From 34fc85940e0cae0e3bfc47fe28229466c9af3487 Mon Sep 17 00:00:00 2001 From: Francis Charette Migneault Date: Thu, 23 May 2024 17:30:21 -0400 Subject: [PATCH] update requests>=2.32 and docker>=7.1 (address CVE-2024-35195, closes #650, closes #651) --- CHANGES.rst | 8 +++----- requirements.txt | 8 ++------ 2 files changed, 5 insertions(+), 11 deletions(-) diff --git a/CHANGES.rst b/CHANGES.rst index 487cba50d..089198c63 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -41,13 +41,11 @@ Fixes: - Fix `CWL` ``Workflow`` resolution of step ``requirements`` from one of the `Weaver` application types (i.e.: ``builtin``, ``docker``, ``ESGF-CWT``, ``OGCAPI``, ``WPS1``) due to ``cwltool`` namespace adding a prefixed URI. -- Pin ``requests!=2.32`` to avoid issue with ``docker-py`` custom adapter not (yet) supporting it +- Pin ``requests>=2.32`` and ``docker>=7.1`` (Python Package) to address + `CVE-2024-35195 `_ to avoid inconsistent ``verify`` + option over multiple requests when using a session (relates to `psf/requests#6710 `_ and `docker/docker-py#3257 `_). - Pinning ``requests>=2.32.2`` *should* be applied when possible (when ``docker-py`` is released) to address - `CVE-2024-35195 `_. However, the corresponding ``verify=False`` - option affected by this CVE is not recommended for use in `Weaver`, and should be avoided entirely anyway. - Could affect *requests options* if the corresponding ``verify: false`` configuration was employed. .. _changes_5.3.0: diff --git a/requirements.txt b/requirements.txt index dda827ae9..14db157f9 100644 --- a/requirements.txt +++ b/requirements.txt 
@@ -33,7 +33,7 @@ cryptography # (https://github.com/common-workflow-language/common-workflow-language/issues/587) ### git+https://github.com/crim-ca/cwltool@docker-gpu#egg=cwltool cwltool==3.1.20230906142556 -docker +docker>=7.1 duration esgf-compute-api @ git+https://github.com/ESGF/esgf-compute-api.git@v2.3.7 # invalid 'zarr' requirement in 'geotiff' dependencies required by 'pywps' fail to install @@ -82,11 +82,7 @@ pytz pywps==4.6.0 pyyaml>=5.2 rdflib>=5 # pyup: ignore -# FIXME: temporary workaround -# 'requests=2.32' needed for CVE-2024-35195 -# (https://github.com/psf/requests/releases/tag/v2.32.0, https://github.com/psf/requests/pull/6710) -# however, https://github.com/docker/docker-py/pull/3257 not yet released, 'docker-py' broken by 'requests=2.32' change -requests!=2.32.* +requests>=2.32 requests_file ruamel.yaml>=0.16 # force use of later mistune (https://github.com/common-workflow-language/schema_salad/pull/619#issuecomment-1346025607)
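Review bot: in the CHANGES.rst hunk, the new entry pins `requests>=2.32` while the entry it replaces said `requests>=2.32.2` *should* be applied once docker-py is released; either the changelog should state `>=2.32.2` (matching the earlier target) or explain why `2.32.0`/`2.32.1` are now acceptable with `docker>=7.1`, since the removed requirements comment in the same patch calls `2.32` the release that broke docker-py. The sentence also chains two purposes ("to address CVE-2024-35195 ... to avoid inconsistent ``verify`` option"); suggest "to address `CVE-2024-35195`_ (inconsistent ``verify`` handling across requests made through a ``Session``; relates to psf/requests#6710 and docker/docker-py#3257)". The removed guidance that ``verify=False`` is not recommended in Weaver and that ``verify: false`` configurations were the affected case is useful to operators and is worth keeping as one sentence rather than dropping. Finally, the `CVE-2024-35195 `_`, `psf/requests#6710 `_` and `docker/docker-py#3257 `_` link targets appear empty as shown here; confirm the ``<url>`` part survives in the committed file or the rst will not render the links.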
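Review bot: in the first requirements.txt hunk, `docker>=7.1` carries no comment recording why 7.1 is the floor, unlike the FIXME block this same patch removes for requests, which cited the relevant PRs; suggest a line above it such as `# docker>=7.1 required for requests>=2.32 (docker/docker-py#3257)` so the bound is not relaxed later by a dependency-update tool without anyone noticing the coupling to the requests pin.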
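Review bot: in the second requirements.txt hunk, `requests>=2.32` still admits `2.32.0`, which the removed FIXME comment itself describes as the change that broke docker-py, and the removed changelog text in this patch named `requests>=2.32.2` as the intended target; suggest `requests>=2.32.2` unless `2.32.0` has been verified against `docker>=7.1`. The whole explanatory comment is deleted along with the workaround; keep a one-line note such as `# >=2.32 required for CVE-2024-35195 (psf/requests#6710)` next to the pin, in the same spirit as the `# pyup: ignore` annotation already used on the rdflib line, so a future bump or loosening of this line has the security reason in front of it.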