Remove Configobj as Dependency Due To Security Vulnerability and No Longer Maintained #589
Configobj has an identified security vulnerability and seems to be no longer maintained. Recommend removing configobj as a dependency so pyresample is not affected or limited in use because of this. It appears it is only used in one place, so I believe this should not be too difficult and I will look at doing it and creating a pull request. The _create_area method in area_config.py line 352 is the only place I see this is used.
Configobj has an open CVE, GHSA-c33w-24p9-8m24. All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function. There is an open issue in the GitHub repo along with a pull request for over a year with no movement. This package appears to be unmaintained and abandoned.
DiffSK/configobj#232
Thanks,
Aaron

Comments
Configobj is used for parsing all legacy format areas config files. The newer format uses YAML. It would be a major deprecation to remove support for the legacy format. That said, no new uses of pyresample should be using this older format (we don't use it in Satpy for example). Dropping support for the configobj format was my plan as part of pyresample 2.0, but I'm not sure what the timeline is for that release given my funding for that type of development has dried up. I'd be OK removing it as a hard requirement with plenty of deprecation warnings added.
I would be fine removing the legacy area definition support. I think we've had the YAML version already for so long that even without a deprecation cycle it should be pretty safe. If someone is still using them, I doubt they'd notice the deprecation messages anyway 😅
This is a good point. We could have a release or two with it non-functional or with the hard requirement removed. Then in 2.0 or maybe sooner we could remove the functionality entirely.
Is there any update on this? Can it be moved to an optional dependency?
I don't think anyone has worked towards this. If someone wants to make a PR where a
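The thread converges on demoting configobj from a hard requirement to an optional one, with deprecation warnings on the legacy code path, so that a vulnerable and unmaintained package is no longer pulled in by default. The following is an added illustration of that pattern; it is not pyresample's code. The function names, message text and the assumption that the legacy loader is the only user of configobj are hypothetical; `configobj.ConfigObj` accepting a list of lines is the real library's documented behaviour.

```python
"""Demote a hard dependency (configobj) to an optional, lazily imported one.

Hypothetical helper, not pyresample's own code.  It assumes the package
keeps a legacy-format area-config loader that is the only place the
optional parser is needed, and that the package metadata lists configobj
only under an extra (e.g. extras_require={"legacy-config": ["configobj"]}).
"""
import importlib
import importlib.util
import warnings

# Name of the optional dependency being demoted.
LEGACY_PARSER_MODULE = "configobj"

_DEPRECATION_MSG = (
    "The legacy (configobj) area configuration format is deprecated; "
    "convert the file to the YAML format. Support will be removed in a "
    "future release."
)
_MISSING_MSG = (
    "Reading legacy-format area configuration requires the optional "
    "'configobj' package, which is not installed. Install it with "
    "'pip install configobj' or convert the configuration to YAML."
)


def legacy_config_available(module_name=LEGACY_PARSER_MODULE):
    """Return True if the optional legacy parser can be imported.

    find_spec only locates the module; it does not execute it, so this
    check is safe to call at any time (e.g. to decide what to advertise
    in diagnostics or documentation).
    """
    return importlib.util.find_spec(module_name) is not None


def load_legacy_area_config(text, module_name=LEGACY_PARSER_MODULE):
    """Parse legacy-format area config text, emitting a DeprecationWarning.

    The parser is imported lazily inside the function, so importing this
    module (and therefore the package) never requires configobj.  A
    missing parser surfaces as an ImportError with an actionable message
    at the point of use, instead of a failure at package import time.
    The deprecation warning is emitted before the import so that users
    who do have configobj installed are still told the path is going away.
    """
    warnings.warn(_DEPRECATION_MSG, DeprecationWarning, stacklevel=2)
    try:
        parser = importlib.import_module(module_name)
    except ImportError as err:
        raise ImportError(_MISSING_MSG) from err
    # ConfigObj accepts a list of lines as its input.
    return parser.ConfigObj(text.splitlines())


if __name__ == "__main__":
    # Constructed sample in the legacy section/key style; the exact keys
    # are illustrative only.
    sample = "[REGION: demo]\nNAME: Demo area\n"
    print("legacy parser available:", legacy_config_available())
    try:
        print(load_legacy_area_config(sample))
    except ImportError as exc:
        print("legacy format unavailable:", exc)
```

Only the legacy loader ever touches the optional module, so the ReDoS-prone `validate` path is reachable solely by callers who opt in, and every such call is flagged by the DeprecationWarning until the loader is removed.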