Upgrades bundled to 3.0.8

CHANGELOG.md

@@ -3,6 +3,32 @@
 CHANGELOG
 VINCE Coordination platform code
 
+Version 3.0.8 2024-10-14
+
+* Fixed a potential security issue with pickle DOS reported by @coldwaterq [coldwaterq](https://github.com/coldwaterq) as [CVE-2024-9953](https://www.cve.org/CVERecord?id=CVE-2024-9953) resolved in 3.0.8
+* Dependabot update recommendations: `django` 4.2.14 to 4.2.16
+* Fixed bug that interfered in certain circumstances with email sending functionality
+
+
+Version 3.0.7 2024-09-10
+
+* Dependabot update recommendations: `cryptography` 42.0.4 to 43.0.1
+* Made the activity section of the VINCE Track case page load async (Internal-767)
+* Set the owner field options on the VT case and ticket search page to change dynamically with the selected teams (Internal-754)
+* Resolved bug that prevented VT users from being able to reply to certain messages within VINCE Comm (Internal-700)
+* Removed condition preventing display of buttons for accessing the vendor association process on certain tickets (Internal-588)
+* Fixed bug that caused certain outgoing VINCE emails to contain bad links to case pages (Internal-770)
+* Added code to ensure emails from `settings.IGNORE_EMAILS_TO` (donotreply@) include prominent indication that replies will not be read (Internal-771)
+
+
+Version 3.0.6 2024-07-29
+
+* Fixed bug that interfered in certain circumstances with processing of contact associations (Internal-763)
+* Modified code to ensure that user verification emails only go to group admins and notification-only email addresses (Internal-765)
+* Adjusted redirect process after adding vul to a case so that the user lands on the case vul tab (Internal-766)
+* Amended code for autoassigning tickets from the ticket page so as to avoid redirect bug (Internal-761)
+
+
 Version 3.0.5 2024-07-17
 
 * Dependabot update recommendations: `urllib3` 1.26.18 to 1.26.19, `certifi` 2023.7.22 to 2024.7.4, `zipp` 3.10.1 to 1.19.1 `Django` 4.2.11 to 4.2.14

bigvince/settings_.py

@@ -54,7 +54,7 @@
 ROOT_DIR = environ.Path(__file__) - 3
 
 # any change that requires database migrations is a minor release
-VERSION = "3.0.5"
+VERSION = "3.0.8"
 
 # Quick-start development settings - unsuitable for production
 # See https://docs.djangoproject.com/en/2.1/howto/deployment/checklist/

requirements.txt

@@ -20,11 +20,11 @@ chardet==5.0.0
 charset-normalizer==2.1.1
 click==8.1.3
 colorama==0.4.4
-cryptography==42.0.4
+cryptography==43.0.1
 cvelib==1.3.0
 Deprecated==1.2.13
 dictdiffer==0.9.0
-Django==4.2.14
+Django==4.2.16
 django-appconf==1.0.5
 django-countries==7.4.2
 django-environ==0.9.0
@@ -42,7 +42,7 @@ fs-s3fs==1.1.1
 idna==3.7
 importlib-metadata==5.0.0
 importlib-resources==5.10.0
-install==1.3.5
+pip-install==1.3.5
 jmespath==1.0.1
 jsonschema==4.17.0
 kombu==5.2.4

vince/mailer.py

@@ -673,9 +673,16 @@ def send_templated_mail(
         .replace("\r", "")
     )
 
+    if sender == None:
+        sender = f"{settings.DEFAULT_VISIBLE_NAME} <{settings.DEFAULT_FROM_EMAIL}>"
+
     footer_file = os.path.join("vince-email", locale, "email_text_footer.txt")
 
-    text_part = from_string("%s{%% include '%s' %%}" % (t.plain_text, footer_file)).render(context)
+    if settings.DEFAULT_FROM_EMAIL in sender:
+        header = "=======================================================================\nTHIS IS AN AUTOMATED EMAIL.\nTHIS EMAIL IS SENT FROM AN ACCOUNT THAT IS NOT MONITORED.\nDO NOT REPLY TO THIS EMAIL, OR WE WILL BE UNABLE TO RESPOND.\n=======================================================================\n\n"
+        text_part = header + from_string("%s{%% include '%s' %%}" % (t.plain_text, footer_file)).render(context)
+    else:
+        text_part = from_string("%s{%% include '%s' %%}" % (t.plain_text, footer_file)).render(context)
 
     email_html_base_file = os.path.join("vince-email", locale, "email_html_inline.html")
     # keep new lines in html emails
@@ -708,9 +715,6 @@ def send_templated_mail(
     elif type(recipients) != list:
         recipients = [recipients]
 
-    if sender == None:
-        sender = f"{settings.DEFAULT_VISIBLE_NAME} <{settings.DEFAULT_FROM_EMAIL}>"
-
     # remove recipients who have bounced recently
     try:
         if bcc == None:
@@ -791,7 +795,9 @@ def send_templated_mail(
                         msg.attach(filename, content)
 
     logger.debug(
-        'Sending email using template {} with subject "{}" to {!r}'.format(template_name, subject_part, recipients)
+        'Sending email using template {} with subject "{}" from {} to {!r}'.format(
+            template_name, subject_part, sender, recipients
+        )
     )
 
     try:
@@ -1021,7 +1027,11 @@ def send_submitter_email_notification(contacts, ticket, subject, body, vtcr=None
 
     if vtcr:
         context["vrf"] = vtcr.vrf_id
-        context["caseurl"] = f"{settings.KB_SERVER_NAME}{vtcr.get_absolute_url()}"
+    try:
+        if vtcr.new_vuid:
+            context["caseurl"] = f"{settings.KB_SERVER_NAME}{vtcr.get_absolute_url()}"
+    except:
+        logger.debug("no new_vuid found")
 
     send_templated_mail("blank_body", context, contacts, html=False)
 
@@ -1040,6 +1050,10 @@ def send_regular_email_notification(contacts, subject, body):
     context["subject"] = subject
     context["signup_url"] = f"{settings.KB_SERVER_NAME}/vince/comm/signup/"
 
+    logger.debug(
+        f"send_regular_email_notification is running and settings.DEFAULT_REPLY_EMAIL is {settings.DEFAULT_REPLY_EMAIL}"
+    )
+
     send_templated_mail(
         "blank_body_no_sig", context, contacts, sender=settings.DEFAULT_REPLY_EMAIL, html=False, replyto=False
     )

vince/models.py

@@ -4082,44 +4082,32 @@ class UserSettings(models.Model):
     contacts_write = models.BooleanField(
         help_text=_('Does this user have permissions to add/edit VINCE contacts'),
         default=True)
+
+    #Mass unpickled has been removed for safety
 
     def _set_settings(self, data):
         # data should always be a Python dictionary.
+        sdata = {}
         if not isinstance(data,dict):
-            logger.warn("Non dictionary item sent to pickle %s" % str(data))
-            data = {}        
+            logger.warn("Non dictionary item sent to settings %s" % str(data))
         try:
-            import pickle
-        except ImportError:
-            import cPickle as pickle
-        from base64 import encodebytes as b64encode
-        self.settings_pickled = b64encode(pickle.dumps(data)).decode()
+            sdata = json.dumps(data)
+        except Exception as e:
+            logger.warn("Non JSON dictionary item sent to settings %s, error is %s" % str(data), e)
+        self.settings_pickled = sdata
 
     def _get_settings(self):
         # return a python dictionary representing the pickled data.
-        try:
-            import pickle
-        except ImportError:
-            import cPickle as pickle
-        class RestrictedUnpickler(pickle.Unpickler):
-            def find_class(self, module, name):
-                """ If find_class gets called then return error """
-                raise pickle.UnpicklingError("global '%s.%s' is forbidden" %
-                                             (module, name))
-        try:
-            from base64 import decodebytes as b64decode
-            if self.settings_pickled:
-                s = b64decode(self.settings_pickled.encode('utf-8'))
-                #replacement for pickle.loads()
-                return RestrictedUnpickler(io.BytesIO(s)).load()
-            else:
-                return {}
-        except (pickle.UnpicklingError, AttributeError) as e:
-            logger.warn("Error when trying to unpickle data %s " %(str(e)))
-            return {}
-        except Exception as e:
-            logger.warn("Generic error when trying to unpickle data %s " %(str(e)))
-            return {}
+        if self.settings_pickled:
+            try:
+                data = json.loads(self.settings_pickled)
+                if isinstance(data,dict):
+                    return data
+                else:
+                    logger.warn("Non dictionary item sent to settings %s" % str(data))
+            except Exception as e:
+                logger.warn("Generic error when trying to json parse data %s " %(str(e)))
+        return {}
 
     settings = property(_get_settings, _set_settings)
 
@@ -4640,4 +4628,4 @@ class VinceAlerts(models.Model):
         # or maybe something else
         blank=True,
         null=True,
-    )
+    )