Merge pull request #20 from mnbf9rca/patch/bump-cryptography

nsnguyen · web-flow · commit 3757ec2101e8 · 2023-11-12T22:19:13.000-08:00
bump cryptography above 41.0.3
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file. See [standa
 
 ## [Unreleased](https://github.com/dotenv-org/python-dotenv-vault/compare/v0.5.1...master)
 
+## 0.6.4
+
+### Changed
+
+- Bump Cryptography above 41.0.3 to resolve [#19](https://github.com/dotenv-org/python-dotenv-vault/issues/19) (High severity [CVE-2023-38325](https://nvd.nist.gov/vuln/detail/CVE-2023-38325))
+
 ## 0.6.3
 
 ### Changed
diff --git a/requirements.txt b/requirements.txt
@@ -1,2 +1,2 @@
 python-dotenv~=0.21.0
-cryptography<41.0.0,>=3.1.0
+cryptography<42.0.0,>41.0.3
diff --git a/setup.py b/setup.py
@@ -40,6 +40,6 @@ def read_files(files):
     ],
     install_requires=[
         'python-dotenv~=0.21.0',
-        'cryptography<41.0.0,>=3.1.0'
+        'cryptography<42.0.0,>41.0.3'
     ],
 )
diff --git a/src/dotenv_vault/__version__.py b/src/dotenv_vault/__version__.py
@@ -1,7 +1,7 @@
 __title__ = "python-dotenv-vault"
 __description__ = "Decrypt .env.vault file."
 __url__ = "https://github.com/dotenv-org/python-dotenv-vault"
-__version__ = "0.6.3"
+__version__ = "0.6.4"
 __author__ = "dotenv"
 __author_email__ = "mot@dotenv.org"
 __license__ = "MIT"
diff --git a/src/dotenv_vault/test_vault.py b/src/dotenv_vault/test_vault.py
@@ -79,3 +79,82 @@ def test_load_dotenv_vault_not_there(self, find_dotenv):
             mocked_listdir.return_value = ['.env', 'some_file']
             path = vault.load_dotenv_vault()
             self.assertEqual(path, '/some/path/.env')
+
+
+class TestLoadDotenv:
+
+    @mock.patch.dict(os.environ, {"DOTENV_KEY": "secret_key"}, clear=True)
+    @mock.patch("builtins.open", new_callable=mock.mock_open, read_data="KEY=VALUE")
+    @mock.patch("dotenv_vault.main.parse_vault")
+    @mock.patch("dotenv_vault.main.load_dotenv_vault")
+    @mock.patch("dotenv_vault.main.dotenv.load_dotenv")
+    def test_load_encrypted_env(
+        self, mock_load_dotenv,
+        mock_load_dotenv_vault,
+        mock_parse_vault,
+        mock_open
+    ):
+            mock_parse_vault.return_value = "stream_with_decrypted_data"
+            mock_load_dotenv_vault.return_value = "this_is_the_valut"
+            mock_load_dotenv.return_value = True
+
+            assert vault.load_dotenv() == True
+            mock_load_dotenv_vault.assert_called_once()
+            mock_parse_vault.assert_called_once()
+            mock_open.assert_called_once_with(mock_load_dotenv_vault.return_value)
+            mock_load_dotenv.assert_called_once_with(
+                stream=mock_parse_vault.return_value, 
+                verbose=False, 
+                override=True, 
+                interpolate=True, 
+                encoding="utf-8"
+            )
+
+    @mock.patch.dict(os.environ, {"NOT_DOTENV_KEY": "shouldnt_be_detected"}, clear=True)
+    @mock.patch("builtins.open", new_callable=mock.mock_open, read_data="KEY=VALUE")
+    @mock.patch("dotenv_vault.main.dotenv.find_dotenv")
+    @mock.patch("dotenv_vault.main.dotenv.load_dotenv")
+    @mock.patch.dict(os.environ, {}, clear=True)
+    def test_load_unencrypted_env(self, 
+            mock_load_dotenv,
+            mock_find_dotenv,
+            mock_open
+        ):
+        mock_find_dotenv.return_value = "path_to_dotenv_file"
+        mock_load_dotenv.return_value = True
+
+        assert vault.load_dotenv() == True
+        mock_open.assert_called_once_with(mock_find_dotenv.return_value)
+        mock_find_dotenv.assert_called_once_with(usecwd=True)
+        mock_load_dotenv.assert_called_once_with(
+                stream=mock_open.return_value, 
+                verbose=False, 
+                override=True, 
+                interpolate=True, 
+                encoding="utf-8"
+        )
+
+    @mock.patch.dict(os.environ, {"NOT_DOTENV_KEY": "shouldnt_be_detected"}, clear=True)
+    @mock.patch("builtins.open", new_callable=mock.mock_open, read_data="KEY=VALUE")
+    @mock.patch("dotenv_vault.main.dotenv.find_dotenv")
+    @mock.patch("dotenv_vault.main.dotenv.load_dotenv")
+    @mock.patch.dict(os.environ, {}, clear=True)
+    def test_load_with_stream_provided(self, 
+            mock_load_dotenv,
+            mock_find_dotenv,
+            mock_open
+        ):
+        mock_find_dotenv.return_value = "path_to_dotenv_file"
+        mock_load_dotenv.return_value = True
+        test_stream_value = "test_stream_value"
+
+        assert vault.load_dotenv(stream=test_stream_value) == True
+        mock_open.assert_not_called()
+        mock_find_dotenv.assert_called_once_with(usecwd=True)
+        mock_load_dotenv.assert_called_once_with(
+                stream=test_stream_value, 
+                verbose=False, 
+                override=True, 
+                interpolate=True, 
+                encoding="utf-8"
+        )

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`python-dotenv~=0.21.0`
`2`		`-cryptography<41.0.0,>=3.1.0`
	`2`	`+cryptography<42.0.0,>41.0.3`
Original file line number	Diff line number	Diff line change
`@@ -40,6 +40,6 @@ def read_files(files):`
`40`	`40`	`],`
`41`	`41`	`install_requires=[`
`42`	`42`	`'python-dotenv~=0.21.0',`
`43`		`- 'cryptography<41.0.0,>=3.1.0'`
	`43`	`+ 'cryptography<42.0.0,>41.0.3'`
`44`	`44`	`],`
`45`	`45`	`)`