Merge pull request #26 from eea/devel

[refs #109798] Fix security issues
eea · Sep 27, 2019 · 80053ee · 80053ee
2 parents 84f5221 + e6de2f4
commit 80053ee
Show file tree

Hide file tree

Showing 15 changed files with 49 additions and 41 deletions.
diff --git a/cache_registry/admin.py b/cache_registry/admin.py
@@ -1,5 +1,5 @@
-from flask.ext.admin import Admin
-from flask.ext.admin.contrib.sqla import ModelView
+from flask_admin import Admin
+from flask_admin.contrib.sqla import ModelView
 
 from cache_registry import models
 

diff --git a/cache_registry/api/__init__.py b/cache_registry/api/__init__.py
@@ -1,6 +1,6 @@
 # coding=utf-8
 from flask import Blueprint
-from flask.ext.script import Manager
+from flask_script import Manager
 
 from .candidate import *
 from .commands import *

diff --git a/cache_registry/app.py b/cache_registry/app.py
@@ -2,7 +2,7 @@
 
 import sys
 import flask
-from flask.ext.script import Manager
+from flask_script import Manager
 from cache_registry.models import db, db_manager
 from cache_registry.api import api, api_manager
 from cache_registry.misc import misc

diff --git a/cache_registry/mails.py b/cache_registry/mails.py
@@ -1,6 +1,6 @@
 import smtplib
 
-from flask.ext.mail import Mail, Message
+from flask_mail import Mail, Message
 from flask import current_app as app, render_template
 
 from cache_registry.models import (

diff --git a/cache_registry/manager.py b/cache_registry/manager.py
@@ -1,7 +1,7 @@
 import collections
 import pprint
 
-from flask.ext.script import Manager
+from flask_script import Manager
 
 from cache_registry.models import db, User, Undertaking
 from cache_registry.sync.fgases import eea_double_check_fgases

diff --git a/cache_registry/match.py b/cache_registry/match.py
@@ -4,7 +4,7 @@
 from fuzzywuzzy import fuzz
 
 from sqlalchemy import or_
-from flask.ext.script import Manager
+from flask_script import Manager
 from flask import current_app
 
 from cache_registry import models

diff --git a/cache_registry/misc/export.py b/cache_registry/misc/export.py
@@ -3,8 +3,9 @@
 from flask import Response
 from flask.views import MethodView
 
+from io import BytesIO
 from openpyxl import Workbook
-from openpyxl.writer.excel import save_virtual_workbook
+from tempfile import NamedTemporaryFile
 
 from cache_registry.api.undertaking import UndertakingListView
 from cache_registry.match import get_all_non_candidates
@@ -67,10 +68,12 @@ def get(self, domain, **kwargs):
             qs['represent_history'] = ', '.join([repr['name'] for repr in qs['represent_history']])
             values = [self.parse_column(qs, column) for column in self.COLUMNS]
             ws.append(values)
-        response = Response(save_virtual_workbook(wb), mimetype=MIME_TYPE)
-        response.headers.add('Content-Disposition',
-                             'attachment; filename=companies_list.xlsx')
-        return response
+        with NamedTemporaryFile() as tmp:
+            wb.save(tmp.name)
+            response = Response(BytesIO(tmp.read()), mimetype=MIME_TYPE)
+            response.headers.add('Content-Disposition',
+                                 'attachment; filename=companies_list.xlsx')
+            return response
 
 
 class UserListExport(MethodView):
@@ -96,10 +99,13 @@ def get(self, **kwargs):
                                   company.address.country.name, cp.first_name,
                                   cp.last_name, cp.email]
                         ws.append(values)
-        response = Response(save_virtual_workbook(wb), mimetype=MIME_TYPE)
-        response.headers.add('Content-Disposition',
-                             'attachment; filename=users_list.xlsx')
-        return response
+
+        with NamedTemporaryFile() as tmp:
+            wb.save(tmp.name)
+            response = Response(BytesIO(tmp.read()), mimetype=MIME_TYPE)
+            response.headers.add('Content-Disposition',
+                                 'attachment; filename=users_list.xlsx')
+            return response
 
 
 class UserListExportJSON(MethodView):

diff --git a/cache_registry/models.py b/cache_registry/models.py
@@ -10,9 +10,9 @@
 )
 from sqlalchemy.orm import relationship
 
-from flask.ext.sqlalchemy import BaseQuery
-from flask.ext.sqlalchemy import SQLAlchemy
-from flask.ext.script import Manager
+from flask_sqlalchemy import BaseQuery
+from flask_sqlalchemy import SQLAlchemy
+from flask_script import Manager
 from instance.settings import FGAS, ODS
 
 db = SQLAlchemy()

diff --git a/cache_registry/sync/__init__.py b/cache_registry/sync/__init__.py
@@ -1,4 +1,4 @@
-from flask.ext.script import Manager
+from flask_script import Manager
 
 sync_manager = Manager()
 

diff --git a/cache_registry/sync/undertakings.py b/cache_registry/sync/undertakings.py
@@ -107,6 +107,7 @@ def update_undertaking(data, check_passed=True):
         undertaking.address = addr
     else:
         parsers.update_obj(undertaking.address, address)
+    db.session.add(undertaking)
     UndertakingBusinessProfile.query.filter_by(undertaking=undertaking).delete()
     for business_profile in business_profiles['highLevelUses']:
         business_profile_object = BusinessProfile.query.filter_by(

diff --git a/requirements-dev.txt b/requirements-dev.txt
@@ -1,7 +1,7 @@
 -r requirements.txt
 
 Flask-WebTest==0.0.9
-pytest-cov==2.5.1
-coveralls==0.5
-factory-boy==2.4.1
+pytest-cov==2.7.1
+coveralls==1.8.2
+factory-boy==2.12.0
 ipdb
diff --git a/requirements-prod.txt b/requirements-prod.txt
@@ -1,4 +1,3 @@
 -r requirements.txt
-meld3==1.0.0
-raven==5.1.1
-gunicorn==19.6
+meld3==2.0.0
+gunicorn==19.9.0
diff --git a/requirements.txt b/requirements.txt
@@ -1,18 +1,18 @@
-blinker==1.3
-Flask==0.12.4
+blinker==1.4
+Flask==1.1.1
 Flask-Admin==1.5.3
 Flask-Mail==0.9.1
-Flask-SQLAlchemy==2.3.1
+Flask-SQLAlchemy==2.4.1
 Flask-Script==2.0.5
-alembic==0.9.5
-fuzzywuzzy==0.4.0
-itsdangerous==0.24
+alembic==1.2.1
+fuzzywuzzy==0.17.0
+itsdangerous==1.1.0
 Jinja2==2.10.1
-MarkupSafe==0.23
+MarkupSafe==1.1.1
 psycopg2-binary==2.8.3
-openpyxl==2.1.3
-python-Levenshtein==0.11.2
+openpyxl==3.0.0
+python-Levenshtein==0.12.0
 requests==2.22.0
-raven==5.1.1
-SQLAlchemy==1.1.15
-Werkzeug==0.15.6
+raven==6.10.0
+SQLAlchemy==1.3.8
+Werkzeug==0.16.0
diff --git a/testsuite/conftest.py b/testsuite/conftest.py
@@ -20,6 +20,8 @@
     'MANUAL_VERIFY_ALL_COMPANIES': [FGAS, ODS],
     'MAIL_SERVER': 'localhost',
     'MAIL_PORT': 25,
+    'SQLALCHEMY_DATABASE_URI': "sqlite:///:memory:",
+    'SQLALCHEMY_TRACK_MODIFICATIONS': False,
     'TESTING': True,
 }
 

diff --git a/testsuite/test_misc.py b/testsuite/test_misc.py
@@ -24,7 +24,7 @@ def test_export_companies(client):
         f.close()
     wb = load_workbook(fn)
     assert len(wb.worksheets) == 1
-    rows = wb.worksheets[0].rows
+    rows = [row for row in wb.worksheets[0].rows]
     assert len(rows) == 2
     assert rows[0][0].value == 'company_id'
     assert rows[1][0].value == undertaking.external_id
@@ -54,7 +54,7 @@ def test_export_companies_domain_filter(client):
         f.close()
     wb = load_workbook(fn)
     assert len(wb.worksheets) == 1
-    rows = wb.worksheets[0].rows
+    rows = [row for row in wb.worksheets[0].rows]
     assert len(rows) == 2
     assert rows[0][0].value == 'company_id'
     assert rows[1][0].value == undertaking.external_id
@@ -90,7 +90,7 @@ def test_user_list_export(client):
         f.close()
     wb = load_workbook(fn)
     assert len(wb.worksheets) == 1
-    rows = wb.worksheets[0].rows
+    rows =  [row for row in wb.worksheets[0].rows]
     assert rows[0][0].value == 'username'
     assert rows[1][0].value == user.username
     assert rows[0][1].value == 'companyname'