
Conversation


@devin-ai-integration devin-ai-integration bot commented Nov 11, 2025

Fix CVE-2023-45803 and CVE-2024-37891 by updating urllib3 constraint

Summary

Updated the urllib3 dependency in integration test requirements from a pinned version ==2.0.6 to a minimum safe version constraint >=2.2.2,<3.0.0 to address two security vulnerabilities:

  • CVE-2023-45803: Request body not stripped after redirect from 303 status (fixed in urllib3 2.0.7 and 1.26.18)
  • CVE-2024-37891: Proxy-Authorization header not stripped during cross-origin redirects (fixed in urllib3 2.2.2 and 1.26.19)

The previous pinned version 2.0.6 was vulnerable to both CVEs. The new constraint ensures both vulnerabilities are fixed while preventing breaking changes from future urllib3 3.x releases.

Context: urllib3 was originally pinned to 2.0.6 in PR #760 to fix CVE-2023-43804. urllib3 is not directly imported in the codebase - it's a transitive dependency of pytest-html and other testing tools.

Review & Testing Checklist for Human

  • Verify CI passes across all warehouse platforms - The most critical check. This change affects integration tests that run against 10+ different warehouse adapters (Snowflake, BigQuery, Redshift, Databricks, Athena, Trino, ClickHouse, Dremio, Spark, Postgres). Some adapters may have transitive dependencies with urllib3 constraints that could conflict with >=2.2.2.
  • Check for any test failures or behavioral changes - While dependency resolution was tested locally with Python 3.9, actual integration test execution was not verified. Watch for any subtle behavioral differences between urllib3 2.0.6 and 2.2.2+.
  • Verify vulnerability scanners are satisfied - Confirm that security scanning tools accept the new constraint and no longer flag CVE-2023-45803 or CVE-2024-37891.
  • Consider if upper bound is appropriate - The <3.0.0 upper bound prevents future major version breaking changes, but you may want to be more conservative (e.g., <2.6.0) if there are concerns about urllib3 2.x stability.

Test Plan

  1. Wait for CI to complete across all warehouse platform matrix jobs
  2. If any jobs fail with dependency resolution errors, consider using the fallback constraint urllib3>=1.26.19,<2.0.0 which also fixes both CVEs but stays on the 1.x line
  3. Run a smoke test of integration tests locally against Postgres if possible

Notes

  • Local testing confirmed no dependency conflicts with Python 3.9 and basic pytest packages
  • urllib3 2.5.0 (current latest in the 2.x line) was successfully resolved during local testing
  • The change only affects integration test requirements, not runtime dependencies
  • Related to PR #773 (Fix CVE-2023-45803 and CVE-2024-37891), which attempted to fix this by unpinning urllib3 entirely (not recommended as it's non-deterministic)

Link to Devin run: https://app.devin.ai/sessions/bbcb9972001f462bb6af97635458cad3
Requested by: Yosef Arbiv (@arbiv)

Summary by CodeRabbit

  • Bug Fixes
    • Updated urllib3 dependency to patch security vulnerabilities with an upper bound to maintain stability.

- Update urllib3 from pinned version 2.0.6 to >=2.2.2,<3.0.0
- CVE-2023-45803: Fixed in urllib3 2.0.7 and 1.26.18
- CVE-2024-37891: Fixed in urllib3 2.2.2 and 1.26.19
- Add upper bound <3.0.0 to prevent breaking changes from future major versions
- Tested with Python 3.9 - no dependency conflicts

Co-Authored-By: Yosef Arbiv <[email protected]>
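The PR's checklist asks a reviewer to confirm that the new constraint no longer admits a release affected by either CVE, and the test plan names a 1.x fallback constraint. The following is an added example, not code from the elementary repository or from this PR: a standard-library-only check that evaluates a urllib3 requirement specifier against a list of candidate releases and reports any admitted version that predates the fix for its major line. The fixed-in versions are the ones stated in the PR description; the candidate release list is an assumption (the versions the PR names, plus the release assumed to precede each fix), standing in for what a real scanner would pull from the package index.

```python
"""Added example (not part of the elementary repository or this PR): check that a urllib3
requirement specifier admits no release still affected by CVE-2023-45803 or CVE-2024-37891.
Fixed-in versions come from the PR description; the candidate release list is assumed."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Fix versions per the PR description, keyed by CVE and then by major release line.
FIXED_IN: Dict[str, Dict[int, str]] = {
    "CVE-2023-45803": {1: "1.26.18", 2: "2.0.7"},  # request body not dropped after a 303
    "CVE-2024-37891": {1: "1.26.19", 2: "2.2.2"},  # Proxy-Authorization kept on cross-origin redirect
}

# Constructed candidate list (assumption): the releases named in the PR plus the release
# assumed to sit immediately before each fix. A real scanner would query the package index.
CANDIDATE_RELEASES: List[str] = [
    "1.26.17", "1.26.18", "1.26.19", "2.0.6", "2.0.7", "2.2.1", "2.2.2", "2.5.0",
]

_CLAUSE = re.compile(r"^(==|!=|<=|>=|<|>)\s*(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> Version:
    """'2.0.6' -> (2, 0, 6). Only plain dotted-numeric releases are handled."""
    return tuple(int(part) for part in text.strip().split("."))


def _cmp(a: Version, b: Version) -> int:
    """Compare two version tuples, zero-padding the shorter so that 2.2 == 2.2.0."""
    width = max(len(a), len(b))
    a, b = a + (0,) * (width - len(a)), b + (0,) * (width - len(b))
    return (a > b) - (a < b)


_OPS = {
    "==": lambda c: c == 0, "!=": lambda c: c != 0,
    "<": lambda c: c < 0, "<=": lambda c: c <= 0,
    ">": lambda c: c > 0, ">=": lambda c: c >= 0,
}


def parse_specifier(spec: str) -> List[Tuple[str, Version]]:
    """'>=2.2.2,<3.0.0' -> [('>=', (2, 2, 2)), ('<', (3, 0, 0))]; a subset of PEP 440."""
    clauses = []
    for raw in spec.split(","):
        match = _CLAUSE.match(raw.strip())
        if not match:
            raise ValueError(f"unsupported clause: {raw!r}")
        clauses.append((match.group(1), parse_version(match.group(2))))
    return clauses


def satisfies(version: str, spec: str) -> bool:
    """True when every clause of the specifier admits the version."""
    v = parse_version(version)
    return all(_OPS[op](_cmp(v, ref)) for op, ref in parse_specifier(spec))


def is_vulnerable(version: str, cve: str) -> bool:
    """A release is still affected if it is older than the fix for its own major line.
    Lines newer than any listed one inherit the newest fix; older lines never got one."""
    v = parse_version(version)
    lines = FIXED_IN[cve]
    major = min(v[0], max(lines))  # 3.x is measured against the 2.x fix
    if major not in lines:
        return True  # e.g. 0.x: no fix ever shipped on that line
    return _cmp(v, parse_version(lines[major])) < 0


def admitted_vulnerable(spec: str, candidates=CANDIDATE_RELEASES) -> List[Tuple[str, str]]:
    """Every (version, CVE) pair where the specifier admits a candidate that is still affected."""
    return [(ver, cve) for ver in candidates if satisfies(ver, spec)
            for cve in FIXED_IN if is_vulnerable(ver, cve)]


if __name__ == "__main__":
    # The old pin, the new constraint, and the 1.x fallback named in the test plan.
    for spec in ("==2.0.6", ">=2.2.2,<3.0.0", ">=1.26.19,<2.0.0"):
        print(f"{spec:<20} admits vulnerable: {admitted_vulnerable(spec) or 'none'}")
```

The lower bound is what matters: a constraint such as `>=2.0.7,<3.0.0` would close the first CVE but still admit 2.0.7 through 2.2.1, which remain affected by the second, so the check reports those pairs rather than just a yes/no.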
@devin-ai-integration (Contributor, Author)

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@github-actions (Contributor)

👋 @devin-ai-integration[bot]
Thank you for raising your pull request.
Please make sure to add tests and document all user-facing changes.
You can do this by editing the docs files in the elementary repository.


coderabbitai bot commented Nov 11, 2025

Walkthrough

The pull request updates the urllib3 dependency in integration tests from a fixed version 2.0.6 to a version range >=2.2.2,<3.0.0 with explanatory comments documenting CVE fixes and upper-bound rationale.

Changes

Cohort / File(s): Integration Test Dependencies (integration_tests/requirements.txt)
Summary: Updated urllib3 from pinned version 2.0.6 to range >=2.2.2,<3.0.0 with comments explaining CVE security fixes and upper-bound constraint to prevent major version breakage

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

  • Verify that CVE fixes referenced in comments are legitimate and address known vulnerabilities
  • Confirm version range >=2.2.2,<3.0.0 is appropriate for integration test stability
  • Check if any integration tests rely on specific urllib3 behavior that might differ across the new range

Poem

🐰 A safer urllib3 hops into place,
CVE shadows erased without a trace,
Pinned no more, but gently ranged free,
Security and flexibility in harmony! ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title directly and clearly describes the main change: updating urllib3 to fix two specific CVEs (CVE-2023-45803 and CVE-2024-37891).
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between db1ea97 and 1c9183d.

📒 Files selected for processing (1)
  • integration_tests/requirements.txt (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (14)
  • GitHub Check: test (latest_official, clickhouse) / test
  • GitHub Check: test (latest_official, postgres) / test
  • GitHub Check: test (latest_official, databricks_catalog) / test
  • GitHub Check: test (latest_official, trino) / test
  • GitHub Check: test (fusion, snowflake) / test
  • GitHub Check: test (latest_official, redshift) / test
  • GitHub Check: test (latest_pre, postgres) / test
  • GitHub Check: test (latest_official, snowflake) / test
  • GitHub Check: test (latest_official, dremio) / test
  • GitHub Check: test (fusion, databricks_catalog) / test
  • GitHub Check: test (latest_official, athena) / test
  • GitHub Check: test (fusion, redshift) / test
  • GitHub Check: test (fusion, bigquery) / test
  • GitHub Check: test (latest_official, bigquery) / test
🔇 Additional comments (1)
integration_tests/requirements.txt (1)

6-8: ✓ CVE fixes are properly addressed and constraint is valid.

The constraint urllib3>=2.2.2,<3.0.0 correctly addresses both CVE-2023-45803 (fixed in 2.0.7) and CVE-2024-37891 (fixed in 2.2.2). The explanatory comments are clear, and the upper bound appropriately prevents major version breaking changes.

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (2)
  • CVE-2023: Entity not found: Issue - Could not find referenced Issue.
  • CVE-2024: Entity not found: Issue - Could not find referenced Issue.

Comment @coderabbitai help to get the list of available commands and usage tips.

@arbiv arbiv self-requested a review November 19, 2025 10:31
@arbiv arbiv merged commit e160076 into master Nov 19, 2025
87 of 90 checks passed
@arbiv arbiv deleted the devin/1762852140-fix-urllib3-cve-vulnerabilities branch November 19, 2025 10:31