Fix Safety warnings about Tornado and Poetry (#1231)

* chore: bump tornado in lockfile to fix safety warning * chore: ignore PVE-2024-73456 against poetry < 1.8.4
cjolowicz · Jan 19, 2025 · 3e83401 · 3e83401
1 parent 53062d9
commit 3e83401
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 16 deletions.
diff --git a/noxfile.py b/noxfile.py
@@ -141,11 +141,20 @@ def safety(session: Session) -> None:
         # ADVISORY: In Jinja2, the from_string function is prone to Server
         # Side Template Injection (SSTI) where it takes the "source" parameter as a
         # template object, renders it, and then returns it. The attacker can exploit
-        # it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple
-        # third parties believe that this vulnerability isn't valid because users
-        # shouldn't use untrusted templates without sandboxing.
+        # it with {{INJECTION COMMANDS}} in a URI.
+        #
+        # NOTE: The maintainer and multiple third parties believe that this
+        # vulnerability isn't valid because users shouldn't use untrusted templates
+        # without sandboxing.
+        #
         # CVE-2019-8341
         "70612",
+        # ADVISORY: Poetry requires virtualenv version 20.26.6 or higher to protect
+        # against potential command injection attacks when running poetry shell in
+        # untrusted projects.
+        #
+        # PVE-2024-73456
+        "74403",
     ]
 
     session.run(

diff --git a/poetry.lock b/poetry.lock