Merge pull request #59 from QWED-AI/fix/docker-security

rahuldass19 · web-flow · commit 4f5f5ebe652f · 2026-02-12T14:32:23.000+05:30
fix(deps): upgrade httpx/httpcore/h11 to resolve request smuggling vulnerability
diff --git a/Dockerfile b/Dockerfile
@@ -25,6 +25,11 @@ RUN apt-get update && apt-get install -y --no-install-recommends gosu dos2unix &
 # Copy requirements file first to leverage cache
 COPY requirements.txt /app/requirements.txt
 
+# Vulnerability Fix: Upgrade pip and wheel to patch base image CVEs
+# CVE-2026-24049 (Critical): wheel<=0.46.1 -> 0.46.2
+# CVE-2025-8869 (Medium):   pip==24.0 -> latest
+RUN pip install --no-cache-dir --upgrade "pip>=25.0" "wheel>=0.46.2"
+
 # Install dependencies with hash verification
 # Vulnerability Fix: Pin versions with hashes to prevent supply chain attacks
 RUN pip install --no-cache-dir --require-hashes -r /app/requirements.txt
diff --git a/requirements.in b/requirements.in
@@ -0,0 +1,5 @@
+sympy==1.12
+httpx>=0.28.1
+httpcore>=1.0.9
+h11>=0.16.0
+colorama==0.4.6
diff --git a/requirements.txt b/requirements.txt
@@ -7,7 +7,7 @@
 anyio==4.12.1 \
     --hash=sha256:41cfcc3a4c85d3f05c932da7c26d0201ac36f72abd4435ba90d0464a3ffed703 \
     --hash=sha256:d405828884fc140aa80a3c667b8beed277f1dfedec42ba031bd6ac3db606ab6c
-    # via httpcore
+    # via httpx
 certifi==2026.1.4 \
     --hash=sha256:9943707519e4add1115f44c2bc244f782c0249876bf51b6599fee1ffbedd685c \
     --hash=sha256:ac726dd470482006e014ad384921ed6438c457018f4b3d204aea4281258b2120
@@ -18,18 +18,21 @@ colorama==0.4.6 \
     --hash=sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44 \
     --hash=sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6
     # via -r requirements.in
-h11==0.14.0 \
-    --hash=sha256:8f19fbbe99e72420ff35c00b27a34cb9937e902a8b810e2c88300c6f0a3b699d \
-    --hash=sha256:e3fe4ac4b851c468cc8363d500db52c2ead036020723024a109d37346efaa761
-    # via httpcore
-httpcore==0.17.3 \
-    --hash=sha256:a6f30213335e34c1ade7be6ec7c47f19f50c56db36abef1a9dfa3815b1cb3888 \
-    --hash=sha256:c2789b767ddddfa2a5782e3199b2b7f6894540b17b16ec26b2c4d8e103510b87
-    # via httpx
-httpx==0.24.0 \
-    --hash=sha256:447556b50c1921c351ea54b4fe79d91b724ed2b027462ab9a329465d147d5a4e \
-    --hash=sha256:5b8cc50c22634351515ce762ce0d965705a611c0c6819a31818221c976993a43 \
-    --hash=sha256:9ac5ae24268e6f304403328ce7885b59f77f989917849618b76df4721387d85c
+h11==0.16.0 \
+    --hash=sha256:4e35b956cf45792e4caa5885e69fba00bdbc6ffafbfa020300e549b208ee5ff1 \
+    --hash=sha256:63cf8bbe7522de3bf65932fda1d9c2772064ffb3dae62d55932da54b31cb6c86
+    # via
+    #   -r requirements.in
+    #   httpcore
+httpcore==1.0.9 \
+    --hash=sha256:2d400746a40668fc9dec9810239072b40b4484b640a8c38fd654a024c7a1bf55 \
+    --hash=sha256:6e34463af53fd2ab5d807f399a9b45ea31c3dfa2276f15a2c3f00afff6e176e8
+    # via
+    #   -r requirements.in
+    #   httpx
+httpx==0.28.1 \
+    --hash=sha256:75e98c5f16b0f35b567856f597f06ff2270a374470a5c2392242528e3e3e42fc \
+    --hash=sha256:d909fcccc110f8c7faf814ca82a9a4d816bc5a6dbfea25d6591d6985b8ba59ad
     # via -r requirements.in
 idna==3.11 \
     --hash=sha256:771a87f49d9defaf64091e6e6fe9c18d4833f140bd19464795bc32d966ca37ea \
@@ -41,12 +44,6 @@ mpmath==1.3.0 \
     --hash=sha256:7a28eb2a9774d00c7bc92411c19a89209d5da7c4c9a9e227be8330a23a25b91f \
     --hash=sha256:a0b2b9fe80bbcd81a6647ff13108738cfb482d481d826cc0e02f5b35e5c88d2c
     # via sympy
-sniffio==1.3.1 \
-    --hash=sha256:2f6da418d1f1e0fddd844478f41680e794e6051915791a034ff65e5f100525a2 \
-    --hash=sha256:f4324edc670a0f49750a81b895f35c3adb843cca46f0530f79fc1babb23789dc
-    # via
-    #   httpcore
-    #   httpx
 sympy==1.12 \
     --hash=sha256:3e2e0e09210c4d8f8d660e574c88f728c050228497d51921356a9829352e8253 \
     --hash=sha256:c3588cd4295d0c0f603d0f2ae780587e64e2efeedb3521e46b9bb1d08d184fa5 \
