From 94d5afa63761f63c4a9c56b4942ff29d92b22fce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9gis=20Behmo?=
Date: Mon, 22 Jan 2024 09:37:29 +0100
Subject: [PATCH 1/2] fix: security issues with jinja2 and pycryptodome
See: https://github.com/overhangio/tutor/security/dependabot/32 https://github.com/overhangio/tutor/security/dependabot/29
---
 requirements/base.txt | 4 ++--
 requirements/dev.txt | 4 ++--
 requirements/docs.txt | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/requirements/base.txt b/requirements/base.txt
index 53ea284..1526e68 100644
--- a/requirements/base.txt
+++ b/requirements/base.txt
@@ -20,7 +20,7 @@ google-auth==2.23.3
     # via kubernetes
 idna==3.4
     # via requests
-jinja2==3.1.2
+jinja2==3.1.3
     # via -r requirements/base.in
 kubernetes==28.1.0
     # via -r requirements/base.in
@@ -40,7 +40,7 @@ pyasn1==0.5.0
     # rsa
 pyasn1-modules==0.3.0
     # via google-auth
-pycryptodome==3.19.0
+pycryptodome==3.20.0
     # via -r requirements/base.in
 python-dateutil==2.8.2
     # via kubernetes
diff --git a/requirements/dev.txt b/requirements/dev.txt
index fd7ba3e..3515973 100644
--- a/requirements/dev.txt
+++ b/requirements/dev.txt
@@ -74,7 +74,7 @@ jeepney==0.8.0
     # via
     # keyring
     # secretstorage
-jinja2==3.1.2
+jinja2==3.1.3
     # via
     # -r requirements/base.txt
     # scriv
@@ -136,7 +136,7 @@ pyasn1-modules==0.3.0
     # google-auth
 pycparser==2.21
     # via cffi
-pycryptodome==3.19.0
+pycryptodome==3.20.0
     # via -r requirements/base.txt
 pygments==2.16.1
     # via
diff --git a/requirements/docs.txt b/requirements/docs.txt
index c4f5c6e..8acbfb5 100644
--- a/requirements/docs.txt
+++ b/requirements/docs.txt
@@ -44,7 +44,7 @@ imagesize==1.4.1
     # via sphinx
 importlib-metadata==6.8.0
     # via sphinx
-jinja2==3.1.2
+jinja2==3.1.3
     # via
     # -r requirements/base.txt
     # sphinx
@@ -76,7 +76,7 @@ pyasn1-modules==0.3.0
     # via
     # -r requirements/base.txt
     # google-auth
-pycryptodome==3.19.0
+pycryptodome==3.20.0
     # via -r requirements/base.txt
 pygments==2.16.1
     # via sphinx
From b832f519cab71795e4ef4a0fe6eb01adf8de2fe9 Mon Sep 17 00:00:00 2001
From: ravikhetani
Date: Mon, 22 Jan 2024 12:18:29 +0000
Subject: [PATCH 2/2] fix: correctly render .webp and .otf files in env
This partially addresses #985.
---------
Co-authored-by: Ravi Khetani
---
 changelog.d/20240118_155012_r.khetani.md | 1 +
 tutor/env.py | 12 +++++++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)
 create mode 100644 changelog.d/20240118_155012_r.khetani.md
diff --git a/changelog.d/20240118_155012_r.khetani.md b/changelog.d/20240118_155012_r.khetani.md
new file mode 100644
index 0000000..fdd4fa9
--- /dev/null
+++ b/changelog.d/20240118_155012_r.khetani.md
@@ -0,0 +1 @@
+[Improvement] Add `.webp` and. `.otf` extensions to list of binary extensions to ignore when rendering templates.
\ No newline at end of file
diff --git a/tutor/env.py b/tutor/env.py
index cccce94..5e668b8 100644
--- a/tutor/env.py
+++ b/tutor/env.py
@@ -15,7 +15,17 @@ from tutor.types import Config, ConfigValue
 TEMPLATES_ROOT = pkg_resources.resource_filename("tutor", "templates")
 VERSION_FILENAME = "version"
-BIN_FILE_EXTENSIONS = [".ico", ".jpg", ".patch", ".png", ".ttf", ".woff", ".woff2"]
+BIN_FILE_EXTENSIONS = [
+    ".ico",
+    ".jpg",
+    ".otf",
+    ".patch",
+    ".png",
+    ".ttf",
+    ".webp",
+    ".woff",
+    ".woff2",
+]
 JinjaFilter = t.Callable[..., t.Any]
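Review bot: The expanded `BIN_FILE_EXTENSIONS` list in tutor/env.py still has no comment stating what it gates, so its purpose is only recoverable from the changelog entry; I would put `# Template files with these extensions are treated as binary and are not rendered through Jinja (see #985).` directly above the assignment. The code that consults this list is outside the hunk, so two things should be confirmed there rather than here: whether the comparison is case-sensitive (an uppercase `.PNG` or `.JPG` template would presumably fall through to the renderer) and whether the constant is compared with `str.endswith`, in which case declaring it as a tuple would both make it immutable and let it be passed to `endswith` directly. Since any binary extension absent from this allow-list is fed through the template engine, an explicit comment also tells the next contributor that the fix for a corrupted output file is to extend this list, not to patch the renderer.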