maxcountryman/flask-login

Not compatible with Werkzeug > 2.1.2

sqall01 opened this issue · 4 comments

We have an application using Flask-Login and Werkzeug. However, after rebuilding it our audit pass told us that Werkzeug in version 2.1.2 has two vulnerabilities:

After upgrading to Werkzeug 2.2.3 we can no longer run the application. We get the following error:

ImportError: cannot import name 'parse_rule' from 'werkzeug.routing'

According to this stackoverflow post it is because parse_rule() has been marked as :internal: in the newest Werkzeug versions. However, since we have a high severity vulnerability in Werkzeug, it is no longer a workaround to keep the Werkzeug version at 2.1.2.

Best regards,
Andre

TL;DR: Update to Flask-Login 0.6.2. #686

You are using an unsupported version of Flask-Login, please update to the latest version (0.6.2) if possible.

When writing an application, you must use a tool like pip-tools to pin your application's full dependency tree. This gives you reproducible deployments, allowing you to control when you get updates.
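The compatibility rule stated in this thread (Flask-Login before 0.6.2 imports `parse_rule` from `werkzeug.routing`, which Werkzeug releases after 2.1.2 no longer expose) can be turned into a small pre-deployment check over a pinned requirements file or over the installed environment. The following is an added example written for this page, not code from Flask-Login, Werkzeug or either participant; the version thresholds are taken from the thread, the `==` pin format is the one in the package list below, and the sample requirements text is constructed.

```python
from importlib.metadata import PackageNotFoundError, version

# Thresholds taken from the thread: Flask-Login 0.6.2 stops importing
# parse_rule (issue #686); Werkzeug 2.1.2 is the last release that exposes it.
FLASK_LOGIN_FIXED = (0, 6, 2)
WERKZEUG_LAST_COMPATIBLE = (2, 1, 2)


def parse_version(text):
    """Turn '2.2.3' or '0.6.2' into a comparable tuple of ints.

    Pre-release suffixes such as 'rc1' are dropped; that is enough for the
    release-only pins seen in this thread.
    """
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def check_pair(flask_login_version, werkzeug_version):
    """Return (ok, message) for one Flask-Login / Werkzeug version pair."""
    fl = parse_version(flask_login_version)
    wz = parse_version(werkzeug_version)
    if fl < FLASK_LOGIN_FIXED and wz > WERKZEUG_LAST_COMPATIBLE:
        return False, (
            f"Flask-Login {flask_login_version} imports parse_rule from "
            f"werkzeug.routing, which Werkzeug {werkzeug_version} no longer "
            f"exposes; upgrade Flask-Login to 0.6.2 or newer"
        )
    return True, "Flask-Login and Werkzeug versions are compatible"


def parse_requirements(text):
    """Parse 'Name==version' lines (the pinned format used in the thread)."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, _, ver = line.partition("==")
        # Distribution names are case-insensitive; normalise for lookup.
        pins[name.strip().lower()] = ver.strip()
    return pins


def check_requirements(text):
    """Run the compatibility check over a pinned requirements file's text."""
    pins = parse_requirements(text)
    for name in ("flask-login", "werkzeug"):
        if name not in pins:
            return False, f"{name} is not pinned in the requirements file"
    return check_pair(pins["flask-login"], pins["werkzeug"])


def check_installed():
    """Check the versions actually installed in the current environment."""
    try:
        return check_pair(version("Flask-Login"), version("Werkzeug"))
    except PackageNotFoundError as exc:
        return False, f"package not installed: {exc}"


# Constructed sample: an older Flask-Login pinned next to a patched Werkzeug.
SAMPLE_REQUIREMENTS = """\
Flask==2.0.3
Flask-Login==0.6.0
Werkzeug==2.2.3
"""

if __name__ == "__main__":
    ok, message = check_requirements(SAMPLE_REQUIREMENTS)
    print("requirements:", "OK" if ok else "PROBLEM", "-", message)
    ok, message = check_installed()
    print("installed:", "OK" if ok else "PROBLEM", "-", message)
```

Running `check_requirements` against a `pip-compile` output in CI catches the bad pair before the ImportError surfaces at import time; `check_installed` gives the same answer for a built image. The pairing rule is deliberately narrow, so a version pair the thread does not cover is reported as compatible rather than guessed at.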

I am using Flask-Login in version 0.6.2.

Here is the list of installed packages:

certifi==2022.12.7
charset-normalizer==2.0.12
click==8.1.3
Flask==2.0.3
Flask-Classful==0.14.2
Flask-Login==0.6.2
gitdb==4.0.10
GitPython==3.1.30
greenlet==2.0.2
idna==3.4
iptools==0.7.0
itsdangerous==2.1.2
Jinja2==3.1.2
MarkupSafe==2.1.2
psycopg2-binary==2.9.4
pycryptodome==3.12.0
python-dotenv==0.21.1
PyYAML==5.4.1
requests==2.27.1
smmap==5.0.0
splunk-sdk==1.6.20
SQLAlchemy==1.4.46
urllib3==1.26.14
uWSGI==2.0.21
Werkzeug==2.2.3

@davidism can you please re-open the issue? Otherwise I have to create a new one with the same content.

Sorry, we can't help you here. You'll need to debug your project yourself. If you post a new issue with the same content, it will not help you get an answer here.

I do not get that error when using the latest version of Flask and Flask-Login, however you've listed many more dependencies. You've only posted the error message, not the traceback, so perhaps the actual traceback points to a different dependency. A good way to debug this is to create a minimal, reproducible example and look at the full traceback.