From 1eeaad61d9ec3fb4a1e8566257008bfbb47f9dae Mon Sep 17 00:00:00 2001 From: npeter83 Date: Sun, 14 Jun 2026 05:59:34 +0200 Subject: [PATCH] fix(security): patch cryptography CVEs, upgrade pip at build, harden /auth/upgrade - requirements: cryptography >=46.0.7 (was pinned <46, which excluded the fix for the CVEs pip-audit flagged in our Fernet/crypto library). pip-audit now clean. - Dockerfile: upgrade pip before installing deps (patches installer-level CVEs). - auth: /auth/upgrade now defaults to the least-privileged read scope; only an explicit access=write requests the write scope. --- Dockerfile | 2 +- backend/app/auth.py | 7 ++++--- backend/requirements.txt | 2 +- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index 37e8237..6f98c9b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,7 +16,7 @@ ENV PYTHONDONTWRITEBYTECODE=1 \ WORKDIR /app COPY backend/requirements.txt . -RUN pip install -r requirements.txt +RUN pip install --upgrade pip && pip install -r requirements.txt COPY backend/ . COPY --from=frontend /fe/dist ./app/static_spa diff --git a/backend/app/auth.py b/backend/app/auth.py index c5b086b..787f2b7 100644 --- a/backend/app/auth.py +++ b/backend/app/auth.py @@ -213,13 +213,14 @@ def current_user(request: Request, db: Session = Depends(get_db)) -> User: @router.get("/upgrade") async def upgrade( - request: Request, access: str = "write", user: User = Depends(current_user) + request: Request, access: str = "read", user: User = Depends(current_user) ): """Incremental consent for the onboarding wizard. `access=read` grants YouTube read-only (enough to build the feed); `access=write` additionally grants management (unsubscribe). The shared callback stores whatever Google returns, so `can_read` / - `can_write` flip on once granted.""" - scope = READ_SCOPES if access == "read" else WRITE_SCOPES + `can_write` flip on once granted. Anything other than an explicit `write` defaults to + the least-privileged read scope.""" + scope = WRITE_SCOPES if access == "write" else READ_SCOPES return await oauth.google.authorize_redirect( request, settings.oauth_redirect_url, diff --git a/backend/requirements.txt b/backend/requirements.txt index 351833b..6ba02a4 100644 --- a/backend/requirements.txt +++ b/backend/requirements.txt @@ -11,4 +11,4 @@ feedparser>=6.0,<7.0 apscheduler>=3.10,<4.0 py3langid>=0.3,<1.0 itsdangerous>=2.1,<3.0 -cryptography>=42,<46 +cryptography>=46.0.7,<47