="json", HTTP_USER_AGENT="bytedance")
+        assert 404 == response.status_code
diff --git a/vulnerablecode/__init__.py b/vulnerablecode/__init__.py
@@ -12,7 +12,7 @@
 import warnings
 from pathlib import Path
 
-__version__ = "33.6.2"
+__version__ = "33.6.3"
 
 
 def command_line():
diff --git a/vulnerablecode/settings.py b/vulnerablecode/settings.py
@@ -89,6 +89,7 @@
     "django.contrib.auth.middleware.AuthenticationMiddleware",
     "django.contrib.messages.middleware.MessageMiddleware",
     "django.middleware.clickjacking.XFrameOptionsMiddleware",
+    "vulnerabilities.middleware.ban_user_agent.BanUserAgent",
 )
 
 ROOT_URLCONF = "vulnerablecode.urls"

Original file line number	Diff line number	Diff line change
`@@ -89,6 +89,7 @@`
`89`	`89`	`"django.contrib.auth.middleware.AuthenticationMiddleware",`
`90`	`90`	`"django.contrib.messages.middleware.MessageMiddleware",`
`91`	`91`	`"django.middleware.clickjacking.XFrameOptionsMiddleware",`
	`92`	`+ "vulnerabilities.middleware.ban_user_agent.BanUserAgent",`
`92`	`93`	`)`
`93`	`94`
`94`	`95`	`ROOT_URLCONF = "vulnerablecode.urls"`