[AUTO-CHERRYPICK] python-werkzeug: Patch CVE-2024-34069 - branch main (#9118)

Co-authored-by: Jonathan Behrens <jbehrens@microsoft.com>
2024-05-28 09:57:50 -07:00 · 2024-05-28 09:57:50 -07:00 · 4c410bbcd1
--- a/SPECS/python-werkzeug/CVE-2024-34069.patch
+++ b/SPECS/python-werkzeug/CVE-2024-34069.patch
@ -0,0 +1,203 @@
+From 404082ffe6f1ef9541d01434aebb789363567df9 Mon Sep 17 00:00:00 2001
+From: David Lord <davidism@gmail.com>
+Date: Thu, 2 May 2024 11:55:52 -0700
+Subject: [PATCH 1/2] restrict debugger trusted hosts
+
+Add a list of `trusted_hosts` to the `DebuggedApplication` middleware. It defaults to only allowing `localhost`, `.localhost` subdomains, and `127.0.0.1`. `run_simple(use_debugger=True)` adds its `hostname` argument to the trusted list as well. The middleware can be used directly to further modify the trusted list in less common development scenarios.
+
+The debugger UI uses the full `document.location` instead of only `document.location.pathname`.
+
+Either of these fixes on their own mitigates the reported vulnerability.
+---
+ src/werkzeug/debug/__init__.py        | 10 ++++++++++
+ src/werkzeug/debug/shared/debugger.js |  4 ++--
+ src/werkzeug/serving.py               |  3 +++
+ 3 files changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/src/werkzeug/debug/__init__.py b/src/werkzeug/debug/__init__.py
+index 3b04b534..c5fffdec 100644
+--- a/src/werkzeug/debug/__init__.py
+++ b/src/werkzeug/debug/__init__.py
+@@ -297,6 +297,14 @@ class DebuggedApplication:
+         else:
+             self.pin = None
+ 
+        self.trusted_hosts: list[str] = [".localhost", "127.0.0.1"]
+        """List of domains to allow requests to the debugger from. A leading dot
+        allows all subdomains. This only allows ``".localhost"`` domains by
+        default.
+
+        .. versionadded:: 3.0.3
+        """
+
+     @property
+     def pin(self) -> str | None:
+         if not hasattr(self, "_pin"):
+@@ -505,6 +513,8 @@ class DebuggedApplication:
+         # form data!  Otherwise the application won't have access to that data
+         # any more!
+         request = Request(environ)
+        request.trusted_hosts = self.trusted_hosts
+        assert request.host  # will raise 400 error if not trusted
+         response = self.debug_application
+         if request.args.get("__debugger__") == "yes":
+             cmd = request.args.get("cmd")
+diff --git a/src/werkzeug/debug/shared/debugger.js b/src/werkzeug/debug/shared/debugger.js
+index f463e9c7..18c65834 100644
+--- a/src/werkzeug/debug/shared/debugger.js
+++ b/src/werkzeug/debug/shared/debugger.js
+@@ -48,7 +48,7 @@ function initPinBox() {
+       btn.disabled = true;
+ 
+       fetch(
+-        `${document.location.pathname}?__debugger__=yes&cmd=pinauth&pin=${pin}&s=${encodedSecret}`
+        `${document.location}?__debugger__=yes&cmd=pinauth&pin=${pin}&s=${encodedSecret}`
+       )
+         .then((res) => res.json())
+         .then(({auth, exhausted}) => {
+@@ -79,7 +79,7 @@ function promptForPin() {
+   if (!EVALEX_TRUSTED) {
+     const encodedSecret = encodeURIComponent(SECRET);
+     fetch(
+-      `${document.location.pathname}?__debugger__=yes&cmd=printpin&s=${encodedSecret}`
+      `${document.location}?__debugger__=yes&cmd=printpin&s=${encodedSecret}`
+     );
+     const pinPrompt = document.getElementsByClassName("pin-prompt")[0];
+     fadeIn(pinPrompt);
+diff --git a/src/werkzeug/serving.py b/src/werkzeug/serving.py
+index c031dc45..f940ca38 100644
+--- a/src/werkzeug/serving.py
+++ b/src/werkzeug/serving.py
+@@ -1066,6 +1066,9 @@ def run_simple(
+         from .debug import DebuggedApplication
+ 
+         application = DebuggedApplication(application, evalex=use_evalex)
+        # Allow the specified hostname to use the debugger, in addition to
+        # localhost domains.
+        application.trusted_hosts.append(hostname)
+ 
+     if not is_running_from_reloader():
+         fd = None
+-- 
+2.34.1
+
+
+From 813580c5d9c7b18d8df5cfe042034eba60f794f4 Mon Sep 17 00:00:00 2001
+From: David Lord <davidism@gmail.com>
+Date: Fri, 3 May 2024 14:49:43 -0700
+Subject: [PATCH 2/2] only require trusted host for evalex
+
+---
+ src/werkzeug/debug/__init__.py | 25 ++++++++++++++++++++-----
+ src/werkzeug/sansio/utils.py   |  2 +-
+ 2 files changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/src/werkzeug/debug/__init__.py b/src/werkzeug/debug/__init__.py
+index c5fffdec..c90d94d7 100644
+--- a/src/werkzeug/debug/__init__.py
+++ b/src/werkzeug/debug/__init__.py
+@@ -19,7 +19,9 @@ from zlib import adler32
+ 
+ from .._internal import _log
+ from ..exceptions import NotFound
+from ..exceptions import SecurityError
+ from ..http import parse_cookie
+from ..sansio.utils import host_is_trusted
+ from ..security import gen_salt
+ from ..utils import send_file
+ from ..wrappers.request import Request
+@@ -351,7 +353,7 @@ class DebuggedApplication:
+ 
+             is_trusted = bool(self.check_pin_trust(environ))
+             html = tb.render_debugger_html(
+-                evalex=self.evalex,
+                evalex=self.evalex and self.check_host_trust(environ),
+                 secret=self.secret,
+                 evalex_trusted=is_trusted,
+             )
+@@ -379,6 +381,9 @@ class DebuggedApplication:
+         frame: DebugFrameSummary | _ConsoleFrame,
+     ) -> Response:
+         """Execute a command in a console."""
+        if not self.check_host_trust(request.environ):
+            return SecurityError()  # type: ignore[return-value]
+
+         contexts = self.frame_contexts.get(id(frame), [])
+ 
+         with ExitStack() as exit_stack:
+@@ -389,6 +394,9 @@ class DebuggedApplication:
+ 
+     def display_console(self, request: Request) -> Response:
+         """Display a standalone shell."""
+        if not self.check_host_trust(request.environ):
+            return SecurityError()  # type: ignore[return-value]
+
+         if 0 not in self.frames:
+             if self.console_init_func is None:
+                 ns = {}
+@@ -441,12 +449,18 @@ class DebuggedApplication:
+             return None
+         return (time.time() - PIN_TIME) < ts
+ 
+    def check_host_trust(self, environ: WSGIEnvironment) -> bool:
+        return host_is_trusted(environ.get("HTTP_HOST"), self.trusted_hosts)
+
+     def _fail_pin_auth(self) -> None:
+         time.sleep(5.0 if self._failed_pin_auth > 5 else 0.5)
+         self._failed_pin_auth += 1
+ 
+     def pin_auth(self, request: Request) -> Response:
+         """Authenticates with the pin."""
+        if not self.check_host_trust(request.environ):
+            return SecurityError()  # type: ignore[return-value]
+
+         exhausted = False
+         auth = False
+         trust = self.check_pin_trust(request.environ)
+@@ -496,8 +510,11 @@ class DebuggedApplication:
+             rv.delete_cookie(self.pin_cookie_name)
+         return rv
+ 
+-    def log_pin_request(self) -> Response:
+    def log_pin_request(self, request: Request) -> Response:
+         """Log the pin if needed."""
+        if not self.check_host_trust(request.environ):
+            return SecurityError()  # type: ignore[return-value]
+
+         if self.pin_logging and self.pin is not None:
+             _log(
+                 "info", " * To enable the debugger you need to enter the security pin:"
+@@ -513,8 +530,6 @@ class DebuggedApplication:
+         # form data!  Otherwise the application won't have access to that data
+         # any more!
+         request = Request(environ)
+-        request.trusted_hosts = self.trusted_hosts
+-        assert request.host  # will raise 400 error if not trusted
+         response = self.debug_application
+         if request.args.get("__debugger__") == "yes":
+             cmd = request.args.get("cmd")
+@@ -526,7 +541,7 @@ class DebuggedApplication:
+             elif cmd == "pinauth" and secret == self.secret:
+                 response = self.pin_auth(request)  # type: ignore
+             elif cmd == "printpin" and secret == self.secret:
+-                response = self.log_pin_request()  # type: ignore
+                response = self.log_pin_request(request)  # type: ignore
+             elif (
+                 self.evalex
+                 and cmd is not None
+diff --git a/src/werkzeug/sansio/utils.py b/src/werkzeug/sansio/utils.py
+index 48ec1bfa..14fa0ac8 100644
+--- a/src/werkzeug/sansio/utils.py
+++ b/src/werkzeug/sansio/utils.py
+@@ -8,7 +8,7 @@ from ..exceptions import SecurityError
+ from ..urls import uri_to_iri
+ 
+ 
+-def host_is_trusted(hostname: str, trusted_list: t.Iterable[str]) -> bool:
+def host_is_trusted(hostname: str | None, trusted_list: t.Iterable[str]) -> bool:
+     """Check if a host matches a list of trusted names.
+ 
+     :param hostname: The name to check.
+-- 
+2.34.1
+
--- a/SPECS/python-werkzeug/python-werkzeug.spec
+++ b/SPECS/python-werkzeug/python-werkzeug.spec
@ -1,7 +1,7 @@
 Summary:        The Swiss Army knife of Python web development
 Name:           python-werkzeug
 Version:        2.3.7
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -18,6 +18,7 @@ Patch0:         0001-enable-tests-in-rpm-env.patch
 # and are excluded.
 Patch1:         0002-disable-stat-test.patch
 Patch2:         CVE-2023-46136.patch
+Patch3:         CVE-2024-34069.patch
 BuildArch:      noarch

 %description
@ -70,6 +71,9 @@ pip3 install -r requirements/tests.txt
 %license LICENSE.rst

 %changelog
+* Tue May 14 2024 Jonathan Behrens <jbehrens@microsoft.com> - 2.3.7-2
+- Patch CVE-2024-34069
+
 * Mon Nov 06 2023 Nick Samson <nisamson@microsoft.com> - 2.3.7-1
 - Upgraded to version 2.3.7
 - Migrated to pyproject build