Commit graph

16 commits

Author SHA1 Message Date
dependabot[bot]
cbbe67dcae
Merge pull request #159 from pinterest/dependabot/pip/cryptography-37.0.2 2022-05-17 18:57:29 +00:00
Jon Parise
68c5f14cd4
Remove dependency on six (#160)
We no longer need six now that we require Python 3.x.
2022-05-17 11:10:58 -07:00
dependabot[bot]
c491c621d2
Bump cryptography from 3.3.2 to 37.0.2
Bumps [cryptography](https://github.com/pyca/cryptography) from 3.3.2 to 37.0.2.
- [Release notes](https://github.com/pyca/cryptography/releases)
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/3.3.2...37.0.2)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-05-17 18:05:11 +00:00
dependabot[bot]
188f0f6779
Bump jinja2 from 2.10.1 to 2.11.3
Bumps [jinja2](https://github.com/pallets/jinja) from 2.10.1 to 2.11.3.
- [Release notes](https://github.com/pallets/jinja/releases)
- [Changelog](https://github.com/pallets/jinja/blob/master/CHANGES.rst)
- [Commits](https://github.com/pallets/jinja/compare/2.10.1...2.11.3)

Signed-off-by: dependabot[bot] <support@github.com>
2021-03-19 21:58:30 +00:00
dependabot[bot]
5dc2161a5d
Bump cryptography from 3.2 to 3.3.2
Bumps [cryptography](https://github.com/pyca/cryptography) from 3.2 to 3.3.2.
- [Release notes](https://github.com/pyca/cryptography/releases)
- [Changelog](https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/3.2...3.3.2)

Signed-off-by: dependabot[bot] <support@github.com>
2021-02-10 01:36:07 +00:00
dependabot[bot]
50ef7bef82
Bump cryptography from 2.3.1 to 3.2
Bumps [cryptography](https://github.com/pyca/cryptography) from 2.3.1 to 3.2.
- [Release notes](https://github.com/pyca/cryptography/releases)
- [Changelog](https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/2.3.1...3.2)

Signed-off-by: dependabot[bot] <support@github.com>
2020-10-27 21:00:15 +00:00
Jeremiah Lee
2af7037feb
Adds option for two-week timeout. (#120)
Also includes:

- Updated the versions in the requirements, as MarkupSafe did not install cleanly.
- Integration test that sets a password via the website, and then
verifies the timeout on the backend.
- Basic Makefile, updates to the docs to use the Makefile.

The requirements file was updated using pip freeze after I had updated the version of MarkupSafe. I don't know what the usual process is for this repo, so please let me know if I should use a different process there (that is why there are a few additions).
2020-05-08 11:43:54 -07:00
Samuel Dion-Girardeau
f377aa3ed2 Add support for Python 3.8 (#115)
* Remove Travis Python 3.7 hack

No longer necessary: 3.7 is supported out-of-the-box

* Add support for Python 3.8

And explicitly document in setup.py

* "Upgrade base Docker image to Python 3.8"a

* Add entry about py38 support in WIP changelog

* Explicitly declare python versions in setup.py

* Bump Werkzeug to 0.15.6

This is the latest 0.15 version. 0.16 might be incompatible

The fix we are looking for is in [0.15.5](http://werkzeug.palletsprojects.com/en/0.15.x/changes/#version-0-15-5):

> Fix a TypeError due to changes to ast.Module in Python 3.8.
2019-11-25 08:58:29 -08:00
dependabot[bot]
b3e1068c01
Bump werkzeug from 0.14.1 to 0.15.3
Bumps [werkzeug](https://github.com/pallets/werkzeug) from 0.14.1 to 0.15.3.
- [Release notes](https://github.com/pallets/werkzeug/releases)
- [Changelog](https://github.com/pallets/werkzeug/blob/master/CHANGES.rst)
- [Commits](https://github.com/pallets/werkzeug/compare/0.14.1...0.15.3)

Signed-off-by: dependabot[bot] <support@github.com>
2019-08-21 16:50:22 +00:00
Jon Parise
2aa7272a59
Upgrade to Jinja2 2.10.1 (#101)
This patch release fixes a security issue (CVE-2019-10906) involving
str.format_map.
2019-04-12 13:26:46 -07:00
Jon Parise
30db653f14 Upgrade to cryptography 2.3.1
This addresses CVE-2018-10903:

    A flaw was found in python-cryptography versions between >=1.9.0 and
    <2.3. The finalize_with_tag API did not enforce a minimum tag
    length. If a user did not validate the input length prior to passing
    it to finalize_with_tag an attacker could craft an invalid payload
    with a shortened tag (e.g. 1 byte) such that they would have a 1 in
    256 chance of passing the MAC check. GCM tag forgeries can cause key
    leakage.

... although snappass isn't affected because we doesn't use the
vulnerable `finalize_with_tag` API.
2018-10-31 09:39:18 -07:00
Samuel Dion-Girardeau
5981884cd2 Update all Python requirements to latest stable
All PyPI packages now have the latest version available.
2018-07-12 21:23:25 -04:00
Nicholas Charriere
75b6a6919f Make mock a requirement, not dev-requirement 2018-05-07 08:23:30 -07:00
Samuel Dion-Girardeau
dc6054f09c Encrypt passwords stored in Redis
Using symmetric encryption in the `cryptography`'s `Fernet` class,
we can ensure that no one can snoop the passwords simply by having access
to the Redis store.

An encryption key is sent to the secret receiver, along with the 32 character
Redis key that identifies the secret, which is needed to decrypt the password.
2017-05-11 21:28:22 -04:00
Samuel Dion-Girardeau
a8401434cb Bump flask to 0.11.1
One of the main advantages is the easy debug mode,
with autoreload capabilities.

Several other fixes & features:
http://flask.pocoo.org/docs/0.11/changelog/#version-0-11
2016-08-22 20:32:22 -04:00
Dave Dash
eefe2bdc76 Prepare snappass for distribution. 2013-10-05 23:10:50 -07:00