Bump pyo3 from 0.13.2 to 0.17.2 in /src/rust #87

dependabot · 2022-10-04T09:45:15Z

Bumps pyo3 from 0.13.2 to 0.17.2.

Release notes

PyO3 0.17.2

This release contains non-breaking improvements and bugfixes over PyO3 0.17.1.

A new chrono feature has been added to support converting from types in chrono to types in the Python datetime module. The num-bigint feature has been expanded to add support to PyPy.

There has also been fixes for a couple of regressions observed in PyO3 0.17.

Thank you to the following users for the improvements:

@adamreichold @AdilZouitine @davidhewitt @messense @mrob95 @Oppen @prehner @Psykopear @ryanrussell @smheidrich @SquidDev

PyO3 0.17.1

This release contains some minor bug fixes for PyO3 0.17.0. In particular the new PyDictItems, PyDictKeys and PyDictValues types are actually accessible!

Thanks to @davidhewitt, @messense and @PrettyWood for the fixes.

PyO3 0.17.0

This release contains a focus on quality improvements over the PyO3 0.16 releases.

There have been new API types added such as PyDictKeys, PyDictValues, PyDictItems, PyCode, PyFrame, and PySuper. The PyMapping and PySequence types have changed so they are more directly compatible with the corresponding Python Mapping and Sequence base classes in the collections.abc module (this is a breaking change).

A new #[pyclass(frozen)] option has been added to opt-out of runtime borrow checking by removing the ability to access &mut self for objects owned by Python.

There have been a number of soundness fixes, both to the PyCapsule type (see the CHANGELOG for more details) and to a number of FFI bindings which had fallen out of sync with newer Python and PyPy releases.

There have been numerous other smaller improvements, changes and fixes. For full details see the CHANGELOG.

Please consult the migration guide for help upgrading.

Thank you to everyone who contributed code, documentation, design ideas, bug reports, and feedback. The following users' commits are included in this release:

@acshi @aganders3 @alex @birkenfeld @cjermain @Cryptex-github @cuishuang @davidhewitt @drewkett

... (truncated)

Changelog

Sourced from pyo3's changelog.

[0.17.2] - 2022-10-04

Packaging

Added optional chrono feature to convert chrono types into types in the datetime module. #2612

Added

Add support for num-bigint feature on PyPy. #2626

Fixed

Correctly implement __richcmp__ for enums, fixing __ne__ returning always returning True. #2622

Fix compile error since 0.17.0 with Option<&SomePyClass> argument with a default. #2630

Fix regression of impl FromPyObject for Vec<T> no longer accepting types passing PySequence_Check, e.g. NumPy arrays, since 0.17.0. #2631

[0.17.1] - 2022-08-28

Fixed

Fix visibility of PyDictItems, PyDictKeys, and PyDictValues types added in PyO3 0.17.0.

Fix compile failure when using #[pyo3(from_py_with = "...")] attribute on an argument of type Option<T>. #2592

Fix clippy redundant-closure lint on **kwargs arguments for #[pyfunction] and #[pymethods]. #2595

[0.17.0] - 2022-08-23

Packaging

Update inventory dependency to 0.3 (the multiple-pymethods feature now requires Rust 1.62 for correctness). #2492

Added

Add timezone_utc. #1588

Implement ToPyObject for [T; N]. #2313

Add PyDictKeys, PyDictValues and PyDictItems Rust types. #2358

Add append_to_inittab. #2377

Add FFI definition PyFrame_GetCode. #2406

Add PyCode and PyFrame high level objects. #2408

Add FFI definitions Py_fstring_input, sendfunc, and _PyErr_StackItem. #2423

Add PyDateTime::new_with_fold, PyTime::new_with_fold, PyTime::get_fold, and PyDateTime::get_fold for PyPy. #2428

Accept #[pyo3(name)] on enum variants. #2457

Add CompareOp::matches to implement __richcmp__ as the result of a Rust std::cmp::Ordering comparison. #2460

Add PySuper type. #2486

Support PyPy on Windows with the generate-import-lib feature. #2506

Add FFI definitions Py_EnterRecursiveCall and Py_LeaveRecursiveCall. #2511

Add PyDict::get_item_with_error. #2536

Add #[pyclass(sequence)] option. #2567

Changed

... (truncated)

Commits

067f564 release: 0.17.2
a549c55 guide: doctest function/ subpages
2708270 docs: note that #[pymodule] will create hidden module, like #[pyfunction]
470acbb Improve PyLong/PyFloat doc links to PyAny::extract
023d7fe Fix links to ToPyObject in types docs
de980c7 docs: fixed typo in error_handling.md
faf1f0e Document needing resolve-config for pyo3 cfgs
9b42daa Fix pyo3-build-config version in docs
fa6e199 Add git repository and edit urls to user guide (#2635)
5adccb2 fixup 1.64
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [pyo3](https://github.com/pyo3/pyo3) from 0.13.2 to 0.17.2. - [Release notes](https://github.com/pyo3/pyo3/releases) - [Changelog](https://github.com/PyO3/pyo3/blob/main/CHANGELOG.md) - [Commits](PyO3/pyo3@v0.13.2...v0.17.2) --- updated-dependencies: - dependency-name: pyo3 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

guardrails · 2022-10-04T09:46:36Z

⚠️ We detected 55 security issues in this pull request:

Mode: paranoid | Total findings: 55 | Considered vulnerability: 55

Insecure Use of Dangerous Function (4)

Docs

Details

💡

Title: Buffer overflow, Severity: Critical

cryptography/src/_cffi_src/openssl/src/osrandom_engine.c

Line 532 in 6c8255d

strcpy((char *)p, name);

💡

Title: Buffer overflow, Severity: Critical

cryptography/src/_cffi_src/openssl/src/osrandom_engine.c

Line 334 in 6c8255d

char dest[1];

💡

Title: Buffer overflow, Severity: Critical

cryptography/src/_cffi_src/openssl/src/osrandom_engine.c

Line 210 in 6c8255d

n = (int)read(fd, buffer, (size_t)size);

💡

Title: Buffer overflow, Severity: Critical

cryptography/src/_cffi_src/openssl/src/osrandom_engine.c

Line 522 in 6c8255d

len = strlen(name);

More info on how to fix Insecure Use of Dangerous Function in C/C++.

Insecure Access Control (1)

Docs

Details

💡

Title: Use of dangerous functions, Severity: Critical

cryptography/src/_cffi_src/openssl/src/osrandom_engine.c

Line 106 in 6c8255d

int fd = open(path, open_flags);

More info on how to fix Insecure Access Control in C/C++.

Hard-Coded Secrets (50)

Docs

Details

💡

Title: Twilio API Key, Severity: Medium

cryptography/vectors/cryptography_vectors/asymmetric/DH/dhkey_rfc5114_2.txt

Line 4 in 6c8255d

    
           G = AC4032EF4F2D9AE39DF30B5C8FFDAC506CDEBE7B89998CAF74866A08CFE4FFE3A6824A4E10B9A6F0DD921F01A70C4AFAAB739D7700C29F52C57DB17C620A8652BE5E9001A8D66AD7C17669101999024AF4D027275AC1348BB8A762D0521BC98AE247150422EA1ED409939D54DA7460CDB5F6C6B250717CBEF180EB34118E98D119529A45D6F834566E3025E316A330EFBB77A86F0C1AB15B051AE3D428C8F8ACB70A8137150B8EEB10E183EDD19963DDD9E263E4770589EF6AA21E7F5F2FF381B539CCE3409D13CD566AFBB48D6C019181E1BCFE94B30269EDFE72FE9B6AA4BD7B5A0F1C71CFFF4C19C418E1F6EC017981BC087F2A7065B384B890D3191F2BFA

💡

Title: Twilio API Key, Severity: Medium

cryptography/vectors/cryptography_vectors/asymmetric/DSA/FIPS_186-2/KeyPair.rsp

Line 21 in 6c8255d

X = AC5862F9B6CD0B2E68B8784199A9883A94C10079

💡

Title: Twilio API Key, Severity: Medium

cryptography/vectors/cryptography_vectors/asymmetric/DH/RFC5114.txt

Line 21 in 6c8255d

    
           G = AC4032EF4F2D9AE39DF30B5C8FFDAC506CDEBE7B89998CAF74866A08CFE4FFE3A6824A4E10B9A6F0DD921F01A70C4AFAAB739D7700C29F52C57DB17C620A8652BE5E9001A8D66AD7C17669101999024AF4D027275AC1348BB8A762D0521BC98AE247150422EA1ED409939D54DA7460CDB5F6C6B250717CBEF180EB34118E98D119529A45D6F834566E3025E316A330EFBB77A86F0C1AB15B051AE3D428C8F8ACB70A8137150B8EEB10E183EDD19963DDD9E263E4770589EF6AA21E7F5F2FF381B539CCE3409D13CD566AFBB48D6C019181E1BCFE94B30269EDFE72FE9B6AA4BD7B5A0F1C71CFFF4C19C418E1F6EC017981BC087F2A7065B384B890D3191F2BFA

💡