ClearML/clearml-server
1
0
Fork 0
mirror of https://github.com/clearml/clearml-server synced 2025-05-07 21:44:39 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Bump PyJWT version due to "Key confusion through non-blocklisted public key formats" vulnerability

Browse Source
This commit is contained in:
allegroai 2022-05-25 16:50:19 +03:00
parent 08a7bc7c9f
commit 9b108740da
4 changed files with 27 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
apiserver/bll/auth/__init__.py
View File

@ -64,7 +64,7 @@ class AuthBLL:
feature_set="basic", feature_set="basic",
) )
return GetTokenResponse(token=token.decode("ascii")) return GetTokenResponse(token=token)
@staticmethod @staticmethod
def create_user(request: CreateUserRequest, call: APICall = None) -> str: def create_user(request: CreateUserRequest, call: APICall = None) -> str:

3
apiserver/bll/event/events_iterator.py
View File

@ -188,7 +188,7 @@ class Scroll(jsonmodels.models.Base):
key=config.get( key=config.get(
"services.events.events_retrieval.scroll_id_key", "1234567890" "services.events.events_retrieval.scroll_id_key", "1234567890"
), ),
).decode() )
@classmethod @classmethod
def from_scroll_id(cls, scroll_id: str): def from_scroll_id(cls, scroll_id: str):
@ -199,6 +199,7 @@ class Scroll(jsonmodels.models.Base):
key=config.get( key=config.get(
"services.events.events_retrieval.scroll_id_key", "1234567890" "services.events.events_retrieval.scroll_id_key", "1234567890"
), ),
algorithms=["HS256"],
) )
) )
except jwt.PyJWTError: except jwt.PyJWTError:

4
apiserver/requirements.txt
View File

@ -21,7 +21,7 @@ nested_dict>=1.61
packaging==20.3 packaging==20.3
psutil>=5.6.5 psutil>=5.6.5
pyhocon>=0.3.35 pyhocon>=0.3.35
pyjwt<2.0.0 pyjwt>=2.4.0
pymongo[srv]==3.12.0 pymongo[srv]==3.12.0
python-rapidjson>=0.6.3 python-rapidjson>=0.6.3
redis==3.5.3 redis==3.5.3
@ -31,4 +31,4 @@ requests>=2.13.0
semantic_version>=2.8.3,<3 semantic_version>=2.8.3,<3
six six
tqdm tqdm
validators>=0.12.4 validators>=0.12.4

35
apiserver/service_repo/auth/payload/token.py
View File

@ -9,22 +9,25 @@ from apiserver.database.model.auth import Role
from .auth_type import AuthType from .auth_type import AuthType
from .payload import Payload from .payload import Payload
token_secret = config.get('secure.auth.token_secret') token_secret = config.get("secure.auth.token_secret")
log = config.logger(__file__) log = config.logger(__file__)
class Token(Payload): class Token(Payload):
default_expiration_sec = config.get('apiserver.auth.default_expiration_sec') default_expiration_sec = config.get("apiserver.auth.default_expiration_sec")
def __init__(self, exp=None, iat=None, nbf=None, env=None, identity=None, entities=None, **_): def __init__(
self, exp=None, iat=None, nbf=None, env=None, identity=None, entities=None, **_
):
super(Token, self).__init__( super(Token, self).__init__(
AuthType.bearer_token, identity=identity, entities=entities) AuthType.bearer_token, identity=identity, entities=entities
)
self.exp = exp self.exp = exp
self.iat = iat self.iat = iat
self.nbf = nbf self.nbf = nbf
self._env = env or config.get('env', '<unknown>') self._env = env or config.get("env", "<unknown>")
@property @property
def env(self): def env(self):
@ -65,7 +68,12 @@ class Token(Payload):
@classmethod @classmethod
def decode(cls, encoded_token, verify=True): def decode(cls, encoded_token, verify=True):
return jwt.decode(encoded_token, token_secret, verify=verify) options = (
{"verify_signature": False, "verify_exp": True} if not verify else None
)
return jwt.decode(
encoded_token, token_secret, algorithms=["HS256"], options=options
)
@classmethod @classmethod
def from_encoded_token(cls, encoded_token, verify=True): def from_encoded_token(cls, encoded_token, verify=True):
@ -74,23 +82,24 @@ class Token(Payload):
token = Token.from_dict(decoded) token = Token.from_dict(decoded)
assert isinstance(token, Token) assert isinstance(token, Token)
if not token.identity: if not token.identity:
raise errors.unauthorized.InvalidToken('token missing identity') raise errors.unauthorized.InvalidToken("token missing identity")
return token return token
except Exception as e: except Exception as e:
raise errors.unauthorized.InvalidToken('failed parsing token, %s' % e.args[0]) raise errors.unauthorized.InvalidToken(
"failed parsing token, %s" % e.args[0]
)
@classmethod @classmethod
def create_encoded_token(cls, identity, expiration_sec=None, entities=None, **extra_payload): def create_encoded_token(
cls, identity, expiration_sec=None, entities=None, **extra_payload
):
if identity.role not in (Role.system,): if identity.role not in (Role.system,):
# limit expiration time for all roles but an internal service # limit expiration time for all roles but an internal service
expiration_sec = expiration_sec or cls.default_expiration_sec expiration_sec = expiration_sec or cls.default_expiration_sec
now = datetime.utcnow() now = datetime.utcnow()
token = cls( token = cls(identity=identity, entities=entities, iat=now)
identity=identity,
entities=entities,
iat=now)
if expiration_sec: if expiration_sec:
# add 'expiration' claim # add 'expiration' claim