[Aikido] Fix 2 critical issues in pyyaml and 12 other issues#46
Open
aikido-autofix[bot] wants to merge 1 commit into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Upgrade PyYAML, urllib3, and requests to fix critical RCE vulnerabilities in YAML deserialization and high-severity DoS/SSL verification issues. This update includes breaking changes that require manual migration.
1.
requests.packages.urllib3Access Pattern (urllib3 2.0.0 + requests 2.16.0)Where your code is affected:
elastalert/alerts.pylines ~2850 and ~3450 (HipChatAlerter and StrideAlerter classes)Impact:
The code uses
requests.packages.urllib3.disable_warnings()to suppress SSL warnings. Since requests 2.16.0 unvendored urllib3,requests.packages.urllib3no longer exists and will raise anAttributeError.Remediation:
Replace
requests.packages.urllib3.disable_warnings()with direct urllib3 import:import urllib3; urllib3.disable_warnings().Python Version Compatibility Issues
2. Python 2.7 Support Dropped (urllib3 2.0.0 + requests 2.28.0)
Where your code is affected:
setup.pyline 17 declares Python 2.7 supportMultiple files throughout the codebase use Python 2-only syntax
Impact:
The codebase is written for Python 2.7 (uses
basestring,unicode(),.iteritems(),HTMLParserfrom Python 2 location, etc.). Both urllib3 2.0.0+ and requests 2.28.0+ dropped Python 2.7 support entirely. The packages will fail to install or run on Python 2.7.Remediation:
Either maintain urllib3 < 2.0.0 and requests < 2.28.0, or migrate the entire codebase to Python 3 (requires updating all Python 2 syntax including basestring, unicode, iteritems, HTMLParser imports, etc.).
3. Python 3.5 and 3.6 Support Dropped (urllib3 2.0.0 + requests 2.26.0/2.28.0)
Where your code is affected:
Impact:
If running on Python 3.5 or 3.6, the upgraded packages will not be compatible.
Remediation:
Upgrade to Python 3.7+ if migrating away from Python 2.7.
All breaking changes by upgrading urllib3 from version 1.23 to 2.7.0 (CHANGELOG)
All breaking changes by upgrading requests from version 2.0.0 to 2.34.0 (CHANGELOG)
ContentDecodingError. Raised instead ofurllib3DecodeErrorexceptions.timeoutparameter now affects requests with bothstream=Trueandstream=Falseequally.jsonparameter topost()and friends will now only be used if neitherdatanorfilesare present, consistent with the documentation.HTTPAdapterhad been configured to use a blocking connection pool.iter_contentonly accepts integers andNonefor chunk sizes.TypeErrorwhen attempting to decode a JSON response that occurred in an error case. Now correctly returns aValueError.IOError, rather than failing at the time of the HTTPS request with a fairly inscrutable certificate validation error.HTTPDigestAuthto only respond to auth challenges made on 4XX responses, rather than to all auth challenges.allow_redirectsis True.requests[security]extra is officially deprecated and will be removed in Requests v2.26.0.chardet, use the MIT-licensedcharset_normalizerfor Python3 to remove license ambiguity for projects bundling requests.idna3.x on Python 3.idna2.x will continue to be used on Python 2 installations.CURL_CA_BUNDLEto an empty string would disable cert verification. All Requests 2.x versions before 2.28.0 are affected.Proxy-Authorizationheaders to destination servers when following HTTPS redirects.verify=Falseon the first request from a Session will cause subsequent requests to the same origin to also ignore cert verification, regardless of the value ofverify.requests.utils.extract_zipped_pathsnow extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly.✅ 14 CVEs resolved by this upgrade, including 2 critical 🚨 CVEs
This PR will resolve the following CVEs:
Proxy-Authorizationheader is not stripped during cross-origin redirects when set manually without using urllib3's proxy support, potentially leaking authentication credentials to malicious origins. This vulnerability requires manual header configuration, enabled redirects, and specific redirect conditions to be exploited.no_proxymatching logic allows attackers to bypass proxy-based egress controls by using lookalike domain names that match suffix patterns without respecting domain boundaries. This enables direct connections that circumvent SSRF protections and proxy-based security controls.🔗 Related Tasks