[Dependencies] Upgrade Werkzeug to version 3.1.3 to address CVEs: CVE-2024-34069, CVE-2024-49766, CVE-2024-49767.

Connexion is upgraded to version 3.1.x, as required by the upgraded version of Werkzeug.

Signed-off-by: Giacomo Marciani <[email protected]>

Author: gmarciani

CHANGELOG.md

@@ -14,6 +14,8 @@ CHANGELOG
   - gl: `2024.0.1078-1`
   - web_viewer: `2024.0-18131-1`
 - Upgrade mysql-community-client to version 8.0.39.
+- Upgrade Werkzeug to version 3.1.3.
+- Upgrade Connexion to version 3.1.x.
 
 **BUG FIXES**
 - When mounting an external OpenZFS, it is no longer required to set the outbound rules for ports 111, 2049, 20001, 20002, 20003.

THIRD-PARTY-LICENSES.txt

@@ -209,7 +209,7 @@
 ------
 
 ** clickclick; version 20.10.2 -- https://codeberg.org/hjacobs/python-clickclick
-** connexion; version 2.13.1 -- https://github.com/zalando/connexion
+** connexion; version 3.1.0 -- https://github.com/zalando/connexion
 ** python-dateutil; version 2.8.2 -- https://github.com/dateutil/dateutil
 ** constructs; version 3.4.344 -- https://github.com/aws/constructs
 ** jsii; version 1.85.0 -- https://github.com/aws/jsii
@@ -675,7 +675,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 Copyright 2007 Pallets
 ** Flask; version 2.2.5 -- https://palletsprojects.com/p/flask
 Copyright 2010 Pallets
-** Werkzeug; version 2.3.8 -- https://pypi.org/project/Werkzeug/
+** Werkzeug; version 3.1.3 -- https://pypi.org/project/Werkzeug/
 Copyright 2007 Pallets
 
 Redistribution and use in source and binary forms, with or without

cli/requirements.txt

@@ -16,12 +16,12 @@ aws-cdk.core~=1.164
 aws_cdk.aws-cloudwatch~=1.164
 aws_cdk.aws-lambda~=1.164
 boto3>=1.16.14
-connexion~=2.13.0
+connexion~=3.1
 flask>=2.2.5,<2.3
 jinja2~=3.0
 jmespath~=0.10
 jsii==1.85.0
 marshmallow~=3.10
 PyYAML>=5.3.1,!=5.4
 tabulate>=0.8.8,<=0.8.10
-werkzeug~=2.0
+werkzeug==3.1.3

cli/setup.py

@@ -46,8 +46,8 @@ def readme():
     "aws-cdk.aws-ssm~=" + CDK_VERSION,
     "aws-cdk.aws-sqs~=" + CDK_VERSION,
     "aws-cdk.aws-cloudformation~=" + CDK_VERSION,
-    "werkzeug~=2.0",
-    "connexion~=2.13.0",
+    "werkzeug==3.1.3",
+    "connexion~=3.1",
     "flask>=2.2.5,<2.3",
     "jmespath~=0.10",
     "jsii==1.85.0",

cli/src/pcluster/api/awslambda/serverless_wsgi.py

@@ -20,7 +20,7 @@
 
 from werkzeug.datastructures import Headers, MultiDict, iter_multi_items
 from werkzeug.http import HTTP_STATUS_CODES
-from werkzeug.urls import url_encode, url_unquote, url_unquote_plus
+from urllib.parse import urlencode, unquote, unquote_plus
 from werkzeug.wrappers import Response
 
 # List of MIME types that should not be base64 encoded. MIME types within `text/*`
@@ -95,8 +95,8 @@ def encode_query_string(event):
     if not params:
         params = ""
     if is_alb_event(event):
-        params = MultiDict((url_unquote_plus(k), url_unquote_plus(v)) for k, v in iter_multi_items(params))
-    return url_encode(params)
+        params = MultiDict((unquote_plus(k), unquote_plus(v)) for k, v in iter_multi_items(params))
+    return urlencode(params)
 
 
 def get_script_name(headers, request_context):
@@ -203,7 +203,7 @@ def handle_payload_v1(app, event, context):
     environ = {
         "CONTENT_LENGTH": str(len(body)),
         "CONTENT_TYPE": headers.get("Content-Type", ""),
-        "PATH_INFO": url_unquote(path_info),
+        "PATH_INFO": unquote(path_info),
         "QUERY_STRING": encode_query_string(event),
         "REMOTE_ADDR": event.get("requestContext", {}).get("identity", {}).get("sourceIp", ""),
         "REMOTE_USER": event.get("requestContext", {}).get("authorizer", {}).get("principalId", ""),
@@ -247,7 +247,7 @@ def handle_payload_v2(app, event, context):
     environ = {
         "CONTENT_LENGTH": str(len(body)),
         "CONTENT_TYPE": headers.get("Content-Type", ""),
-        "PATH_INFO": url_unquote(path_info),
+        "PATH_INFO": unquote(path_info),
         "QUERY_STRING": event.get("rawQueryString", ""),
         "REMOTE_ADDR": event.get("requestContext", {}).get("http", {}).get("sourceIp", ""),
         "REMOTE_USER": event.get("requestContext", {}).get("authorizer", {}).get("principalId", ""),
@@ -295,8 +295,8 @@ def handle_lambda_integration(app, event, context):
     environ = {
         "CONTENT_LENGTH": str(len(body)),
         "CONTENT_TYPE": headers.get("Content-Type", ""),
-        "PATH_INFO": url_unquote(path_info),
-        "QUERY_STRING": url_encode(event.get("query", {})),
+        "PATH_INFO": unquote(path_info),
+        "QUERY_STRING": urlencode(event.get("query", {})),
         "REMOTE_ADDR": event.get("identity", {}).get("sourceIp", ""),
         "REMOTE_USER": event.get("principalId", ""),
         "REQUEST_METHOD": event.get("method", ""),