Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added 'allow_redirects' parameter in perform_request function for RequestsHttpConnection #401

Merged
merged 1 commit into from
Jun 13, 2023
Merged

Added 'allow_redirects' parameter in perform_request function for RequestsHttpConnection #401

merged 1 commit into from
Jun 13, 2023

Conversation

saimedhi
Copy link
Collaborator

Description

Fixed CVE-2023-32681 linked to Requests

Issues Resolved

fixes GHSA-j8r2-6x86-q33q

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@codecov
Copy link

codecov bot commented May 31, 2023
edited
Loading

Codecov Report

Merging #401 (86d21a2) into main (dafc966) will not change coverage.
The diff coverage is 100.00%.

@@           Coverage Diff           @@
##             main     #401   +/-   ##
=======================================
  Coverage   72.12%   72.12%           
=======================================
  Files          77       77           
  Lines        7190     7190           
=======================================
  Hits         5186     5186           
  Misses       2004     2004
Impacted Files Coverage Δ
opensearchpy/connection/http_requests.py 86.36% <100.00%> (ø)

@harshavamsi
Copy link
Collaborator

Thanks @saimedhi for this change. Can you write a simple test on the prepare_request method mocking it and trying to do a redirect and failing(since allow_redirects) is false. This gives us confidence in this change working.

@saimedhi saimedhi force-pushed the fix/requests-CVE-2023-32681 branch from bcc8dfb to c318a3e Compare June 2, 2023 00:29
@saimedhi saimedhi marked this pull request as draft June 2, 2023 00:58
@saimedhi
Copy link
Collaborator Author

saimedhi commented Jun 2, 2023
edited
Loading

PR ready for review

@saimedhi saimedhi force-pushed the fix/requests-CVE-2023-32681 branch from 230ec78 to edf94e2 Compare June 2, 2023 20:17
@saimedhi saimedhi marked this pull request as ready for review June 2, 2023 20:24
@dblock
Copy link
Member

dblock commented Jun 6, 2023
edited
Loading

Thanks! Looks like this adds an allow_redirects option, aka it's a new feature?

It also changes the existing behavior, which would be a breaking change for users, isn't it? We should discuss making it. Is that CVE critical enough to warrant a backwards incompatible change?

  1. Assuming the CVE is not critical/high, I would make this PR without breaking backwards compatibility, aka keep allow_redirects=True.
  2. Instead of calling out the CVE in CHANGELOG let's call out the new feature.
  3. Document the new feature in user guide.

@saimedhi
Copy link
Collaborator Author

saimedhi commented Jun 6, 2023

Hello @dblock, Are you recommending that we need to capture 3xx response codes and ensure a new request is made to the redirect destination. This prevents breaking change for users currently relying on redirect behaviors. I agree with your suggestion and will implement it.

@dblock
Copy link
Member

dblock commented Jun 7, 2023
edited
Loading

Maybe, but I also think that you can start by turning this PR into just adding allow_redirects and defaulting it to True. Users that care about this CVE could set it to False understanding the consequences. We would merge that because it's just a new option, doesn't break anything and helps users fix their problem themselves.

Then, as a separate PR, we can discuss the vulnerability and how we can either switch that option to False by default or implement something that can keep it at True and fix the vulnerability.

@wbeckler
Copy link
Contributor

wbeckler commented Jun 8, 2023
edited
Loading

If we merge it, it's important that we don't leave the impression that we "fixed" the CVE. That requires a default behavior of no auto-redirect. I'd be okay with 2 merges or 1 big one, but we need to get to the point where we default to the safe code path either way. So we'll need to keep moving toward the catching of the 3xx and the redirect from there.

@saimedhi saimedhi force-pushed the fix/requests-CVE-2023-32681 branch from edf94e2 to 255e052 Compare June 13, 2023 18:22
@saimedhi saimedhi changed the title Fixed CVE-2023-32681 linked to Requests Added 'allow_redirects' parameter in perform_request function for RequestsHttpConnection Jun 13, 2023
@saimedhi
Added 'allow_redirects' parameter in perform_request function for Req…
86d21a2 
…uestsHttpConnection

Signed-off-by: saimedhi <saimedhi@amazon.com>
@saimedhi saimedhi force-pushed the fix/requests-CVE-2023-32681 branch from 255e052 to 86d21a2 Compare June 13, 2023 18:29
@dblock dblock merged commit f1b5706 into opensearch-project:main Jun 13, 2023
@saimedhi saimedhi mentioned this pull request Jun 20, 2023
Closed
@saimedhi saimedhi deleted the fix/requests-CVE-2023-32681 branch October 4, 2023 22:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dblock dblock dblock approved these changes

@VachaShah VachaShah Awaiting requested review from VachaShah VachaShah is a code owner

@harshavamsi harshavamsi Awaiting requested review from harshavamsi harshavamsi is a code owner

@axeoman axeoman Awaiting requested review from axeoman axeoman is a code owner

@deztructor deztructor Awaiting requested review from deztructor

@Shephalimittal Shephalimittal Awaiting requested review from Shephalimittal Shephalimittal is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@saimedhi @harshavamsi @dblock @wbeckler