Merge pull request #164 from ds-wizard/hotfix/4.2.1

Hotfix 4.2.1

packages/dsw-command-queue/CHANGELOG.md

@@ -8,6 +8,10 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 ## [Unreleased]
 
 
+## [4.2.1]
+
+Released for version consistency with other DSW tools.
+
 ## [4.2.0]
 
 Released for version consistency with other DSW tools.
@@ -169,3 +173,4 @@ Released for version consistency with other DSW tools.
 [4.1.0]: /../../tree/v4.1.0
 [4.1.1]: /../../tree/v4.1.1
 [4.2.0]: /../../tree/v4.2.0
+[4.2.1]: /../../tree/v4.2.1

packages/dsw-command-queue/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = 'setuptools.build_meta'
 
 [project]
 name = 'dsw-command-queue'
-version = "4.2.0"
+version = "4.2.1"
 description = 'Library for working with command queue and persistent commands'
 readme = 'README.md'
 keywords = ['dsw', 'subscriber', 'publisher', 'database', 'queue', 'processing']
@@ -25,7 +25,7 @@ classifiers = [
 requires-python = '>=3.10, <4'
 dependencies = [
     # DSW
-    "dsw-database==4.2.0",
+    "dsw-database==4.2.1",
 ]
 
 [project.urls]

packages/dsw-config/CHANGELOG.md

@@ -8,6 +8,10 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 ## [Unreleased]
 
 
+## [4.2.1]
+
+Released for version consistency with other DSW tools.
+
 ## [4.2.0]
 
 Released for version consistency with other DSW tools.
@@ -177,3 +181,4 @@ Released for version consistency with other DSW tools.
 [4.1.0]: /../../tree/v4.1.0
 [4.1.1]: /../../tree/v4.1.1
 [4.2.0]: /../../tree/v4.2.0
+[4.2.1]: /../../tree/v4.2.1

packages/dsw-config/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = 'setuptools.build_meta'
 
 [project]
 name = 'dsw-config'
-version = "4.2.0"
+version = "4.2.1"
 description = 'Library for DSW config manipulation'
 readme = 'README.md'
 keywords = ['dsw', 'config', 'yaml', 'parser']

packages/dsw-data-seeder/CHANGELOG.md

@@ -8,6 +8,12 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 ## [Unreleased]
 
 
+## [4.2.1]
+
+### Fixed
+
+- Update base Docker images (due to [CVE-2023-7104](https://nvd.nist.gov/vuln/detail/CVE-2023-7104))
+
 ## [4.2.0]
 
 Released for version consistency with other DSW tools.
@@ -223,3 +229,4 @@ Released for version consistency with other DSW tools.
 [4.1.0]: /../../tree/v4.1.0
 [4.1.1]: /../../tree/v4.1.1
 [4.2.0]: /../../tree/v4.2.0
+[4.2.1]: /../../tree/v4.2.1

packages/dsw-data-seeder/Dockerfile

@@ -1,4 +1,4 @@
-FROM datastewardshipwizard/python-base:4.1.0-3.11-basic as builder
+FROM datastewardshipwizard/python-base:4.2.1-3.11-basic as builder
 
 WORKDIR /app
 
@@ -12,7 +12,7 @@ RUN python -m pip wheel --no-cache-dir --wheel-dir=/app/wheels -r /app/packages/
  && python -m pip wheel --no-cache-dir --no-deps --wheel-dir=/app/wheels /app/packages/dsw-data-seeder
 
 
-FROM datastewardshipwizard/python-base:4.1.0-3.11-basic
+FROM datastewardshipwizard/python-base:4.2.1-3.11-basic
 
 ENV APPLICATION_CONFIG_PATH /app/config/application.yml
 ENV WORKDIR_PATH /home/user/data
@@ -28,7 +28,7 @@ RUN mkdir -p /home/user/data
 
 # Install Python packages
 COPY --from=builder --chown=user:user /app/wheels /home/user/wheels
-RUN python -m pip install --user --no-cache --no-index /home/user/wheels/*  \
+RUN python -m pip install --break-system-packages --user --no-cache --no-index /home/user/wheels/*  \
  && rm -rf /home/user/wheels
 
 # Run

packages/dsw-data-seeder/dsw/data_seeder/consts.py

@@ -6,4 +6,4 @@
 DEFAULT_PLACEHOLDER = '<<|TENANT-ID|>>'
 NULL_UUID = '00000000-0000-0000-0000-000000000000'
 PROG_NAME = 'dsw-data-seeder'
-VERSION = '4.2.0'
+VERSION = '4.2.1'

packages/dsw-data-seeder/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = 'setuptools.build_meta'
 
 [project]
 name = 'dsw-data-seeder'
-version = "4.2.0"
+version = "4.2.1"
 description = 'Worker for seeding DSW data'
 readme = 'README.md'
 keywords = ['data', 'database', 'seed', 'storage']
@@ -29,10 +29,10 @@ dependencies = [
     'sentry-sdk',
     'tenacity',
     # DSW
-    "dsw-command-queue==4.2.0",
-    "dsw-config==4.2.0",
-    "dsw-database==4.2.0",
-    "dsw-storage==4.2.0",
+    "dsw-command-queue==4.2.1",
+    "dsw-config==4.2.1",
+    "dsw-database==4.2.1",
+    "dsw-storage==4.2.1",
 ]
 
 [project.urls]

packages/dsw-database/CHANGELOG.md

@@ -8,6 +8,10 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 ## [Unreleased]
 
 
+## [4.2.1]
+
+Released for version consistency with other DSW tools.
+
 ## [4.2.0]
 
 Released for version consistency with other DSW tools.
@@ -184,3 +188,4 @@ Released for version consistency with other DSW tools.
 [4.1.0]: /../../tree/v4.1.0
 [4.1.1]: /../../tree/v4.1.1
 [4.2.0]: /../../tree/v4.2.0
+[4.2.1]: /../../tree/v4.2.1

packages/dsw-database/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = 'setuptools.build_meta'
 
 [project]
 name = 'dsw-database'
-version = "4.2.0"
+version = "4.2.1"
 description = 'Library for managing DSW database'
 readme = 'README.md'
 keywords = ['dsw', 'database']
@@ -26,7 +26,7 @@ dependencies = [
     'psycopg[binary]',
     'tenacity',
     # DSW
-    "dsw-config==4.2.0",
+    "dsw-config==4.2.1",
 ]
 
 [project.urls]

packages/dsw-document-worker/CHANGELOG.md

@@ -8,6 +8,13 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 ## [Unreleased]
 
 
+## [4.2.1]
+
+### Fixed
+
+- Use Jinja2 sandboxing
+- Update base Docker images (due to [CVE-2023-7104](https://nvd.nist.gov/vuln/detail/CVE-2023-7104))
+
 ## [4.2.0]
 
 Released for version consistency with other DSW tools.
@@ -220,3 +227,4 @@ Released for version consistency with other DSW tools.
 [4.1.0]: /../../tree/v4.1.0
 [4.1.1]: /../../tree/v4.1.1
 [4.2.0]: /../../tree/v4.2.0
+[4.2.1]: /../../tree/v4.2.1

packages/dsw-document-worker/Dockerfile

@@ -1,4 +1,4 @@
-FROM datastewardshipwizard/python-base:4.1.0-3.11-docworker as builder
+FROM datastewardshipwizard/python-base:4.2.1-3.11-docworker as builder
 
 ARG TARGETARCH
 
@@ -14,11 +14,10 @@ RUN python -m pip wheel --wheel-dir=/app/wheels -r /app/packages/dsw-document-wo
  && python -m pip wheel --no-deps --wheel-dir=/app/wheels /app/packages/dsw-config \
  && python -m pip wheel --no-deps --wheel-dir=/app/wheels /app/packages/dsw-database \
  && python -m pip wheel --no-deps --wheel-dir=/app/wheels /app/packages/dsw-storage \
- && python -m pip wheel --wheel-dir=/app/wheels /app/packages/dsw-document-worker/addons/* \
- && python -m pip install --no-index /app/wheels/* \
+ && python -m pip wheel --no-deps --wheel-dir=/app/wheels /app/packages/dsw-document-worker/addons/* \
  && python -m pip wheel --no-deps --wheel-dir=/app/wheels /app/packages/dsw-document-worker
 
-FROM datastewardshipwizard/python-base:4.1.0-3.11-docworker
+FROM datastewardshipwizard/python-base:4.2.1-3.11-docworker
 
 ENV APPLICATION_CONFIG_PATH /app/config/application.yml
 ENV WORKDIR_PATH /tmp/docworker
@@ -38,7 +37,7 @@ COPY --chown=user:user packages/dsw-document-worker/data /home/user/data
 
 # Install Python packages
 COPY --from=builder --chown=user:user /app/wheels /home/user/wheels
-RUN python -m pip install --user --no-cache --no-index /home/user/wheels/*  \
+RUN python -m pip install --break-system-packages --user --no-cache --no-index /home/user/wheels/*  \
  && rm -rf /home/user/wheels
 
 # Run

packages/dsw-document-worker/addons/pandoc-docx-pagebreak-py/setup.py

@@ -15,14 +15,12 @@
         "Topic :: Software Development :: Build Tools",
         "License :: OSI Approved :: MIT License",
         "Programming Language :: Python :: 3",
-        "Programming Language :: Python :: 3.4",
-        "Programming Language :: Python :: 3.5",
-        "Programming Language :: Python :: 3.6",
+        "Programming Language :: Python :: 3.11",
     ],
     keywords="pandoc filter docx",
     py_modules=["docx_pagebreak"],
     install_requires=[
-        "panflute==2.0.5",
+        "panflute==2.3.0",
     ],
     entry_points={
         "console_scripts": [

packages/dsw-document-worker/dsw/document_worker/consts.py

@@ -6,7 +6,7 @@
 EXIT_SUCCESS = 0
 NULL_UUID = '00000000-0000-0000-0000-000000000000'
 PROG_NAME = 'docworker'
-VERSION = '4.2.0'
+VERSION = '4.2.1'
 
 
 class DocumentState:

packages/dsw-document-worker/dsw/document_worker/templates/steps/template.py

@@ -1,5 +1,8 @@
+import typing as t
+
 import jinja2
 import jinja2.exceptions
+import jinja2.sandbox
 import json
 
 from typing import Any
@@ -25,6 +28,16 @@ def execute_follow(self, document: DocumentFile, context: dict) -> DocumentFile:
         return self.raise_exc(f'Step "{self.NAME}" cannot process other files')
 
 
+class JinjaEnvironment(jinja2.sandbox.SandboxedEnvironment):
+
+    def is_safe_attribute(self, obj: t.Any, attr: str, value: t.Any) -> bool:
+        if attr in ['os', 'subprocess', 'eval', 'exec', 'popen', 'system']:
+            return False
+        if attr == '__setitem__' and isinstance(obj, dict):
+            return True
+        return super().is_safe_attribute(obj, attr, value)
+
+
 class Jinja2Step(Step):
     NAME = 'jinja'
     DEFAULT_FORMAT = FileFormats.HTML
@@ -60,7 +73,7 @@ def __init__(self, template, options: dict):
 
         self.output_format = FileFormat(self.extension, self.content_type, self.extension)
         try:
-            self.j2_env = jinja2.Environment(
+            self.j2_env = JinjaEnvironment(
                 loader=jinja2.FileSystemLoader(searchpath=template.template_dir),
                 extensions=[
                     'jinja2.ext.do',

packages/dsw-document-worker/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = 'setuptools.build_meta'
 
 [project]
 name = 'dsw-document-worker'
-version = "4.2.0"
+version = "4.2.1"
 description = 'Worker for assembling and transforming documents'
 readme = 'README.md'
 keywords = ['documents', 'generation', 'jinja2', 'pandoc', 'worker']
@@ -40,10 +40,10 @@ dependencies = [
     'weasyprint',
     'XlsxWriter',
     # DSW
-    "dsw-command-queue==4.2.0",
-    "dsw-config==4.2.0",
-    "dsw-database==4.2.0",
-    "dsw-storage==4.2.0",
+    "dsw-command-queue==4.2.1",
+    "dsw-config==4.2.1",
+    "dsw-database==4.2.1",
+    "dsw-storage==4.2.1",
 ]
 
 [project.urls]

packages/dsw-document-worker/requirements.txt

@@ -13,6 +13,7 @@ Markdown==3.5.1
 MarkupSafe==2.1.3
 mdx-breakless-lists==1.0.1
 minio==7.1.17
+panflute==2.3.0
 pathvalidate==3.2.0
 pdfrw==0.4
 Pillow==10.1.0

packages/dsw-mailer/CHANGELOG.md

@@ -8,6 +8,13 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 ## [Unreleased]
 
 
+## [4.2.1]
+
+### Fixed
+
+- Use Jinja2 sandboxing
+- Update base Docker images (due to [CVE-2023-7104](https://nvd.nist.gov/vuln/detail/CVE-2023-7104))
+
 ## [4.2.0]
 
 Released for version consistency with other DSW tools.
@@ -192,3 +199,4 @@ Released for version consistency with other DSW tools.
 [4.1.0]: /../../tree/v4.1.0
 [4.1.1]: /../../tree/v4.1.1
 [4.2.0]: /../../tree/v4.2.0
+[4.2.1]: /../../tree/v4.2.1

packages/dsw-mailer/Dockerfile

@@ -1,4 +1,4 @@
-FROM datastewardshipwizard/python-base:4.1.0-3.11-basic as builder
+FROM datastewardshipwizard/python-base:4.2.1-3.11-basic as builder
 
 WORKDIR /app
 
@@ -10,7 +10,7 @@ RUN python -m pip wheel --no-cache-dir --wheel-dir=/app/wheels -r /app/packages/
  && python -m pip wheel --no-cache-dir --no-deps --wheel-dir=/app/wheels /app/packages/dsw-database \
  && python -m pip wheel --no-cache-dir --no-deps --wheel-dir=/app/wheels /app/packages/dsw-mailer
 
-FROM datastewardshipwizard/python-base:4.1.0-3.11-basic
+FROM datastewardshipwizard/python-base:4.2.1-3.11-basic
 
 ENV APPLICATION_CONFIG_PATH /app/config/application.yml
 ENV WORKDIR_PATH /home/user/templates
@@ -28,7 +28,7 @@ COPY --chown=user:user packages/dsw-mailer/templates /home/user/templates
 
 # Install Python packages
 COPY --from=builder --chown=user:user /app/wheels /home/user/wheels
-RUN python -m pip install --user --no-cache --no-index /home/user/wheels/*  \
+RUN python -m pip install --break-system-packages --user --no-cache --no-index /home/user/wheels/*  \
  && rm -rf /home/user/wheels
 
 # Run

packages/dsw-mailer/dsw/mailer/consts.py

@@ -5,4 +5,4 @@
 DEFAULT_ENCODING = 'utf-8'
 NULL_UUID = '00000000-0000-0000-0000-000000000000'
 PROG_NAME = 'dsw-mailer'
-VERSION = '4.2.0'
+VERSION = '4.2.1'

packages/dsw-mailer/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = 'setuptools.build_meta'
 
 [project]
 name = 'dsw-mailer'
-version = "4.2.0"
+version = "4.2.1"
 description = 'Worker for sending email notifications'
 readme = 'README.md'
 keywords = ['email', 'jinja2', 'notification', 'template']
@@ -31,9 +31,9 @@ dependencies = [
     'sentry-sdk',
     'tenacity',
     # DSW
-    "dsw-command-queue==4.2.0",
-    "dsw-config==4.2.0",
-    "dsw-database==4.2.0",
+    "dsw-command-queue==4.2.1",
+    "dsw-config==4.2.1",
+    "dsw-database==4.2.1",
 ]
 
 [project.urls]

packages/dsw-models/CHANGELOG.md

@@ -8,6 +8,10 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 ## [Unreleased]
 
 
+## [4.2.1]
+
+Released for version consistency with other DSW tools.
+
 ## [4.2.0]
 
 Released for version consistency with other DSW tools.
@@ -100,3 +104,4 @@ Released for version consistency with other DSW tools.
 [4.1.0]: /../../tree/v4.1.0
 [4.1.1]: /../../tree/v4.1.1
 [4.2.0]: /../../tree/v4.2.0
+[4.2.1]: /../../tree/v4.2.1