diff --git a/.circleci/config.yml b/.circleci/config.yml index f368c7f0ec..83caf83010 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -219,7 +219,7 @@ jobs: deploy: docker: # The primary container is an instance of the first list image listed. Your build commands run in this container. - - image: circleci/ruby:2.6 + - image: circleci/ruby:2.7 working_directory: /tmp/deploy environment: - DISTROS: "bionic focal el7 el8" diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 1330d483f7..c4fae12a59 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -29,13 +29,17 @@ Fixed * Update cryptography 3.4.7 -> 39.0.1, pyOpenSSL 21.0.0 -> 23.1.0, paramiko 2.10.5 -> 2.11.0 (security). #6055 -* Bumped `eventlet` to `0.33.3` and `gunicorn` to `21.2.0` to fix `RecursionError` bug in setting `SSLContext` `minimum_version` property. #6061 +* Bumped `eventlet` to `0.33.3` and `gunicorn` to `21.2.0` to fix `RecursionError` bug in setting `SSLContext` `minimum_version` property. (security) #6061 Contributed by @jk464 +* Update orquesta to v1.6.0 to fix outdated dependencies (security). #6050 + +* Fix KV value lookup in actions when RBAC is enabled #5934 + +* Update version 3.1.15 of ``gitpython`` to 3.1.18 for py3.6 and to 3.1.37 for py3.8 (security). #6063 + Added ~~~~~ -* Added Schwarz Digits to ADOPTERS.md by Ronnie Hoffmann (@ZoeLeah Schwarz IT KG) - * Move `git clone` to `user_home/.st2packs` #5845 * Error on `st2ctl status` when running in Kubernetes. #5851 diff --git a/contrib/runners/orquesta_runner/in-requirements.txt b/contrib/runners/orquesta_runner/in-requirements.txt index 3302e48fad..8bf195dae4 100644 --- a/contrib/runners/orquesta_runner/in-requirements.txt +++ b/contrib/runners/orquesta_runner/in-requirements.txt @@ -1 +1 @@ -orquesta@ git+https://github.com/StackStorm/orquesta.git@v1.5.0 +orquesta@ git+https://github.com/StackStorm/orquesta.git@v1.6.0 
diff --git a/contrib/runners/orquesta_runner/requirements.txt b/contrib/runners/orquesta_runner/requirements.txt index be64688128..cf26d58430 100644 --- a/contrib/runners/orquesta_runner/requirements.txt +++ b/contrib/runners/orquesta_runner/requirements.txt @@ -5,4 +5,4 @@ # If you want to update depdencies for a single component, modify the # in-requirements.txt for that component and then run 'make requirements' to # update the component requirements.txt -orquesta@ git+https://github.com/StackStorm/orquesta.git@v1.5.0 +orquesta@ git+https://github.com/StackStorm/orquesta.git@v1.6.0 diff --git a/fixed-requirements.txt b/fixed-requirements.txt index 00ed7297b9..915e16b599 100644 --- a/fixed-requirements.txt +++ b/fixed-requirements.txt @@ -12,7 +12,9 @@ cryptography==39.0.1 # depend on rely eventlet==0.33.3 flex==6.14.1 -gitpython==3.1.15 +# Note: installs gitpython==3.1.37 (security fixed) under py3.8 and gitpython==3.1.18 (latest available, vulnerable) under py3.6 +# TODO: Pin to 3.1.37 or higher after dropping python3.6 support +gitpython<=3.1.37 # Needed by gitpython, old versions used to bundle it gitdb==4.0.2 # Note: greenlet is used by eventlet @@ -26,8 +28,8 @@ lockfile==0.12.2 # >=0.23 was from jinja2 MarkupSafe<2.1.0,>=0.23 mongoengine==0.23.0 -# networkx v2.6 does not support Python3.6. Update networkx to match orquesta -networkx>=2.5.1,<2.6 +# required by orquesta (networkx<2.6 for py3.6, networkx<3 for py3.8) +networkx<3 # networkx requires decorator>=4.3,<5 which should resolve to version 4.4.2 # but the wheel on pypi does not say it supports python3.8, so pip gets # confused. For now, pin decorator to work around pip's confusion. diff --git a/requirements-pants.txt b/requirements-pants.txt index 3e07857de0..ef04eaaf91 100644 --- a/requirements-pants.txt +++ b/requirements-pants.txt 
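Review bot: In the fixed-requirements.txt hunk, `gitpython<=3.1.37` has no lower bound, so the note above it ("installs gitpython==3.1.37 under py3.8") is an expectation of the resolver, not something the file enforces — any downstream pin, constraint file or cached wheel can legitimately land on the old vulnerable 3.1.15 (or older) on either interpreter and still satisfy this line. Since the split is purely by interpreter version, environment markers express the intent exactly and keep the py3.8 path pinned: `gitpython==3.1.37; python_version >= "3.7"` and `gitpython==3.1.18; python_version < "3.7"`. The header comment in the orquesta_runner requirements.txt says the per-component requirements.txt files are regenerated from this file, so the same unbounded range is inherited by the `gitpython<=3.1.37` lines in the later hunks and would be fixed by the same change. The TODO about py3.6 should probably also state that the 3.1.18 path ships a known-vulnerable version, so the security entry in the changelog is not read as covering both interpreters.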
@@ -31,7 +31,7 @@ mongoengine # networkx version is constrained in orquesta. networkx orjson -orquesta @ git+https://github.com/StackStorm/orquesta.git@v1.5.0 +orquesta @ git+https://github.com/StackStorm/orquesta.git@v1.6.0 # NOTE: Recent version substantially affect the performance and add big import time overhead # See https://github.com/StackStorm/st2/issues/4160#issuecomment-394386433 for details oslo.config>=1.12.1,<1.13 diff --git a/requirements.txt b/requirements.txt index 841cf38cb3..5183347a27 100644 --- a/requirements.txt +++ b/requirements.txt @@ -20,7 +20,7 @@ dnspython>=1.16.0,<2.0.0 eventlet==0.33.3 flex==6.14.1 gitdb==4.0.2 -gitpython==3.1.15 +gitpython<=3.1.37 greenlet==1.0.0 gunicorn==21.2.0 importlib-metadata==3.10.1 @@ -32,12 +32,12 @@ lockfile==0.12.2 logshipper@ git+https://github.com/StackStorm/logshipper.git@stackstorm_patched ; platform_system=="Linux" mock==4.0.3 mongoengine==0.23.0 -networkx>=2.5.1,<2.6 +networkx<3 nose nose-parallel==0.4.0 nose-timer==1.0.1 orjson==3.5.2 -orquesta@ git+https://github.com/StackStorm/orquesta.git@v1.5.0 +orquesta@ git+https://github.com/StackStorm/orquesta.git@v1.6.0 oslo.config>=1.12.1,<1.13 oslo.utils<5.0,>=4.0.0 paramiko==2.11.0 diff --git a/st2actions/requirements.txt b/st2actions/requirements.txt index e15c7c967e..bdfe4e8b1c 100644 --- a/st2actions/requirements.txt +++ b/st2actions/requirements.txt @@ -9,7 +9,7 @@ MarkupSafe<2.1.0,>=0.23 apscheduler==3.7.0 chardet<3.1.0 eventlet==0.33.3 -gitpython==3.1.15 +gitpython<=3.1.37 jinja2==2.11.3 kombu==5.0.2 lockfile==0.12.2 diff --git a/st2common/in-requirements.txt b/st2common/in-requirements.txt index 9580fa2fbe..1daa52fb8e 100644 --- a/st2common/in-requirements.txt +++ b/st2common/in-requirements.txt 
@@ -14,7 +14,7 @@ mongoengine networkx # used by networkx decorator -orquesta@ git+https://github.com/StackStorm/orquesta.git@v1.5.0 +orquesta@ git+https://github.com/StackStorm/orquesta.git@v1.6.0 st2-rbac-backend@ git+https://github.com/StackStorm/st2-rbac-backend.git@master oslo.config paramiko diff --git a/st2common/requirements.txt b/st2common/requirements.txt index bd1a1827af..575b251177 100644 --- a/st2common/requirements.txt +++ b/st2common/requirements.txt @@ -17,7 +17,7 @@ dnspython>=1.16.0,<2.0.0 eventlet==0.33.3 flex==6.14.1 gitdb==4.0.2 -gitpython==3.1.15 +gitpython<=3.1.37 greenlet==1.0.0 jinja2==2.11.3 jsonpath-rw==1.4.0 @@ -25,9 +25,9 @@ jsonschema==2.6.0 kombu==5.0.2 lockfile==0.12.2 mongoengine==0.23.0 -networkx>=2.5.1,<2.6 +networkx<3 orjson==3.5.2 -orquesta@ git+https://github.com/StackStorm/orquesta.git@v1.5.0 +orquesta@ git+https://github.com/StackStorm/orquesta.git@v1.6.0 oslo.config>=1.12.1,<1.13 paramiko==2.11.0 pyOpenSSL==23.1.0 diff --git a/st2common/st2common/services/keyvalues.py b/st2common/st2common/services/keyvalues.py index 824f4bf048..9b41b9e29d 100644 --- a/st2common/st2common/services/keyvalues.py +++ b/st2common/st2common/services/keyvalues.py 
@@ -191,17 +191,17 @@ def _get_kv(self, key): if kvp: LOG.debug("Got value %s from datastore.", kvp.value) - # Check that user has permission to the key value pair. - # If RBAC is enabled, this check will verify if user has system role with all access. - # If RBAC is enabled, this check guards against a user accessing another user's kvp. - # If RBAC is enabled, user needs to be explicitly granted permission to view a system kvp. - # The check is sufficient to allow decryption of the system kvp. - rbac_utils = get_rbac_backend().get_utils_class() - rbac_utils.assert_user_has_resource_db_permission( - user_db=UserDB(name=self._user), - resource_db=kvp, - permission_type=PermissionType.KEY_VALUE_PAIR_VIEW, - ) + # Check that user has permission to the key value pair. + # If RBAC is enabled, this check will verify if user has system role with all access. + # If RBAC is enabled, this check guards against a user accessing another user's kvp. + # If RBAC is enabled, user needs to be explicitly granted permission to view a system kvp. + # The check is sufficient to allow decryption of the system kvp. + rbac_utils = get_rbac_backend().get_utils_class() + rbac_utils.assert_user_has_resource_db_permission( + user_db=UserDB(name=self._user), + resource_db=kvp, + permission_type=PermissionType.KEY_VALUE_PAIR_VIEW, + ) return kvp.value if kvp else ""
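Review bot: The removed and added lines in this hunk are textually identical, so the fix is an indentation move that this rendering does not show; the comment block above the `assert_user_has_resource_db_permission` call should say which branch the RBAC check now lives in, e.g. `# Only evaluate RBAC when a value was found; a missing key falls through to "" below.` If the check now sits inside `if kvp:` (which the unchanged line counts and the "Fix KV value lookup in actions when RBAC is enabled" changelog entry suggest), then a caller without `KEY_VALUE_PAIR_VIEW` still learns whether a key exists in the scope, because a missing key returns `""` from `return kvp.value if kvp else ""` while an existing one raises — worth a one-line comment acknowledging that this existence leak is accepted, or handling the missing-key case the same way as a denied one if it is not. A regression test that performs a lookup of a missing key with RBAC enabled would pin the fixed behaviour. `_get_kv` starts before this hunk, so the scope lookup that produces `kvp` is not visible here.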