Bump pyo3 from 0.13.2 to 0.17.1 in /src/rust #81

dependabot · 2022-08-29T09:21:42Z

Bumps pyo3 from 0.13.2 to 0.17.1.

Release notes

PyO3 0.17.1

This release contains some minor bug fixes for PyO3 0.17.0. In particular the new PyDictItems, PyDictKeys and PyDictValues types are actually accessible!

Thanks to @davidhewitt, @messense and @PrettyWood for the fixes.

PyO3 0.17.0

This release contains a focus on quality improvements over the PyO3 0.16 releases.

There have been new API types added such as PyDictKeys, PyDictValues, PyDictItems, PyCode, PyFrame, and PySuper. The PyMapping and PySequence types have changed so they are more directly compatible with the corresponding Python Mapping and Sequence base classes in the collections.abc module (this is a breaking change).

A new #[pyclass(frozen)] option has been added to opt-out of runtime borrow checking by removing the ability to access &mut self for objects owned by Python.

There have been a number of soundness fixes, both to the PyCapsule type (see the CHANGELOG for more details) and to a number of FFI bindings which had fallen out of sync with newer Python and PyPy releases.

There have been numerous other smaller improvements, changes and fixes. For full details see the CHANGELOG.

Please consult the migration guide for help upgrading.

Thank you to everyone who contributed code, documentation, design ideas, bug reports, and feedback. The following users' commits are included in this release:

@acshi @aganders3 @alex @birkenfeld @cjermain @Cryptex-github @cuishuang @davidhewitt @drewkett @dswij @herquan @hoodmane @ikrivosheev @indygreg @jeertmans @jinlow @jonaspleyer @kngwyu @mejrs @messense @n8henrie @PigeonF @PWhiddy @ravenexp @savente93 @yankun1992 @yodaldevoid

PyO3 0.16.6

This release is a tactical set of soundness fixes identified for the PyCapsule bindings released in PyO3 0.16. To avoid breaking API changes capsules created with PyCapsule::new and PyCapsule::new_with_destructor will now leak their contents (and not call the destructor) if released on a thread other than the one they were created.

... (truncated)

Changelog

Sourced from pyo3's changelog.

[0.17.1] - 2022-08-28

Fixed

Fix visibility of PyDictItems, PyDictKeys, and PyDictValues types added in PyO3 0.17.0.

Fix compile failure when using #[pyo3(from_py_with = "...")] attribute on an argument of type Option<T>. #2592

Fix clippy redundant-closure lint on **kwargs arguments for #[pyfunction] and #[pymethods]. #2595

[0.17.0] - 2022-08-23

Packaging

Update inventory dependency to 0.3 (the multiple-pymethods feature now requires Rust 1.62 for correctness). #2492

Added

Add timezone_utc. #1588

Implement ToPyObject for [T; N]. #2313

Add PyDictKeys, PyDictValues and PyDictItems Rust types. #2358

Add append_to_inittab. #2377

Add FFI definition PyFrame_GetCode. #2406

Add PyCode and PyFrame high level objects. #2408

Add FFI definitions Py_fstring_input, sendfunc, and _PyErr_StackItem. #2423

Add PyDateTime::new_with_fold, PyTime::new_with_fold, PyTime::get_fold, and PyDateTime::get_fold for PyPy. #2428

Accept #[pyo3(name)] on enum variants. #2457

Add CompareOp::matches to implement __richcmp__ as the result of a Rust std::cmp::Ordering comparison. #2460

Add PySuper type. #2486

Support PyPy on Windows with the generate-import-lib feature. #2506

Add FFI definitions Py_EnterRecursiveCall and Py_LeaveRecursiveCall. #2511

Add PyDict::get_item_with_error. #2536

Add #[pyclass(sequence)] option. #2567

Changed

Change datetime constructors taking a tzinfo to take Option<&PyTzInfo> instead of Option<&PyObject>: PyDateTime::new, PyDateTime::new_with_fold, PyTime::new, and PyTime::new_with_fold. #1588

Move PyTypeObject::type_object method to the PyTypeInfo trait, and deprecate the PyTypeObject trait. #2287

Methods of Py and PyAny now accept impl IntoPy<Py<PyString>> rather than just &str to allow use of the intern! macro. #2312

Change the deprecated pyproto feature to be opt-in instead of opt-out. #2322

Emit better error messages when #[pyfunction] return types do not implement IntoPy. #2326

Require T: IntoPy for impl<T, const N: usize> IntoPy<PyObject> for [T; N] instead of T: ToPyObject. #2326

Deprecate the ToBorrowedObject trait. #2333

Iterators over PySet and PyDict will now panic if the underlying collection is mutated during the iteration. #2380

Iterators over PySet and PyDict will now panic if the underlying collection is mutated during the iteration. #2380

Allow #[classattr] methods to be fallible. #2385

Prevent multiple #[pymethods] with the same name for a single #[pyclass]. #2399

Fixup lib_name when using PYO3_CONFIG_FILE. #2404

Add a message to the ValueError raised by the #[derive(FromPyObject)] implementation for a tuple struct. #2414

Allow #[classattr] methods to take Python argument. #2456

Rework PyCapsule type to resolve soundness issues: #2485

PyCapsule::new and PyCapsule::new_with_destructor now take name: Option<CString> instead of &CStr.

... (truncated)

Commits

caaf7bb release: 0.17.1
511303a Merge pull request #2599 from davidhewitt/no-main-gh-pages
3e15bb9 gh-pages: stop building guide for main
9e9e913 Merge pull request #2595 from davidhewitt/kwargs-clippy
058af11 pyfunction: fix clippy lint on **kwargs argument
73c8532 Merge pull request #2592 from davidhewitt/issue-2280
9d543b3 pyfunction: fix from_py_with on Option<T> argument
f927cdb Merge pull request #2558 from mejrs/cargo
611ecc1 fix: export new dict views types (#2590)
c28e919 Merge pull request #2589 from davidhewitt/netlify-redirects
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [pyo3](https://github.com/pyo3/pyo3) from 0.13.2 to 0.17.1. - [Release notes](https://github.com/pyo3/pyo3/releases) - [Changelog](https://github.com/PyO3/pyo3/blob/main/CHANGELOG.md) - [Commits](PyO3/pyo3@v0.13.2...v0.17.1) --- updated-dependencies: - dependency-name: pyo3 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

guardrails · 2022-08-29T09:23:13Z

⚠️ We detected 55 security issues in this pull request:

Mode: paranoid | Total findings: 55 | Considered vulnerability: 55

Insecure Use of Dangerous Function (4)

Docs

Details

💡

Title: Buffer overflow, Severity: Critical

cryptography/src/_cffi_src/openssl/src/osrandom_engine.c

Line 532 in 6410900

strcpy((char *)p, name);

💡

Title: Buffer overflow, Severity: Critical

cryptography/src/_cffi_src/openssl/src/osrandom_engine.c

Line 334 in 6410900

char dest[1];

💡

Title: Buffer overflow, Severity: Critical

cryptography/src/_cffi_src/openssl/src/osrandom_engine.c

Line 210 in 6410900

n = (int)read(fd, buffer, (size_t)size);

💡

Title: Buffer overflow, Severity: Critical

cryptography/src/_cffi_src/openssl/src/osrandom_engine.c

Line 522 in 6410900

len = strlen(name);

More info on how to fix Insecure Use of Dangerous Function in C/C++.

Insecure Access Control (1)

Docs

Details

💡

Title: Use of dangerous functions, Severity: Critical

cryptography/src/_cffi_src/openssl/src/osrandom_engine.c

Line 106 in 6410900

int fd = open(path, open_flags);

More info on how to fix Insecure Access Control in C/C++.

Hard-Coded Secrets (50)

Docs

Details

💡

Title: Twilio API Key, Severity: Medium

cryptography/vectors/cryptography_vectors/asymmetric/DH/dhkey_rfc5114_2.txt

Line 4 in 6410900

    
           G = AC4032EF4F2D9AE39DF30B5C8FFDAC506CDEBE7B89998CAF74866A08CFE4FFE3A6824A4E10B9A6F0DD921F01A70C4AFAAB739D7700C29F52C57DB17C620A8652BE5E9001A8D66AD7C17669101999024AF4D027275AC1348BB8A762D0521BC98AE247150422EA1ED409939D54DA7460CDB5F6C6B250717CBEF180EB34118E98D119529A45D6F834566E3025E316A330EFBB77A86F0C1AB15B051AE3D428C8F8ACB70A8137150B8EEB10E183EDD19963DDD9E263E4770589EF6AA21E7F5F2FF381B539CCE3409D13CD566AFBB48D6C019181E1BCFE94B30269EDFE72FE9B6AA4BD7B5A0F1C71CFFF4C19C418E1F6EC017981BC087F2A7065B384B890D3191F2BFA

💡

Title: Twilio API Key, Severity: Medium

cryptography/vectors/cryptography_vectors/asymmetric/DSA/FIPS_186-2/KeyPair.rsp

Line 21 in 6410900

X = AC5862F9B6CD0B2E68B8784199A9883A94C10079

💡

Title: Twilio API Key, Severity: Medium

cryptography/vectors/cryptography_vectors/asymmetric/DH/RFC5114.txt

Line 21 in 6410900

    
           G = AC4032EF4F2D9AE39DF30B5C8FFDAC506CDEBE7B89998CAF74866A08CFE4FFE3A6824A4E10B9A6F0DD921F01A70C4AFAAB739D7700C29F52C57DB17C620A8652BE5E9001A8D66AD7C17669101999024AF4D027275AC1348BB8A762D0521BC98AE247150422EA1ED409939D54DA7460CDB5F6C6B250717CBEF180EB34118E98D119529A45D6F834566E3025E316A330EFBB77A86F0C1AB15B051AE3D428C8F8ACB70A8137150B8EEB10E183EDD19963DDD9E263E4770589EF6AA21E7F5F2FF381B539CCE3409D13CD566AFBB48D6C019181E1BCFE94B30269EDFE72FE9B6AA4BD7B5A0F1C71CFFF4C19C418E1F6EC017981BC087F2A7065B384B890D3191F2BFA

💡