Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[High Priority] Fix Snyk vulnerability: Upgrade celery, vine, click #5088

Merged
merged 6 commits into from
May 5, 2022
Merged

[High Priority] Fix Snyk vulnerability: Upgrade celery, vine, click #5088

merged 6 commits into from
May 5, 2022

Conversation

johnnyporkchops
Copy link
Contributor

@johnnyporkchops johnnyporkchops commented Mar 25, 2022
edited by pkfec
Loading

Summary

This is due 03/29/22 so we need to get it in upcoming release

Upgrade to Celery 5.x has breaking changes:

  • command to start the celery app has changed:
 - celery --app webservices.tasks  beat 
 - celery --app webservices.tasks worker

Upgrading Celery for Snyk recommended remediation path caused compatibility errors when installing requirements.
Screen Shot 2022-03-24 at 9 04 39 PM
So I updated Click and Vine as well, Now requirements can be installed without error and Pytest passes,

  1. Update click python package in: requirements-dev.txt
  2. Update celery, kombu, redis python packages in: requirements.txt
  3. Update the celery startup command in dev/feature/stage and prod manifest files

Required reviewers

Two backend developers must. @johnnyporkchops git didn't let me add you to the reviewers list. please feel free to test this PR if your time permits.

Impacted areas of the application

Celery tasks, Export results (download results set in fec.gov)

How to test

  • git checkout 5017-snyk-medium-Celery-stored-command-injection
  • pyenv virtualenv 3.7.12 venv-api3712
  • pyenv activate venv-api3712
  • pip install -r requirements.txt
  • pip install -r requirements-dev.txt
  • rm -rf node_modules (optional step)
  • npm i (optional step)
  • npm run build (optional step)
  • pytest(all tests should pass)
  • test downloads and celery tasks on local.Follow the wiki instructions
  • use this command to start celery worker on cli: celery --app webservices.tasks worker --loglevel INFO

OR

Deploy this PR to Dev space:

  • In tasks.py update:

DEPLOY_RULES = (

('dev', lambda _, branch: branch == '5017-snyk-medium-Celery-stored-command-injection'),

)

Note: I will the update the wiki after this PR is merged

@johnnyporkchops johnnyporkchops removed the request for review from cnlucas March 25, 2022 13:59
@johnnyporkchops johnnyporkchops changed the title [Snyk: Medium] Upgrade celery, vine, click [Before 4/5/22 Release] Fix Snyk vulnerability: Upgrade celery, vine, click Mar 26, 2022
@fec-jli
Copy link
Contributor

fec-jli commented Mar 28, 2022
edited
Loading

The current celery version in requirement.txt, we should check kombu version:
celery==4.3.0 # if celery version is updated, need to verify compatibility with kombu and ensure correct version of kombu is pinned above

openFEC/requirements.txt

Line 42 in f24487c

celery==4.3.0 # if celery version is updated, need to verify compatibility with kombu and ensure correct version of kombu is pinned above

@johnnyporkchops
Copy link
Contributor Author

The current celery version in requirement.txt, we should check kombu version:
celery==4.3.0 # if celery version is updated, need to verify compatibility with kombu and ensure correct version of kombu is pinned above

@jun, Kombu is updated to 5.24

@pkfec
Copy link
Contributor

pkfec commented Mar 29, 2022

@johnnyporkchops Deployed a test branch to Dev space. Downloads failed with the following error.

   2022-03-29T10:23:35.80-0400 [APP/PROC/WEB/0] ERR An API error occurred with the status code of 500 (__init__() got an unexpected keyword argument 'username').
   2022-03-29T10:23:35.80-0400 [APP/PROC/WEB/0] OUT ERROR:webservices.rest:An API error occurred with the status code of 500 (__init__() got an unexpected keyword argument 'username').
   2022-03-29T10:23:35.81-0400 [APP/PROC/WEB/0] ERR [2022-03-29 14:23:35 +0000] [129] [ERROR] Error handling request /v1/download/totals/pac-party/?api_key=XXXXX&api_key=&sort_hide_null=false&sort_nulls_last=true&cycle=2022&sort=-receipts
   2022-03-29T10:23:35.81-0400 [APP/PROC/WEB/0] ERR Traceback (most recent call last):
   2022-03-29T10:23:35.81-0400 [APP/PROC/WEB/0] ERR File "/home/vcap/deps/0/python/lib/python3.7/site-packages/kombu/utils/functional.py", line 30, in __call__
   2022-03-29T10:23:35.81-0400 [APP/PROC/WEB/0] ERR return self.__value__
   2022-03-29T10:23:35.81-0400 [APP/PROC/WEB/0] ERR AttributeError: 'ChannelPromise' object has no attribute '__value__'
   2022-03-29T10:23:35.81-0400 [APP/PROC/WEB/0] ERR During handling of the above exception, another exception occurred:
   2022-03-29T10:23:35.81-0400 [APP/PROC/WEB/0] ERR Traceback (most recent call last):
   2022-03-29T10:23:35.81-0400 [APP/PROC/WEB/0] ERR File "/home/vcap/deps/0/python/lib/python3.7/site-packages/kombu/transport/virtual/base.py", line 925, in create_channel
   2022-03-29T10:23:35.81-0400 [APP/PROC/WEB/0] ERR return self._avail_channels.pop()
   2022-03-29T10:23:35.81-0400 [APP/PROC/WEB/0] ERR IndexError: pop from empty list
   2022-03-29T10:23:35.81-0400 [APP/PROC/WEB/0] ERR During handling of the above exception, another exception occurred:
   2022-03-29T10:23:35.81-0400 [APP/PROC/WEB/0] ERR Traceback (most recent call last):
   2022-03-29T10:23:35.81-0400 [APP/PROC/WEB/0] ERR File "/home/vcap/deps/0/python/lib/python3.7/site-packages/redis/connection.py", line 988, in get_connection
   2022-03-29T10:23:35.81-0400 [APP/PROC/WEB/0] ERR connection = self._available_connections.pop()
   2022-03-29T10:23:35.81-0400 [APP/PROC/WEB/0] ERR IndexError: pop from empty list

@pkfec pkfec force-pushed the 5017-snyk-medium-Celery-stored-command-injection branch from 841ad1a to 3c26aa1 Compare March 29, 2022 15:37
@pkfec
Copy link
Contributor

pkfec commented Mar 29, 2022
edited
Loading

@johnnyporkchops There are breaking changes in celery 5.X.X.
I just found out the way we start the celery worker has changed:

celery v4.3.0:
5088-venv) macadmins-mbp-5:openFEC pkasireddy$ celery worker --app webservices.tasks --loglevel INFO

celery v5.X.X: (5088-venv) macadmins-mbp-5:openFEC pkasireddy$ celery --app webservices.tasks worker --loglevel INFO

@johnnyporkchops johnnyporkchops changed the title [Before 4/5/22 Release] Fix Snyk vulnerability: Upgrade celery, vine, click [High Priority] Fix Snyk vulnerability: Upgrade celery, vine, click Apr 4, 2022
@pkfec pkfec force-pushed the 5017-snyk-medium-Celery-stored-command-injection branch from 3c26aa1 to d13e6d2 Compare May 4, 2022 10:42
@pkfec pkfec removed their request for review May 4, 2022 19:48
@pkfec pkfec force-pushed the 5017-snyk-medium-Celery-stored-command-injection branch from 7404944 to c9de44e Compare May 4, 2022 20:09
@codecov-commenter
Copy link

codecov-commenter commented May 4, 2022
edited
Loading

Codecov Report

Merging #5088 (e085d49) into develop (8e99aca) will not change coverage.
The diff coverage is n/a.

❗ Current head e085d49 differs from pull request most recent head 6132acd. Consider uploading reports for the commit 6132acd to get more accurate results

@@           Coverage Diff            @@
##           develop    #5088   +/-   ##
========================================
  Coverage    85.75%   85.75%           
========================================
  Files           81       81           
  Lines         7721     7721           
========================================
  Hits          6621     6621           
  Misses        1100     1100

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 8e99aca...6132acd. Read the comment docs.

@pkfec pkfec requested a review from cnlucas May 4, 2022 21:25
@pkfec pkfec self-assigned this May 4, 2022
@pkfec pkfec force-pushed the 5017-snyk-medium-Celery-stored-command-injection branch 2 times, most recently from bb13896 to e085d49 Compare May 4, 2022 22:26
@pkfec pkfec force-pushed the 5017-snyk-medium-Celery-stored-command-injection branch from e085d49 to 6132acd Compare May 4, 2022 22:32
@johnnyporkchops
Copy link
Contributor Author

@pkfec Everything looks good! Great job

fec-jli
fec-jli approved these changes May 5, 2022
View reviewed changes
Copy link
Contributor

@fec-jli fec-jli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We deploy on dev. works as expected.
Thanks. good job.

cnlucas
cnlucas approved these changes May 5, 2022
View reviewed changes
Copy link
Member

@cnlucas cnlucas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Everything worked as expected and thank you for pairing with the test call @fec-jli and @pkfec

@cnlucas cnlucas merged commit 166c167 into develop May 5, 2022
@pkfec pkfec deleted the 5017-snyk-medium-Celery-stored-command-injection branch May 4, 2023 16:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fec-jli fec-jli fec-jli approved these changes

@cnlucas cnlucas cnlucas approved these changes

@hcaofec hcaofec Awaiting requested review from hcaofec

Assignees

@pkfec pkfec

Labels
Please review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Snyk: Medium] Celery - Stored Command Injection (03/29/2022)
5 participants
@johnnyporkchops @fec-jli @pkfec @codecov-commenter @cnlucas