Merge pull request #556 from eventcally/issues/555

Security updates #555
2026-03-13 00:07:22 +00:00 · 2023-10-31 22:57:59 +01:00 · 2023-10-31 22:57:59 +01:00 · 705bb4bf0b
commit 705bb4bf0b
parent 2dcb80793a 57a239df90
5 changed files with 27 additions and 14 deletions
--- a/requirements.txt
+++ b/requirements.txt
@ -19,7 +19,7 @@ blinker==1.4
 cached-property==1.5.2
 cachetools==5.3.0
 celery==5.2.7
-certifi==2022.12.7
+certifi==2023.7.22
 cffi==1.14.4
 cfgv==3.2.0
 chardet==3.0.4
@ -30,7 +30,7 @@ click-repl==0.2.0
 colour==0.1.5
 coverage==5.5
 coveralls==3.3.1
-cryptography==41.0.3
+cryptography==41.0.4
 decorator==5.1.0
 distlib==0.3.6
 dnspython==2.0.0
@ -47,7 +47,7 @@ Flask-Bootstrap==3.3.7.1
 Flask-Cors==3.0.10
 Flask-Dance==6.2.0
 Flask-gzip==0.2
-Flask-Login==0.6.2
+Flask-Login==0.6.3
 Flask-Mail==0.9.1
 flask-marshmallow==0.15.0
 Flask-Migrate==4.0.4
@ -56,7 +56,7 @@ Flask-QRcode==3.1.0
 Flask-RESTful==0.3.9
 Flask-Security-Too==5.1.2
 Flask-SQLAlchemy==3.0.3
-Flask-WTF==1.1.1
+Flask-WTF==1.2.1
 GeoAlchemy2==0.13.1
 googlemaps==4.10.0
 greenlet==2.0.2
@ -87,7 +87,7 @@ packaging==23.0
 passlib==1.7.4
 pathspec==0.11.0
 pilkit==2.0
-Pillow==9.5.0
+Pillow==10.0.1
 pipdeptree==2.7.0
 pkginfo==1.9.6
 platformdirs==3.1.0
@ -133,7 +133,7 @@ toml==0.10.2
 tomli==2.0.1
 typed-ast==1.5.4
 typing_extensions==4.5.0
-urllib3==1.26.5
+urllib3==1.26.18
 URLObject==2.4.3
 validators==0.20.0
 vine==5.0.0
@ -141,7 +141,7 @@ virtualenv==20.21.0
 visitor==0.1.3
 wcwidth==0.2.6
 webargs==7.0.1
-Werkzeug==2.2.3
+Werkzeug==3.0.1
 wimpy==0.6
 WTForms==3.0.1
 WTForms-SQLAlchemy==0.3
--- a/tests/utils.py
+++ b/tests/utils.py
@ -5,6 +5,7 @@ from urllib.parse import parse_qs, urlsplit
 import googlemaps
 from bs4 import BeautifulSoup
 from flask import g, url_for
+from flask_login import login_url
 from sqlalchemy.exc import IntegrityError


@ -312,13 +313,24 @@ class UtilActions(object):
        return self.get_ok(self.get_url(endpoint, **values))

    def assert_response_redirect(self, response, endpoint, **values):
-        assert response.status_code == 302
+        redirect_url = self.get_url(endpoint, **values)
+        self.assert_response_redirect_to_url(response, redirect_url)
+
+    def assert_response_redirect_to_url(self, response, redirect_url):
+        absolute_url = "http://localhost" + redirect_url

        response_location = response.headers["Location"]
-        redirect_url = self.get_url(endpoint, **values)
-        absolute_url = "http://localhost" + redirect_url
        assert response_location == redirect_url or response_location == absolute_url

+    def assert_response_redirect_to_login(self, response, next_url):
+        assert response.status_code == 302
+
+        with self._client:
+            with self._app.test_request_context():
+                redirect_url = login_url("security.login", next_url)
+
+        self.assert_response_redirect_to_url(response, redirect_url)
+
    def assert_response_contains_alert(self, response, category, message=None):
        assert response.status_code == 200

--- a/tests/views/test_admin_unit_member_invitation.py
+++ b/tests/views/test_admin_unit_member_invitation.py
@ -224,7 +224,7 @@ def test_read_new_member_not_authenticated(client, app, utils, seeder):

    url = "/invitations/%d" % invitation_id
    response = client.get(url)
-    utils.assert_response_redirect(response, "security.login", next=url)
+    utils.assert_response_redirect_to_login(response, url)


@pytest.mark.parametrize("user_exists", [True, False])
--- a/tests/views/test_manage.py
+++ b/tests/views/test_manage.py
@ -18,7 +18,7 @@ def test_index_withValidCookie(client, seeder, app, utils):

    with app.app_context():
        encoded = encode_cookie(str(admin_unit_id))
-        client.set_cookie("localhost", "manage_admin_unit_id", encoded)
+        client.set_cookie("manage_admin_unit_id", encoded)

    response = utils.get_endpoint("manage")
    utils.assert_response_redirect(response, "manage_admin_unit", id=admin_unit_id)
@ -26,7 +26,7 @@ def test_index_withValidCookie(client, seeder, app, utils):

 def test_index_withInvalidCookie(client, seeder: Seeder, utils: UtilActions):
    user_id, admin_unit_id = seeder.setup_base()
-    client.set_cookie("localhost", "manage_admin_unit_id", "invalid")
+    client.set_cookie("manage_admin_unit_id", "invalid")

    response = utils.get_endpoint("manage")
    utils.assert_response_redirect(response, "manage_admin_units")
--- a/tests/views/test_user.py
+++ b/tests/views/test_user.py
@ -27,8 +27,9 @@ def test_organization_invitation_not_authenticated(client, app, utils, seeder):

    seeder.create_user("invited@test.de")
    url = utils.get_url("user_organization_invitation", id=invitation_id)
+
    response = client.get(url)
-    utils.assert_response_redirect(response, "security.login", next=url)
+    utils.assert_response_redirect_to_login(response, url)


@pytest.mark.parametrize("user_exists", [True, False])