Merge #3138

3138: Update dependencies and re-enable flask toolbar r=nextgens a=ghostwheel42 ## What type of PR? bug-fix ## What does this PR do? Update python dependencies to versions without known security vulnerabilities. Also re-enable flask debug toolbar which was disabled earlier. werkzeug < 2.3.8: CVE-2023-46136 aiohttp < 3.9.0: CVE-2023-49081 CVE-2023-49082 cryptography >= 3.1 < 41.0.6: CVE-2023-49083 jinja2 < 3.1.3: CVE-2024-22195 Co-authored-by: Alexander Graf <ghostwheel42@users.noreply.github.com>
2025-06-04 23:27:34 +02:00 · 2024-02-29 17:45:16 +00:00 · 2024-02-29 17:45:16 +00:00 · 1612b11e62
commit 1612b11e62
parent d752e96805 a1e395c581
6 changed files with 65 additions and 63 deletions
--- a/core/admin/mailu/debug.py
+++ b/core/admin/mailu/debug.py
@ -1,11 +1,10 @@
-#Note: Currently flask_debugtoolbar is not compatible with flask.
-#import flask_debugtoolbar
+import flask_debugtoolbar

 from werkzeug.middleware.profiler import ProfilerMiddleware


 # Debugging toolbar
-#toolbar = flask_debugtoolbar.DebugToolbarExtension()
+toolbar = flask_debugtoolbar.DebugToolbarExtension()


 # Profiler
--- a/core/admin/mailu/models.py
+++ b/core/admin/mailu/models.py
@ -14,6 +14,7 @@ import passlib.context
 import passlib.hash
 import passlib.registry
 import time
+import logging
 import os
 import smtplib
 import idna
@ -30,6 +31,10 @@ from werkzeug.utils import cached_property
 from mailu import dkim, utils


+# silence AttributeError: module 'bcrypt' has no attribute '__about__'
+logging.getLogger('passlib').setLevel(logging.ERROR)
+
+
 db = flask_sqlalchemy.SQLAlchemy()


@ -159,13 +164,6 @@ class Base(db.Model):
        flag_modified(self, 'updated_at')


-# Many-to-many association table for domain managers
-managers = db.Table('manager', Base.metadata,
-    db.Column('domain_name', IdnaDomain, db.ForeignKey('domain.name')),
-    db.Column('user_email', IdnaEmail, db.ForeignKey('user.email'))
-)
-
-
 class Config(Base):
    """ In-database configuration values
    """
@ -180,6 +178,10 @@ def _save_dkim_keys(session):
        if isinstance(obj, Domain):
            obj.save_dkim_key()

+def _get_managers():
+    return managers
+
+
 class Domain(Base):
    """ A DNS domain that has mail addresses associated to it.
    """
@ -187,7 +189,7 @@ class Domain(Base):
    __tablename__ = 'domain'

    name = db.Column(IdnaDomain, primary_key=True, nullable=False)
-    managers = db.relationship('User', secondary=managers,
+    managers = db.relationship('User', secondary=_get_managers,
        backref=db.backref('manager_of'), lazy='dynamic')
    max_users = db.Column(db.Integer, nullable=False, default=-1)
    max_aliases = db.Column(db.Integer, nullable=False, default=-1)
@ -790,6 +792,13 @@ class Fetch(Base):
        )


+# Many-to-many association table for domain managers
+managers = db.Table('manager', Base.metadata,
+    db.Column('domain_name', IdnaDomain, db.ForeignKey(Domain.name)),
+    db.Column('user_email', IdnaEmail, db.ForeignKey(User.email))
+)
+
+
 class MailuConfig:
    """ Class which joins whole Mailu config for dumping
        and loading
--- a/core/admin/mailu/sso/views/base.py
+++ b/core/admin/mailu/sso/views/base.py
@ -9,8 +9,7 @@ import flask
 import flask_login
 import secrets
 import ipaddress
-from urllib.parse import urlparse, urljoin
-from werkzeug.urls import url_unquote
+from urllib.parse import urlparse, urljoin, unquote

@sso.route('/login', methods=['GET', 'POST'])
 def login():
@ -120,8 +119,7 @@ def _has_usable_redirect(is_proxied=False):
    if 'homepage' in flask.request.url and not is_proxied:
        return None
    if url := flask.request.args.get('url'):
-        url = url_unquote(url)
-        target = urlparse(urljoin(flask.request.url, url))
+        target = urlparse(urljoin(flask.request.url, unquote(url)))
        if target.netloc == urlparse(flask.request.url).netloc:
            return target.geturl()
    return None
--- a/core/admin/mailu/utils.py
+++ b/core/admin/mailu/utils.py
@ -412,8 +412,8 @@ class MailuSessionInterface(SessionInterface):
        # save session and update cookie if necessary
        if session.save():
            response.set_cookie(
-               app.config['SESSION_COOKIE_NAME'],
-                session.sid,
+                app.config['SESSION_COOKIE_NAME'],
+                session.sid.decode('ascii'),
                expires=datetime.now()+timedelta(seconds=app.config['PERMANENT_SESSION_LIFETIME']),
                httponly=self.get_cookie_httponly(app),
                domain=self.get_cookie_domain(app),
--- a/core/base/requirements-dev.txt
+++ b/core/base/requirements-dev.txt
@ -16,7 +16,7 @@ Flask-Login
 flask-marshmallow
 Flask-Migrate
 Flask-RESTX
-Flask-SQLAlchemy<3
+Flask-SQLAlchemy
 Flask-WTF
 gunicorn
 idna
--- a/core/base/requirements-prod.txt
+++ b/core/base/requirements-prod.txt
@ -1,68 +1,64 @@
 aiodns==3.1.1
-aiohttp==3.8.6
+aiohttp==3.9.1
 aiosignal==1.3.1
-alembic==1.12.1
+alembic==1.13.1
 aniso8601==9.0.1
-async-timeout==4.0.3
-attrs==23.1.0
-Babel==2.13.1
-bcrypt==4.0.1
-blinker==1.6.3
-certifi==2023.7.22
+attrs==23.2.0
+Babel==2.14.0
+bcrypt==4.1.2
+blinker==1.7.0
+certifi==2023.11.17
 cffi==1.16.0
-charset-normalizer==3.3.1
+charset-normalizer==3.3.2
 click==8.1.7
 colorclass==2.2.2
-cryptography==41.0.5
+cryptography==41.0.7
 defusedxml==0.7.1
 Deprecated==1.2.14
-dnspython==2.4.2
-dominate==2.8.0
+dnspython==2.5.0
+dominate==2.9.1
 easygui==0.98.3
 email-validator==2.1.0.post1
-Flask==2.3.3
+Flask==3.0.1
 flask-babel==4.0.0
 Flask-Bootstrap==3.3.7.1
-#Flask-DebugToolbar is not compatible with Flask 2.3.3+
-#Flask-DebugToolbar==0.13.1
+Flask-DebugToolbar==0.14.1
 Flask-Login==0.6.3
-flask-marshmallow==0.15.0
+flask-marshmallow==1.1.0
 Flask-Migrate==4.0.5
-flask-restx==1.1.0
-Flask-SQLAlchemy==2.5.1
-# >2.5.1 bug with parsing models.py. Could otherwise be 3.0.5
+flask-restx==1.3.0
+Flask-SQLAlchemy==3.1.1
 Flask-WTF==1.2.1
-frozenlist==1.4.0
-greenlet==3.0.1
+frozenlist==1.4.1
+greenlet==3.0.3
 gunicorn==21.2.0
-idna==3.4
-importlib-resources==6.1.0
+idna==3.6
+importlib-resources==6.1.1
 infinity==1.5
 intervals==0.9.2
 itsdangerous==2.1.2
-Jinja2==3.1.2
-jsonschema==4.19.2
-jsonschema-specifications==2023.7.1
-limits==3.6.0
-Mako==1.2.4
-MarkupSafe==2.1.3
-marshmallow==3.20.1
-marshmallow-sqlalchemy==0.29
-msoffcrypto-tool==5.1.1
+Jinja2==3.1.3
+jsonschema==4.21.1
+jsonschema-specifications==2023.12.1
+limits==3.7.0
+Mako==1.3.0
+MarkupSafe==2.1.4
+marshmallow==3.20.2
+marshmallow-sqlalchemy==0.30.0
+msoffcrypto-tool==5.3.1
 multidict==6.0.4
-mysql-connector-python==8.2.0
-olefile==0.46
+mysql-connector-python==8.3.0
+olefile==0.47
 oletools==0.60.1
 packaging==23.2
 passlib==1.7.4
 pcodedmp==1.2.6
 podop @ file:///app/libs/podop
 postfix-mta-sts-resolver==1.4.0
-protobuf==4.21.12
 psycopg2-binary==2.9.9
 pycares==4.4.0
 pycparser==2.21
-Pygments==2.16.1
+Pygments==2.17.2
 pyparsing==2.4.7
 python-dateutil==2.8.2
 python-magic==0.4.27
@ -70,24 +66,24 @@ pytz==2023.3.post1
 PyYAML==6.0.1
 Radicale==3.1.8
 redis==5.0.1
-referencing==0.30.2
+referencing==0.32.1
 requests==2.31.0
-rpds-py==0.10.6
+rpds-py==0.17.1
 six==1.16.0
 socrate @ file:///app/libs/socrate
-SQLAlchemy==1.4.50
+SQLAlchemy==2.0.25
 srslib==0.1.4
 tabulate==0.9.0
 tenacity==8.2.3
-typing_extensions==4.8.0
-urllib3==2.0.7
+typing_extensions==4.9.0
+urllib3==2.1.0
 validators==0.22.0
 visitor==0.1.3
 vobject==0.9.6.1
 watchdog==3.0.0
-Werkzeug===2.3.7
-wrapt==1.15.0
-WTForms==3.1.1
+Werkzeug==3.0.1
+wrapt==1.16.0
+WTForms==3.1.2
 WTForms-Components==0.10.5
 xmltodict==0.13.0
-yarl==1.9.2
+yarl==1.9.4