deps: update dependency jinja2 to v3.1.4 [security] #2742

Merged

@renovate-bot renovate-bot commented May 6, 2024

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| Jinja2 (changelog) | `==3.1.3` -> `==3.1.4` | age | adoption | passing | confidence |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-34064

The xmlattr filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, /, >, or =, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for the previous GHSA-h5c8-rqwp-cp95 CVE-2024-22195 only addressed spaces but not other characters.

Accepting keys as user input is now explicitly considered an unintended use case of the xmlattr filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting values as user input continues to be safe.


Release Notes

pallets/jinja (Jinja2)

v3.1.4

Compare Source

Released 2024-05-05

  • The xmlattr filter does not allow keys with / solidus, >
    greater-than sign, or = equals sign, in addition to disallowing spaces.
    Regardless of any validation done by Jinja, user input should never be used
    as keys to this filter, or must be separately validated first.
    :ghsa:h75v-3vvj-5mfj

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.
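
The advisory above says user-supplied keys must be validated separately before they reach `xmlattr`, whatever the Jinja version. One way to do that check, as an added example that is not part of this PR or of Jinja's code; the allowlist `ALLOWED_KEYS`, the `data-*` pattern and the function names are assumptions of this example, and the sample keys are constructed:

```python
import re

# Characters the advisory names as invalid in an attribute key:
# whitespace, "/", ">" and "=".
FORBIDDEN_IN_KEY = re.compile(r"[\s/>=]")

# Hypothetical application policy (an assumption of this example): only these
# keys, or data-* keys made of lowercase letters, digits and hyphens, may
# originate from user input.
ALLOWED_KEYS = frozenset({"id", "class", "title", "lang"})
DATA_KEY = re.compile(r"data-[a-z0-9]+(?:-[a-z0-9]+)*")


def key_problem(key):
    """Return a reason string if the key must be rejected, else None."""
    if not isinstance(key, str) or not key:
        return "key is not a non-empty string"
    match = FORBIDDEN_IN_KEY.search(key)
    if match:
        return f"forbidden character {match.group()!r} in key"
    if key not in ALLOWED_KEYS and not DATA_KEY.fullmatch(key):
        return "key is not on the allowlist"
    return None


def validated_attrs(user_attrs):
    """Return a copy of user_attrs whose keys passed validation.

    Raises ValueError naming every rejected key, so that nothing is
    silently dropped before the dict is handed to the xmlattr filter.
    """
    rejected = {}
    for key in user_attrs:
        problem = key_problem(key)
        if problem:
            rejected[key] = problem
    if rejected:
        raise ValueError(f"rejected attribute keys: {rejected}")
    return dict(user_attrs)


# Constructed sample keys, not taken from the page.
SAMPLES = ["class", "data-row-id", "a b", "a/b", "a>b", "a=b", "style"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r}: {key_problem(sample) or 'ok'}")
```

The allowlist rejects `style` even though it contains none of the forbidden characters; the character check alone only reproduces what the filter enforces from 3.1.4 on.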

@renovate-bot renovate-bot requested a review from a team as a code owner May 6, 2024 21:45
@trusted-contributions-gcf trusted-contributions-gcf bot added kokoro:force-run Add this label to force Kokoro to re-run the tests. owlbot:run Add this label to trigger the Owlbot post processor. labels May 6, 2024
@product-auto-label product-auto-label bot added the size: xs Pull request size is extra small. label May 6, 2024
@gcf-owl-bot gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label May 6, 2024
@renovate-bot renovate-bot force-pushed the renovate/pypi-Jinja2-vulnerability branch from 12c4a60 to b290e40 Compare May 14, 2024 12:46
@trusted-contributions-gcf trusted-contributions-gcf bot added the owlbot:run Add this label to trigger the Owlbot post processor. label May 14, 2024
@gcf-owl-bot gcf-owl-bot bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label May 14, 2024
@JoeWang1127

/gcbrun

Quality Gate Passed Quality Gate passed for 'gapic-generator-java-root'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

@JoeWang1127 JoeWang1127 enabled auto-merge (squash) May 14, 2024 12:56
Quality Gate Passed Quality Gate passed for 'java_showcase_integration_tests'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

@JoeWang1127 JoeWang1127 merged commit d67eaf8 into googleapis:main May 14, 2024
32 checks passed
@renovate-bot renovate-bot deleted the renovate/pypi-Jinja2-vulnerability branch May 14, 2024 13:04
JoeWang1127 added a commit that referenced this pull request May 16, 2024
🤖 I have created a release *beep* *boop*
---


<details><summary>2.40.1</summary>

##
[2.40.1](v2.40.0...v2.40.1)
(2024-05-15)


### Bug Fixes

* [common-protos] An existing method `UpdateVehicleLocation` is
([7f96074](7f96074))
* [common-protos] An existing method `UpdateVehicleLocation` is removed
from service `VehicleService`
([#2751](#2751))
([7f96074](7f96074))
* [iam] An existing method `UpdateVehicleLocation` is removed from
([4a1ae7b](4a1ae7b))
* [iam] An existing method `UpdateVehicleLocation` is removed from
service `VehicleService`
([#2752](#2752))
([4a1ae7b](4a1ae7b))
* do not populate repo level change while removing library
([#2740](#2740))
([43e62b9](43e62b9))
* only append `.api.grpc` suffix to group id if the artifact id starts
with `proto-` or `grpc-`
([#2731](#2731))
([8e87b2e](8e87b2e))
* opentelemetry-bom to be in third-party-dependencies BOM
([#2736](#2736))
([4ecc89b](4ecc89b))
* prepare to generate grafeas
([#2761](#2761))
([1114f18](1114f18))
* Replace deprecated protobuf methods.
([#2764](#2764))
([986c090](986c090))


### Dependencies

* update dependency black to v24.4.2
([#2660](#2660))
([1cbb681](1cbb681))
* update dependency com.fasterxml.jackson:jackson-bom to v2.17.1
([#2732](#2732))
([891b01d](891b01d))
* update dependency com.google.cloud:grpc-gcp to v1.6.0
([#2767](#2767))
([a39aa07](a39aa07))
* update dependency com.google.errorprone:error_prone_annotations to
v2.27.1
([#2708](#2708))
([4d7d246](4d7d246))
* update dependency com.google.errorprone:error_prone_annotations to
v2.27.1
([#2709](#2709))
([4e31d7d](4e31d7d))
* update dependency com.google.oauth-client:google-oauth-client-bom to
v1.36.0
([#2768](#2768))
([22b7398](22b7398))
* update dependency commons-codec:commons-codec to v1.17.0
([#2710](#2710))
([b87356c](b87356c))
* update dependency jinja2 to v3.1.4 [security]
([#2742](#2742))
([d67eaf8](d67eaf8))
* update dependency lxml to v5.2.2
([#2766](#2766))
([df7e211](df7e211))
* update dependency markupsafe to v2.1.5
([#2657](#2657))
([805baf8](805baf8))
* update dependency net.bytebuddy:byte-buddy to v1.14.15
([#2753](#2753))
([a472620](a472620))
* update dependency platformdirs to v4.2.1
([#2662](#2662))
([dbdcc91](dbdcc91))
* update googleapis/java-cloud-bom digest to db4265f
([#2755](#2755))
([908db6f](908db6f))
* update googleapis/java-cloud-bom digest to f3c611a
([#2700](#2700))
([d254e9b](d254e9b))
* update opentelemetry-java monorepo to v1.38.0
([#2769](#2769))
([0a5c7c4](0a5c7c4))
</details>

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
Co-authored-by: Joe Wang <[email protected]>
lqiu96 pushed a commit that referenced this pull request May 16, 2024
lqiu96 pushed a commit that referenced this pull request May 22, 2024
This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [Jinja2](https://togithub.com/pallets/jinja)
([changelog](https://jinja.palletsprojects.com/changes/)) | `==3.1.3` ->
`==3.1.4` |
[![age](https://developer.mend.io/api/mc/badges/age/pypi/Jinja2/3.1.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/pypi/Jinja2/3.1.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/pypi/Jinja2/3.1.3/3.1.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/Jinja2/3.1.3/3.1.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
> Dashboard for more information.

### GitHub Vulnerability Alerts

####
[CVE-2024-34064](https://togithub.com/pallets/jinja/security/advisories/GHSA-h75v-3vvj-5mfj)

The `xmlattr` filter in affected versions of Jinja accepts keys
containing non-attribute characters. XML/HTML attributes cannot contain
spaces, `/`, `>`, or `=`, as each would then be interpreted as starting
a separate attribute. If an application accepts keys (as opposed to only
values) as user input, and renders these in pages that other users see
as well, an attacker could use this to inject other attributes and
perform XSS. The fix for the previous GHSA-h5c8-rqwp-cp95 CVE-2024-22195
only addressed spaces but not other characters.

Accepting keys as user input is now explicitly considered an unintended
use case of the `xmlattr` filter, and code that does so without
otherwise validating the input should be flagged as insecure, regardless
of Jinja version. Accepting _values_ as user input continues to be safe.

---

### Release Notes

<details>
<summary>pallets/jinja (Jinja2)</summary>

###
[`v3.1.4`](https://togithub.com/pallets/jinja/blob/HEAD/CHANGES.rst#Version-314)

[Compare
Source](https://togithub.com/pallets/jinja/compare/3.1.3...3.1.4)

Released 2024-05-05

-   The `xmlattr` filter does not allow keys with `/` solidus, `>`
    greater-than sign, or `=` equals sign, in addition to disallowing
    spaces. Regardless of any validation done by Jinja, user input should
    never be used as keys to this filter, or must be separately validated
    first. :ghsa:`h75v-3vvj-5mfj`

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/googleapis/sdk-platform-java).

lqiu96 pushed a commit that referenced this pull request May 22, 2024