This repository has been archived by the owner on May 22, 2024. It is now read-only.

[Snyk: Low -Research] Directory Traversal (due 05/04/2021) #563

Closed
fec-jli opened this issue Feb 3, 2021 · 3 comments
@fec-jli
Contributor
fec-jli commented Feb 3, 2021

Updating this ticket from a Snyk issue to a research ticket because of how extensive it could be. Because Django on egres is 1.11.29 and we need to bump Django to 2.x or 3.x, we'll be upgrading Django 1-2 major versions for egregs / regulations-site / regulations-core / regulations-parser. Lots of possible complications.

Snyk notes

ref: https://app.snyk.io/vuln/SNYK-PYTHON-DJANGO-1066259

Vulnerable module: django
Introduced through: django@1.11.29, django-overextends@0.4.3 and others
Exploit maturity: No known exploit
Fixed in: 2.2.18, 3.0.12, 3.1.6

django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to Directory Traversal via the django.utils.archive.extract() function, which is used by startapp --template and startproject --template. This can happen via an archive with absolute paths or relative paths with dot segments.

Remediation: Upgrade django to version 2.2.18, 3.0.12, 3.1.6 or higher.

Completion Criteria

  • Researched and documented possible errors
  • Created a ticket to resolve any errors found during research
  • Resolve the Snyk warning (by doing the upgrade(s))
@fec-jli fec-jli added the labels "Needs refinement" and "Security: low Remediate within 90 days" on Feb 3, 2021
@JonellaCulmer JonellaCulmer added this to the Sprint 14.5 milestone on Feb 3, 2021
@lbeaufort lbeaufort changed the title from "snyk-Directory Traversal--LOW (due 05/04/2021)" to "[Snyk: Low] Directory Traversal (due 05/04/2021)" on Feb 11, 2021
@lbeaufort lbeaufort modified the milestones: Sprint 14.5 to Sprint 14.4 on Feb 11, 2021
@rfultz rfultz changed the title from "[Snyk: Low] Directory Traversal (due 05/04/2021)" to "[Snyk: Low -Research] Directory Traversal (due 05/04/2021)" on Apr 1, 2021
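The Snyk advisory quoted in the issue body says the traversal happens when `django.utils.archive.extract()` unpacks a template archive whose member names are absolute or contain `..` segments. The block below is an added example for this thread, not code from this repository or from Django: it shows the defensive check that closes that class of bug (resolve every member name under the target directory, reject the whole archive before anything is written if any member escapes) and runs it against a constructed in-memory tar with one legitimate member plus the two shapes the advisory names. All function names (`safe_target`, `extract_safely`, `classify_members`, `run_demo`) and the `/srv/app_template` path are assumptions made for the example.

```python
import io
import os
import shutil
import tarfile
import tempfile


class SuspiciousArchivePath(ValueError):
    """Raised when an archive member would land outside the extraction directory."""


def safe_target(to_path, member_name):
    """Resolve member_name under to_path and refuse anything that escapes it.

    Same class of check as the upstream fix (compare the resolved absolute
    path against the target directory); this implementation is the issue's
    added example, not Django's code.
    """
    target_dir = os.path.abspath(to_path)
    # os.path.join discards target_dir entirely when member_name is absolute,
    # and abspath collapses '..' segments, so both advisory cases surface here.
    candidate = os.path.abspath(os.path.join(target_dir, member_name))
    # commonpath avoids the '/srv/app' vs '/srv/app_backup' prefix trap that a
    # plain str.startswith comparison would fall into.
    if os.path.commonpath([target_dir, candidate]) != target_dir:
        raise SuspiciousArchivePath(f"archive member escapes target: {member_name!r}")
    return candidate


def is_safe_member(to_path, member_name):
    """Boolean form of safe_target, handy for scanning without extracting."""
    try:
        safe_target(to_path, member_name)
        return True
    except SuspiciousArchivePath:
        return False


def build_tar(members):
    """Constructed in-memory tar with caller-chosen member names (test fixture)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members:
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def extract_safely(tar_bytes, to_path):
    """Validate every member first, then extract regular files; return written paths.

    Validating up front means a hostile archive leaves nothing on disk at all,
    rather than a half-extracted tree. Links and device members are skipped;
    they need their own handling and are outside this example.
    """
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        members = tar.getmembers()
        destinations = [(m, safe_target(to_path, m.name)) for m in members]
        written = []
        for member, dest in destinations:
            if member.isdir():
                os.makedirs(dest, exist_ok=True)
            elif member.isfile():
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with open(dest, "wb") as f:
                    f.write(tar.extractfile(member).read())
                written.append(dest)
    return written


def classify_members(tar_bytes, to_path="/srv/app_template"):
    """Report, without touching disk, which member names would be rejected."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return [m.name for m in tar.getmembers() if not is_safe_member(to_path, m.name)]


# Constructed sample: one legitimate member and the two shapes the advisory names.
SAMPLE_TAR = build_tar([
    ("app/__init__.py", b""),
    ("/tmp/absolute.txt", b"escaped\n"),      # absolute path
    ("../../outside.txt", b"escaped\n"),      # relative path with dot segments
])


def run_demo():
    """Exercise both paths in a throwaway directory and return a summary."""
    workdir = tempfile.mkdtemp(prefix="safe_extract_")
    try:
        good = extract_safely(build_tar([("app/__init__.py", b"")]), workdir)
        try:
            extract_safely(SAMPLE_TAR, workdir)
            blocked = None
        except SuspiciousArchivePath as exc:
            blocked = str(exc)
        return {
            "written": [os.path.relpath(p, workdir) for p in good],
            "rejected": classify_members(SAMPLE_TAR),
            "blocked": blocked,
        }
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(run_demo())
```

The scan-only `classify_members` is the shape a reviewer would reach for when auditing a template archive before handing it to `startproject --template`; `extract_safely` is the shape the extraction path itself should take, rejecting the archive as a whole rather than member by member.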
@patphongs
Member

The following are incompatible with Django 2.2.18:

regcore 4.2.0 has requirement django<1.12,>=1.8, but you'll have django 2.2.18 which is incompatible.
networkx 2.5.1 has requirement decorator<5,>=4.3, but you'll have decorator 5.0.6 which is incompatible.
django-overextends 0.4.3 has requirement django<2.0,>=1.8, but you'll have django 2.2.18 which is incompatible.
regulations 8.4.2 has requirement django<1.12,>=1.8, but you'll have django 2.2.18 which is incompatible.

@patphongs
Member

Django patch in version 2.2.x

@patphongs
Member

This vulnerability is not an issue for us as there is no upload capability. Closing this issue.
