NXDRIVE-2933: Fix ReDoS in py library when used with subversion

docs/changes/5.5.0.md

@@ -4,7 +4,7 @@ Release date: `2024-xx-xx`
 
 ## Core
 
-- [NXDRIVE-2](https://jira.nuxeo.com/browse/NXDRIVE-2):
+- [NXDRIVE-2920](https://jira.nuxeo.com/browse/NXDRIVE-2920): Upgrade to TLS 1.2
 
 ### Direct Edit
 
@@ -20,19 +20,38 @@ Release date: `2024-xx-xx`
 
 ## Packaging / Build
 
-- [NXDRIVE-2](https://jira.nuxeo.com/browse/NXDRIVE-2):
+- [NXDRIVE-2927](https://jira.nuxeo.com/browse/NXDRIVE-2927): Fix Security issue Black vulnerable to Regular Expression Denial of Service (ReDoS)
+- [NXDRIVE-2928](https://jira.nuxeo.com/browse/NXDRIVE-2928): Fix security issue IDNA vulnerable to denial of service from specially crafted inputs to idna.encode
+- [NXDRIVE-2936] (https://jira.nuxeo.com/browse/NXDRIVE-2936): Fix security issue Requests Session object does not verify requests after making first request with verify=False
 
 ## Tests
 
-- [NXDRIVE-2](https://jira.nuxeo.com/browse/NXDRIVE-2):
+- [NXDRIVE-2933](https://jira.nuxeo.com/browse/NXDRIVE-2933): Fix redos in py library when used with subversion
 
 ## Docs
 
 - [NXDRIVE-2](https://jira.nuxeo.com/browse/NXDRIVE-2):
 
 ## Minor Changes
 
--
+- Added `cachetools` 5.3.3
+- Added `pyproject-api` 1.6.1
+- Removed `py` 1.10.0
+- Removed `pytest-forked` 1.6.0
+- Upgraded `black` from 23.12.1 to 24.4.2
+- Upgraded `chardet` from 4.0.0 to 5.2.0
+- Upgraded `filelock` from 3.12.4 to 3.14.0
+- Upgraded `idna` from 3.6 to 3.7
+- Upgraded `platformdirs` from 4.2.0 to 4.2.2
+- Upgraded `pluggy` from 1.4.0 to 1.5.0
+- Upgraded `pytest` from 7.4.4 to 8.2.1
+- Upgraded `py-cpuinfo` from 8.0.0 to 9.0.0
+- Upgraded `pytest-benchmark` from 3.4.1 to 4.0.0
+- Upgraded `pytest-cov` from 4.1.0 to 5.0.0
+- Upgraded `pytest-timeout` from 2.2.0 to 2.3.1
+- Upgraded `requests` from 2.31.0 to 2.32.2
+- Upgraded `tox` from 3.24.5 to 4.15.0
+- Upgraded `virtualenv` from 20.4.7 to 20.26.2
 
 ## Technical Changes
 

nxdrive/__main__.py

@@ -2,6 +2,7 @@
 In this file we cannot use a relative import here, else Drive will not start when packaged.
 See https://github.com/pyinstaller/pyinstaller/issues/2560
 """
+
 import locale
 import platform
 import signal

nxdrive/behavior.py

@@ -11,6 +11,7 @@
     Allow or disallow server deletions.
 
 """
+
 from types import SimpleNamespace
 
 Behavior = SimpleNamespace(server_deletion=True)

nxdrive/client/local/__init__.py

@@ -1,4 +1,5 @@
 """ API to access local resources for synchronization. """
+
 from .base import FileInfo, get
 
 # Get the local client related to the current OS

nxdrive/client/uploader/__init__.py

@@ -1,6 +1,7 @@
 """
 Uploader used by the Remote client for all upload stuff.
 """
+
 import json
 from abc import abstractmethod
 from logging import getLogger

nxdrive/client/uploader/direct_transfer.py

@@ -1,6 +1,7 @@
 """
 Uploader used by the Direct Transfer feature.
 """
+
 import json
 from logging import getLogger
 from pathlib import Path

nxdrive/client/uploader/sync.py

@@ -1,6 +1,7 @@
 """
 Uploader used by the synchronization engine.
 """
+
 from pathlib import Path
 from typing import Any, Dict, Optional
 

nxdrive/dao/base.py

@@ -1,6 +1,7 @@
 """
 Query formatting in this file is based on http://www.sqlstyle.guide/
 """
+
 import sys
 from contextlib import suppress
 from logging import getLogger

nxdrive/dao/engine.py

@@ -1,6 +1,7 @@
 """
 Query formatting in this file is based on http://www.sqlstyle.guide/
 """
+
 import json
 import os
 import shutil

nxdrive/dao/manager.py

@@ -1,6 +1,7 @@
 """
 Query formatting in this file is based on http://www.sqlstyle.guide/
 """
+
 from logging import getLogger
 from pathlib import Path
 from sqlite3 import Cursor, IntegrityError, Row

nxdrive/engine/engine.py

@@ -819,9 +819,7 @@ def resume_transfer(
         meth = (
             self.dao.get_download
             if nature == "download"
-            else self.dao.get_dt_upload
-            if is_direct_transfer
-            else self.dao.get_upload
+            else self.dao.get_dt_upload if is_direct_transfer else self.dao.get_upload
         )
         func = partial(meth, uid=uid)  # type: ignore
         self._resume_transfers(nature, func, is_direct_transfer=is_direct_transfer)

nxdrive/fatal_error.py

@@ -1,6 +1,7 @@
 """
 Fatal error screen management using either Qt or OS-specific dialogs.
 """
+
 import sys
 from contextlib import suppress
 from pathlib import Path

nxdrive/feature.py

@@ -22,6 +22,7 @@
     Enable or disable the synchronization features.
 
 """
+
 from types import SimpleNamespace
 from typing import List
 

nxdrive/gui/application.py

@@ -1,4 +1,5 @@
 """ Main Qt application handling OS events and system tray UI. """
+
 import os
 import webbrowser
 from contextlib import suppress

nxdrive/osi/darwin/pyNotificationCenter.py

@@ -1,4 +1,5 @@
 """ Python integration macOS notification center. """
+
 from typing import TYPE_CHECKING, Dict
 
 from CoreServices import (

nxdrive/qt/constants.py

@@ -1,6 +1,7 @@
 """
 Put here all PyQt constants used across the project.
 """
+
 from .imports import (
     QAbstractSocket,
     QDialogButtonBox,

nxdrive/qt/imports.py

@@ -1,6 +1,7 @@
 """
 Put here all PyQt imports used across the project.
 """
+
 from PyQt5.QtCore import (
     QT_VERSION_STR,
     QAbstractListModel,

nxdrive/state.py

@@ -11,6 +11,7 @@
     This state is set at the start of the application to know if it has crashed at the previous run.
 
 """
+
 from types import SimpleNamespace
 
 State = SimpleNamespace(about_to_quit=False, crash_details="", has_crashed=False)

nxdrive/utils.py

@@ -5,6 +5,7 @@
 Most of functions are pure enough to be decorated with a LRU cache.
 Each *maxsize* is adjusted depending of the heavy use of the decorated function.
 """
+
 import os
 import os.path
 import re
@@ -68,6 +69,8 @@
     "notBefore": "N/A",
 }
 
+MINIMUM_TLS_VERSION = "TLSv1_2"
+
 log = getLogger(__name__)
 
 
@@ -604,7 +607,10 @@ def retrieve_ssl_certificate(hostname: str, /, *, port: int = 443) -> str:
     import ssl
 
     with ssl.create_connection((hostname, port)) as conn:  # type: ignore
-        with ssl.SSLContext().wrap_socket(conn, server_hostname=hostname) as sock:
+        # Declaring a minimum version to restrict the protocol
+        context = ssl.create_default_context()
+        context.minimum_version = getattr(ssl.TLSVersion, MINIMUM_TLS_VERSION)
+        with context.wrap_socket(conn, server_hostname=hostname) as sock:
             cert_data: bytes = sock.getpeercert(binary_form=True)  # type: ignore
             return ssl.DER_cert_to_PEM_cert(cert_data)
 

tests/benchmarks/test_safe_filename.py

@@ -3,6 +3,7 @@
 If is not the most efficient for small ASCII-only filenames,
 but it is the best when there are non-ASCII characters.
 """
+
 import pytest
 
 FILENAMES = [

tests/cleanup.py

@@ -1,4 +1,5 @@
 """Cleanup old test users and workspaces."""
+
 import env
 from nuxeo.client import Nuxeo
 

tests/integration/windows/test_cli.py

@@ -108,7 +108,9 @@ def test_argument_log_filename(exe, tmp, file):
     assert log.is_file()
 
 
-@pytest.mark.parametrize("folder", ["azerty", "$alice", "léa", "mi Kaël", "こん ツリ ^^"])
+@pytest.mark.parametrize(
+    "folder", ["azerty", "$alice", "léa", "mi Kaël", "こん ツリ ^^"]
+)
 def test_argument_nxdrive_home(exe, tmp, folder):
     path = tmp()
     path.mkdir(parents=True, exist_ok=True)

tests/markers.py

@@ -1,4 +1,5 @@
 """Collection of pytest markers to ease test filtering."""
+
 import os
 
 import pytest

tests/old_functional/common.py

@@ -1,4 +1,5 @@
 """ Common test utilities. """
+
 import os
 import sys
 import tempfile

tests/old_functional/test_behavior.py

@@ -1,6 +1,7 @@
 """
 Test application Behavior.
 """
+
 from nxdrive.behavior import Behavior
 
 from .. import ensure_no_exception

tests/old_functional/test_direct_transfer.py

@@ -1,6 +1,7 @@
 """
 Test the Direct Transfer feature in different scenarii.
 """
+
 import logging
 import re
 from pathlib import Path
@@ -725,7 +726,7 @@ def checks(self, created):
         assert not self.engine_1.dao.get_errors(limit=0)
 
     def direct_transfer(self, folder, duplicate_behavior: str = "create") -> None:
-        paths = {path: size for path, size in get_tree_list(folder)}
+        paths = dict(get_tree_list(folder))
         self.engine_1.direct_transfer(
             paths,
             self.ws.path,

tests/old_functional/test_local_changes_when_offline.py

@@ -2,6 +2,7 @@
 Test if changes made to local file system when Drive is offline sync's back
 later when Drive becomes online.
 """
+
 import pytest
 
 from nxdrive.constants import WINDOWS

tests/old_functional/test_local_client.py

@@ -4,6 +4,7 @@
 
 See NXDRIVE-742.
 """
+
 import hashlib
 import os
 from pathlib import Path

tests/old_functional/test_synchronization_dedup.py

@@ -1,6 +1,7 @@
 """
 Test behaviors when the server allows duplicates and not the client.
 """
+
 from pathlib import Path
 
 import pytest

tests/old_functional/test_transfer.py

@@ -1,6 +1,7 @@
 """
 Test pause/resume transfers in different scenarii.
 """
+
 import re
 from unittest.mock import patch
 

tests/unit/test_autolock.py

@@ -1,6 +1,7 @@
 """
 Test the Auto-Lock feature used heavily by Direct Edit.
 """
+
 from pathlib import Path
 from typing import List, Tuple
 from unittest.mock import Mock, patch

tests/unit/test_pytest_random.py

@@ -2,6 +2,7 @@
 Tests for pytests_random: a pytest plugin to mitigate random failures.
 Adapted from github.com/pytest-dev/pytest-rerunfailures
 """
+
 import pytest
 
 pytest_plugins = "pytester"

tools/cleanup_application_tree.py

@@ -2,6 +2,7 @@
 Remove files from the package that are not needed and too big.
 This script can be launched after PyInstaller and before installers creation.
 """
+
 import os
 import shutil
 import sys

tools/deps/requirements-bench.txt

@@ -2,8 +2,9 @@
 # Modules needed by benchmarks.
 # This file is independent to not pollute other test environments.
 #
-py-cpuinfo==8.0.0 \
-    --hash=sha256:5f269be0e08e33fd959de96b34cd4aeeeacac014dd8305f70eb28d06de2345c5
-pytest-benchmark==3.4.1 \
-    --hash=sha256:36d2b08c4882f6f997fd3126a3d6dfd70f3249cde178ed8bbc0b73db7c20f809 \
-    --hash=sha256:40e263f912de5a81d891619032983557d62a3d85843f9a9f30b98baea0cd7b47
+pytest-benchmark==4.0.0 \
+    --hash=sha256:fb0785b83efe599a6a956361c0691ae1dbb5318018561af10f3e915caa0048d1 \
+    --hash=sha256:fdb7db64e31c8b277dff9850d2a2556d8b60bcb0ea6524e36e28ffd7c87f71d6
+py-cpuinfo==9.0.0 \
+    --hash=sha256:3cdbbf3fac90dc6f118bfd64384f309edeadd902d7c8fb17f02ffa1fc3f49690 \
+    --hash=sha256:859625bc251f64e21f077d099d4162689c762b5d6a4c3c97553d56241c9674d5

tools/deps/requirements-pip.txt

@@ -10,7 +10,7 @@ click==8.1.7 \
     --hash=sha256:ae74fb96c20a0277a1d615f1e4d73c8414f5a98db8b799a7931d1582f3390c28 \
     --hash=sha256:ca9853ad459e787e2192211578cc907e7594e294c7ccc834310722b41b9ca6de
     # via pip-tools
-colorama==0.4.6 ; sys_platform == "win32" \
+colorama==0.4.6 \
     --hash=sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44 \
     --hash=sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6
     # via click