chore(deps): update dependency flask-cors to v6 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
flask-cors	==4.0.0 -> ==6.0.0

GitHub Vulnerability Alerts

CVE-2024-1681

corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path. This vulnerability allows attackers to corrupt log files, potentially covering tracks of other attacks, confusing log post-processing tools, and forging log entries. The issue is due to improper output neutralization for logs.

CVE-2024-6221

A vulnerability in corydolphin/flask-cors version 4.0.1 allows the Access-Control-Allow-Private-Network CORS header to be set to true by default, without any configuration option. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions.

CVE-2024-6844

A vulnerability in corydolphin/flask-cors version 5.0.1 allows for inconsistent CORS matching due to the handling of the '+' character in URL paths. The request.path is passed through the unquote_plus function, which converts the '+' character to a space ' '. This behavior leads to incorrect path normalization, causing potential mismatches in CORS configuration. As a result, endpoints may not be matched correctly to their CORS settings, leading to unexpected CORS policy application. This can cause unauthorized cross-origin access or block valid requests, creating security vulnerabilities and usability issues.

CVE-2024-6866

corydolphin/flask-cors version 5.0.1 contains a vulnerability where the request path matching is case-insensitive due to the use of the try_match function, which is originally intended for matching hosts. This results in a mismatch because paths in URLs are case-sensitive, but the regex matching treats them as case-insensitive. This misconfiguration can lead to significant security vulnerabilities, allowing unauthorized origins to access paths meant to be restricted, resulting in data exposure and potential data leaks.

CVE-2024-6839

corydolphin/flask-cors version 5.0.1 contains an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more specific ones when matching paths, which can lead to less restrictive CORS policies being applied to sensitive endpoints. This mismatch in regex pattern priority allows unauthorized cross-origin access to sensitive data or functionality, potentially exposing confidential information and increasing the risk of unauthorized actions by malicious actors.

---

Release Notes

corydolphin/flask-cors (flask-cors)

v6.0.0

Compare Source

Breaking

Path specificity ordering has changed to improve specificity. This may break users who expected the previous incorrect ordering.

• [CVE-2024-6839] Sort Paths by Regex Specificity by @​adrianosela in #​391
• [CVE-2024-6844] Replace use of (urllib) unquote_plus with unquote by @​adrianosela in #​389

What's Changed

• [CVE-2024-6866] Case Sensitive Request Path Matching by @​adrianosela in #​390

Full Changelog: corydolphin/flask-cors@5.0.1...6.0.0

v5.0.1

Compare Source

What's Changed

This primarily changes packaging to use uv and a new release pipeline, along with some small documentation improvements

• [Docs] Fix links to documentation by @​coren-frankel in #​369
• Fix minor typos by @​kkirsche in #​371
• Migrate packaging and environment management to use uv by @​corydolphin in #​377
• Fix release pipeline by @​corydolphin in #​378
• Always use trusted publishing by @​corydolphin in #​379
• Workaround license publishing issue by @​corydolphin in #​380
• Fix packaging: missing source files by @​corydolphin in #​381

New Contributors

• @​coren-frankel made their first contribution in #​369
• @​kkirsche made their first contribution in #​371

Full Changelog: corydolphin/flask-cors@5.0.0...5.0.01

v5.0.0

Compare Source

What's Changed

• Breaking: Change default to disable private network access by @​corydolphin in #​368
  This effectively resolves GHSA-hxwh-jpp2-84pm https://osv.dev/vulnerability/PYSEC-2024-71

Full Changelog: corydolphin/flask-cors@4.0.2...5.0.0

v4.0.2

Compare Source

What's Changed

• Bump requests from 2.31.0 to 2.32.0 in /docs by @​dependabot in #​358
• Backwards Compatible Fix for CVE-2024-6221 by @​adrianosela in #​363
• Add unit tests for Private-Network by @​corydolphin in #​367

New Contributors

• @​dependabot made their first contribution in #​358
• @​adrianosela made their first contribution in #​363

Full Changelog: corydolphin/flask-cors@4.0.1...4.0.2

v4.0.1

Compare Source

Security

• Address CVE-2024-1681 which is a log injection vulnerability when the log level is set to debug by @​aneshujevic in #​351

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[webteam-app]

Demo

Jenkins

demos.haus

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 76.70%. Comparing base (8192c24) to head (20fb2d9).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1984   +/-   ##
=======================================
  Coverage   76.70%   76.70%           
=======================================
  Files          16       16           
  Lines        1588     1588           
=======================================
  Hits         1218     1218           
  Misses        370      370           

Flag	Coverage Δ
python	76.70% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.