From f55e86f173b00536fba65463cb4441841de8434d Mon Sep 17 00:00:00 2001
From: S Anand
Date: Mon, 23 Oct 2023 18:14:24 +0800
Subject: [PATCH] FIX: Fix type error in CORS headers

I was using the set union operator | on 2 lists. Fixed it
---
 gramex/handlers/basehandler.py | 4 ++--
 reports/trivy.txt | 20 ++++++++++++--------
 2 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/gramex/handlers/basehandler.py b/gramex/handlers/basehandler.py
index c2495d39..2a52ce3a 100644
--- a/gramex/handlers/basehandler.py
+++ b/gramex/handlers/basehandler.py
@@ -241,7 +241,7 @@ def _cors_options(self, *args, **kwargs):
 # Check if headers is in cors.headers
 headers = self.request.headers.get('Access-Control-Request-Headers', '')
- headers = self.get_list(headers, 'headers', '', caps=False)
+ headers = self.get_list(headers, 'headers', '', caps=False))
 allowed_headers = {h.lower() for h in self._cors['headers']}
 diff = set()
 if '*' not in allowed_headers:
@@ -260,7 +260,7 @@ def _cors_options(self, *args, **kwargs):
 self._all_methods if '*' in self._cors['methods'] else ', '.join(self._cors['methods'])
 )
 self.set_header('Access-Control-Allow-Methods', methods)
- headers |= self._cors['headers']
+ headers = set(headers) | set(self._cors['headers'])
 if '*' in headers:
 headers.remove('*')
 headers.update(self._all_headers)
diff --git a/reports/trivy.txt b/reports/trivy.txt
index 50fbc5cb..dd07b4fc 100644
--- a/reports/trivy.txt
+++ b/reports/trivy.txt
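Review bot: The added line in the first hunk ends with two closing parentheses, `caps=False))`, against a single opening one, so as shown this line is a SyntaxError that would stop basehandler.py from importing at all. The removed line was balanced and the commit message describes only the `|` fix, so this looks like a stray keystroke (or a transcription artifact in this copy of the patch) rather than an intended change — confirm and restore `headers = self.get_list(headers, 'headers', '', caps=False)`. `_cors_options` starts before this hunk and continues past it.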
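Review bot: After `headers = set(headers) | set(self._cors['headers'])`, the `if '*' in headers:` test on the next line is satisfied by a client sending `Access-Control-Request-Headers: *` just as much as by the configured list, and it then widens the response to `self._all_headers`; whether that is reachable depends on the `diff` check between the two hunks (not visible here) rejecting such a request first. The methods line just above keys its wildcard on the configuration, `'*' in self._cors['methods']`, so the headers branch would be both safer and consistent as `if '*' in self._cors['headers']:` / `headers.discard('*')` / `headers.update(self._all_headers)`. Separately, `allowed_headers` is compared lower-cased in the first hunk but this union keeps both the request's and the config's spelling, so the emitted list can carry the same header name twice in different case — harmless for CORS, but worth lower-casing at the union. `_cors_options` starts before the first hunk and continues after this one.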
@@ -1,16 +1,20 @@ -gramener/gramex:1.93.1 (alpine 3.17.5) +gramener/gramex:1.93.2 (alpine 3.17.5) ====================================== Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0) Python (python-pkg) =================== -Total: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0) +Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 0, CRITICAL: 0) -┌─────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────┐ -│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │ -├─────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────┤ -│ cryptography (METADATA) │ GHSA-v8gr-m533-ghj9 │ LOW │ fixed │ 41.0.3 │ 41.0.4 │ Vulnerable OpenSSL included in cryptography wheels │ -│ │ │ │ │ │ │ https://github.com/advisories/GHSA-v8gr-m533-ghj9 │ -└─────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────┘ +┌─────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────┐ +│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │ +├─────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────┤ +│ cryptography (METADATA) │ GHSA-v8gr-m533-ghj9 │ LOW │ fixed │ 41.0.3 │ 41.0.4 │ Vulnerable OpenSSL included in cryptography wheels │ +│ │ │ │ │ │ │ https://github.com/advisories/GHSA-v8gr-m533-ghj9 │ +├─────────────────────────┼─────────────────────┼──────────┤ ├───────────────────┼────────────────┼─────────────────────────────────────────────────────┤ +│ urllib3 (METADATA) │ CVE-2023-43804 │ MEDIUM │ │ 1.26.16 │ 2.0.6, 1.26.17 │ 
`Cookie` HTTP header isn't stripped on cross-origin │ +│ │ │ │ │ │ │ redirects │ +│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-43804 │ +└─────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────┘