Crypt-Server icon indicating copy to clipboard operation
Crypt-Server copied to clipboard
verified publisher icon grahamgilbert

Snyk fix f83e2319f63a812f2483f6c46f230f1a

Open tylerwhardy opened this issue 11 months ago • 2 comments

Security Fix PR

Snyk and manual analysis has created this pull request to fix 4 high-severity vulnerabilities found in the Dockerfile dependencies for this project. Keeping your Docker base image up to date ensures your application benefits from critical security patches and upstream improvements.

🔧 Changes made:

  • Updated base image from a vulnerable version to python:3.12-alpine, which is currently supported and stable.
  • Avoided using python:3.14-rc-alpine3.20 due to incompatibilities with native bindings, particularly with the cryptography package (which relies on Python C-ABI compatibility).

🛡️ Vulnerabilities addressed:

Severity Issue Snyk ID Score
High Resource Exhaustion SNYK-ALPINE316-EXPAT-6241145 614
High Improper Restriction of Recursive Entity References in DTDs (XML Entity Expansion) SNYK-ALPINE316-EXPAT-6446350 614
High Out-of-bounds Write SNYK-ALPINE316-NCURSES-5606597 614
High Out-of-Bounds SNYK-ALPINE316-SQLITE-6179509 614

📝 Additional Notes:

  • The cryptographic layer was preserved by staying on a stable Python 3.12 release, ensuring compatibility with the cryptography and cffi libraries.
    • Please note this is not the most recent build; however, this is the most recent image that allows pinned dependencies to work correctly still.

Please review and test this PR. If your application works as expected, we recommend merging it to ensure continued security hardening.

tylerwhardy avatar May 11 '25 15:05 tylerwhardy

Hi @tylerwhardy - this is failing CI, could you please take a look and get the tests passing before I can accept this.

grahamgilbert avatar May 15 '25 15:05 grahamgilbert

Hi @grahamgilbert . The problem appears to be a missing environmental variable from your CircleCI configuration. This appears to be the reason that other CICD pipes are failing.

Youll need to open Circle CI, click the Crypt-Server project > Environmental Variables > Add Environment Variable > NAME: FIELD_ENCRYPTION_KEY VALUE: where you generate a fernet key with this Python script: from cryptography.fernet import Fernet key = Fernet.generate_key() print(key.decode())

Since CircleCI runs in an isolated container, it does not appear to be possible to dynamically inject environment variables. This appears to pass tests under my CircleCI account after following the above steps: image

tylerwhardy avatar May 15 '25 18:05 tylerwhardy