[Pkg-freeipa-devel] [Git][freeipa-team/python-jwcrypto][upstream] 6 commits: Fix doc generation
Timo Aaltonen (@tjaalton)
gitlab at salsa.debian.org
Thu May 2 07:17:52 BST 2024
Timo Aaltonen pushed to branch upstream at FreeIPA packaging / python-jwcrypto
Commits:
5dc2ea2a by Simo Sorce at 2024-02-22T12:54:47-05:00
Fix doc generation
Missing requirements caused the build to fail to include autogenerated
doc text.
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
7f51d28e by Simo Sorce at 2024-03-05T12:47:26-05:00
Update publish action to upload also binary dist
Fixes #326
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
491f4485 by Simo Sorce at 2024-03-05T12:47:26-05:00
Version 1.5.5
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
240cc60f by Simo Sorce at 2024-03-05T14:50:22-05:00
Modernize pypi action
Change format to yaml
Run it on pull requests to check all steps work
Publish conditionally only on tag ref pushes
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
90477a3b by Simo Sorce at 2024-03-06T14:44:08-05:00
Address potential DoS with high compression ratio
Fixes CVE-2024-28102
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
ecde4efd by Simo Sorce at 2024-03-06T14:44:37-05:00
Version 1.5.6
Signed-off-by: Simo Sorce <simo at redhat.com>
- - - - -
6 changed files:
- .github/workflows/publish-to-pypi.yml
- .readthedocs.yaml
- + docs/requirements.txt
- jwcrypto/VERSION
- jwcrypto/jwe.py
- jwcrypto/tests.py
Changes:
=====================================
.github/workflows/publish-to-pypi.yml
=====================================
@@ -1,34 +1,37 @@
-{
- "name": "Release to PyPI",
- "on": {
- "push": {
- "tags": [ "v*.*" ]
- },
- },
- "jobs": {
- "pypi": {
- "name": "Publish Release",
- "runs-on": "ubuntu-latest",
- "steps": [
- { "uses": "actions/checkout at v2" },
- {
- "uses": "actions/setup-python at v2",
- "with": {
- "python-version": "3.10"
- },
- },
- { "run": "sudo apt-get update" },
- { "run": "sudo apt-get install cargo" },
- { "run": "pip --version" },
- { "run": "python setup.py sdist" },
- {
- "uses": "pypa/gh-action-pypi-publish at release/v1",
- "with": {
- "user": "__token__",
- "password": "${{secrets.PYPI_API_TOKEN}}",
- },
- },
- ],
- },
- },
-}
+---
+name: Release to PyPI
+
+on:
+ push:
+ tags: [ "v*.*" ]
+ pull_request:
+ branches: ["main"]
+
+jobs:
+ pypi:
+ name: Publish Release
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout at v4
+ - name: Setup
+ uses: actions/setup-python at v5
+ with:
+ python-version: '3.11'
+ - name: Make distribution
+ run: |
+ sudo apt-get update
+ sudo apt-get install cargo
+ pip --version
+ pip install wheel
+ python setup.py sdist
+ python setup.py bdist_wheel
+ - name: Publish on pypi (only for tag pushes)
+ if: startsWith(github.ref, 'refs/tags')
+ uses: pypa/gh-action-pypi-publish at release/v1
+ with:
+ user: __token__
+ password: ${{secrets.PYPI_API_TOKEN}}
+ skip-existing: true
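Review bot: the publish step still authenticates with a long-lived `PYPI_API_TOKEN` stored as a repository secret (the `user: __token__` / `password: ${{secrets.PYPI_API_TOKEN}}` lines); `pypa/gh-action-pypi-publish@release/v1` supports PyPI trusted publishing, which needs only `permissions: id-token: write` on the job and no stored credential, so consider switching and deleting the token. Two smaller points: `python setup.py sdist` / `python setup.py bdist_wheel` are deprecated setuptools entry points, and `pip install build` followed by `python -m build` produces both artifacts in one step; and `skip-existing: true` silently turns an upload of an already-published version into a no-op, which would hide a re-tag that never actually shipped. Building on `pull_request` while gating the upload with `if: startsWith(github.ref, 'refs/tags')` is a good change, since fork PRs exercise the build without ever seeing the secret.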
=====================================
.readthedocs.yaml
=====================================
@@ -30,6 +30,6 @@ formats:
# Optional but recommended, declare the Python requirements required
# to build your documentation
# See https://docs.readthedocs.io/en/stable/guides/reproducible-builds.html
-# python:
-# install:
-# - requirements: docs/requirements.txt
+python:
+ install:
+ - requirements: docs/requirements.txt
=====================================
docs/requirements.txt
=====================================
@@ -0,0 +1,2 @@
+cryptography >= 3.4
+typing_extensions >= 4.5.0
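Review bot: both entries are open lower bounds (`cryptography >= 3.4`, `typing_extensions >= 4.5.0`), while the comment kept in .readthedocs.yaml points at the Read the Docs reproducible-builds guide, whose advice is to pin the docs requirements exactly; pin with `==` (or at least cap the major version) so an upstream release cannot break doc generation again, which is the failure the first commit is fixing. It is also worth confirming that these two runtime dependencies are all autodoc needs: the generated text comes from importing `jwcrypto`, and nothing in this hunk installs the package itself, so the build presumably relies on a `sys.path` tweak in the Sphinx conf or on a `python.install` entry not shown here.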
=====================================
jwcrypto/VERSION
=====================================
@@ -1 +1 @@
-1.5.4
+1.5.6
=====================================
jwcrypto/jwe.py
=====================================
@@ -10,6 +10,9 @@ from jwcrypto.common import json_decode, json_encode
from jwcrypto.jwa import JWA
from jwcrypto.jwk import JWKSet
+# Limit the amount of data we are willing to decompress by default.
+default_max_compressed_size = 256 * 1024
+
# RFC 7516 - 4.1
# name: (description, supported?)
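Review bot: `default_max_compressed_size` is a module-level global, so the only way for a caller to raise or lower it (as tests.py goes on to do) is to mutate `jwcrypto.jwe` state shared by every JWE in the process; the comment's "by default" implies a per-call override that does not exist. Consider accepting a `max_compressed_size` argument on `JWE.__init__` or `decrypt()` that defaults to this constant, and document the new limit in the 1.5.6 release notes, because deployments that legitimately decrypt compressed payloads larger than 256 KiB will start receiving `InvalidJWEData` after this upgrade.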
@@ -422,6 +425,10 @@ class JWE:
compress = jh.get('zip', None)
if compress == 'DEF':
+ if len(data) > default_max_compressed_size:
+ raise InvalidJWEData(
+ 'Compressed data exceeds maximum allowed'
+ 'size' + f' ({default_max_compressed_size})')
self.plaintext = zlib.decompress(data, -zlib.MAX_WBITS)
elif compress is None:
self.plaintext = data
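Review bot: the new check bounds the compressed input (`len(data)`), not the decompressed output, and DEFLATE can expand by roughly 1032:1, so a 256 KiB ciphertext still forces `zlib.decompress` to allocate on the order of 264 MiB; bounding the output is the stronger fix, e.g. `d = zlib.decompressobj(-zlib.MAX_WBITS)`, `out = d.decompress(data, max_length)` and raise `InvalidJWEData` if `d.unconsumed_tail` is non-empty or `d.eof` is false. The error message is also missing a space: the adjacent literals `'Compressed data exceeds maximum allowed'` and `'size'` are implicitly concatenated and render as "allowedsize (262144)".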
=====================================
jwcrypto/tests.py
=====================================
@@ -2111,6 +2111,32 @@ class ConformanceTests(unittest.TestCase):
jwa.default_max_pbkdf2_iterations += 2
p2cenc.add_recipient(key)
+ def test_jwe_decompression_max(self):
+ key = jwk.JWK(kty='oct', k=base64url_encode(b'A' * (128 // 8)))
+ payload = '{"u": "' + "u" * 400000000 + '", "uu":"' \
+ + "u" * 400000000 + '"}'
+ protected_header = {
+ "alg": "A128KW",
+ "enc": "A128GCM",
+ "typ": "JWE",
+ "zip": "DEF",
+ }
+ enc = jwe.JWE(payload.encode('utf-8'),
+ recipient=key,
+ protected=protected_header).serialize(compact=True)
+ with self.assertRaises(jwe.InvalidJWEData):
+ check = jwe.JWE()
+ check.deserialize(enc)
+ check.decrypt(key)
+
+ defmax = jwe.default_max_compressed_size
+ jwe.default_max_compressed_size = 1000000000
+ # ensure we can eraise the limit and decrypt
+ check = jwe.JWE()
+ check.deserialize(enc)
+ check.decrypt(key)
+ jwe.default_max_compressed_size = defmax
+
class JWATests(unittest.TestCase):
def test_jwa_create(self):
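Review bot: the override of `jwe.default_max_compressed_size` is undone by a plain assignment after the second decrypt, so if `check.decrypt(key)` raises, the module global stays at 1000000000 for every test that runs afterwards; wrap the block in `try: ... finally: jwe.default_max_compressed_size = defmax` or use `unittest.mock.patch.object(jwe, 'default_max_compressed_size', 1000000000)`. The 800 MB payload (`"u" * 400000000` twice) is also held in memory as str, bytes and ciphertext at once, which is heavy for CI; lowering the limit for the negative case, instead of only raising it for the positive one, would let a payload of a few MB exercise the same code path. Typo in the comment: "eraise" should be "raise".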
View it on GitLab: https://salsa.debian.org/freeipa-team/python-jwcrypto/-/compare/b9432ef46fc8ee90c813469440ea86b049916e52...ecde4efdc7c9364b53bd1b4232e97557d821abdf