upgrade protobuf to 6.33.5 (fix security problem)

Cause: protobuf affected by a JSON recursion depth bypass:

A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages.

Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.

Author: scito

Pipfile

@@ -5,12 +5,12 @@ name = "pypi"
 
 [packages]
 colorama = "0.4.6"
-opencv-contrib-python = "*"
+opencv-contrib-python = "4.13.0.90"
 numpy = "2.4.1"
 # for macOS: opencv-contrib-python = "<=4.7.0"
 pillow = "*"
 pyzbar = "*"
-protobuf = "*"
+protobuf = "6.33.5"
 qrcode = "*"
 qreader = "1.3.2"
 

Pipfile.lock

@@ -14,7 +14,7 @@
 [![Stand With Ukraine](https://raw.githubusercontent.com/vshymanskyy/StandWithUkraine/main/badges/StandWithUkraine.svg)](https://stand-with-ukraine.pp.ua)
 <!-- ![PyPI - Python Version](https://img.shields.io/pypi/pyversions/protobuf)
 [![GitHub Pipenv locked Python version](https://img.shields.io/github/pipenv/locked/python-version/scito/extract_otp_secrets)](https://github.com/scito/extract_otp_secrets/blob/master/Pipfile.lock)
-![protobuf 33.4version](https://img.shields.io/badge/protobuf-6.33.433.1-informational)-->
+![protobuf 33.5version](https://img.shields.io/badge/protobuf-6.33.533.1-informational)-->
 
 <!-- [![Github all releases](https://img.shields.io/github/downloads/scito/extract_otp_secrets/total.svg)](https://GitHub.com/scito/extract_otp_secrets/releases/) -->
 
@@ -385,7 +385,7 @@ python extract_otp_secrets.py = < example_export.png</pre>
 * Provides a debug mode (-d) for analyzing import problems
 * Written in modern Python using type hints and following best practices
 * All these features are backed by tests ran nightly
-* All functionality in one Python script: src/extract_otp_secrets.py (except protobuf 33.4generated code in protobuf_generated_python)
+* All functionality in one Python script: src/extract_otp_secrets.py (except protobuf 33.5generated code in protobuf_generated_python)
 
 ## KeePass
 
@@ -748,11 +748,11 @@ sudo dnf install python3-pip perl envsubst
 The export QR code of "Google Authenticator" contains the URL `otpauth-migration://offline?data=…`.
 The data parameter is a base64 encoded proto3 message (Google Protocol Buffers).
 
-Command for regeneration of Python code from proto3 message definition file (only necessary in case of changes of the proto3 message definition or new protobuf 33.4versions):
+Command for regeneration of Python code from proto3 message definition file (only necessary in case of changes of the proto3 message definition or new protobuf 33.5versions):
 
-    protoc 33.4--plugin=protoc-33.4gen-mypy=path/to/protoc-33.4gen-mypy --python_out=src/protobuf_generated_python --mypy_out=src/protobuf_generated_python src/google_auth.proto
+    protoc 33.5--plugin=protoc-33.5gen-mypy=path/to/protoc-33.5gen-mypy --python_out=src/protobuf_generated_python --mypy_out=src/protobuf_generated_python src/google_auth.proto
 
-The generated protobuf 33.4Python code was generated by protoc 33.433.1 (https://github.com/protocolbuffers/protobuf/releases/tag/v33.433.1).
+The generated protobuf 33.5Python code was generated by protoc 33.533.1 (https://github.com/protocolbuffers/protobuf/releases/tag/v33.533.1).
 
 For Python type hint generation the [mypy-protobuf](https://github.com/nipunn1313/mypy-protobuf) package is used.
 

README.md

@@ -97,6 +97,8 @@ run_uv=true
 run_gui=false
 generate_result_files=false
 PYTHONHASHSEED=31
+verbose=false
+VERBOSE=''
 
 while test $# -gt 0; do
     case $1 in
@@ -110,16 +112,17 @@ while test $# -gt 0; do
             echo "-C                      Ignore version check of protobuf/protoc"
             echo "-e                      Build exe"
             echo "-n                      Build nuitka exe"
-            echo "-L                      Do not run protoc and base build locally incl. exes"
             echo "-d                      Build docker"
             echo "-a                      Build arm"
             echo "-X                      Do not build x86_64"
             echo "-B                      Do not build base"
             echo "-V                      Do not run pipenv"
             echo "-U                      Do not run uv"
+            echo "-L                      Do not run protoc and base build locally incl. exes (implies -B -V -U)"
             echo "-g                      Start extract_otp_secrets.py in GUI mode"
             echo "-c                      Clean everything"
             echo "-r                      Generate result files"
+            echo "-v                      Verbose"
             echo "-h, --help              Show help and quit"
             quit
             ;;
@@ -176,6 +179,11 @@ while test $# -gt 0; do
             generate_result_files=true
             shift
             ;;
+        -v)
+            verbose=true
+            VERBOSE="-v"
+            shift
+            ;;
         -c)
             clean=true
             clean_flag="--clean"
@@ -196,6 +204,7 @@ FLAKE8="$PYTHON -m flake8"
 MYPY="$PYTHON -m mypy"
 DOCKER="${DOCKER:=docker}"
 PYTHON_VERSION=$($PYTHON --version 2>&1 | cut -d " " -f2 | cut -d "." -f1-2)
+UVENV='.uvenv'
 
 if $LINUX; then
     PWD=pwd
@@ -210,6 +219,10 @@ fi
 DEST="protoc"
 
 if $clean; then
+    cmd="deactivate || true"
+    if $interactive ; then askContinueYn "$cmd"; else echo -e "${cyan}$cmd${reset}";fi
+    eval "$cmd"
+    
     cmd="$DOCKER image prune -f || echo 'No docker image pruned'"
     if $interactive ; then askContinueYn "$cmd"; else echo -e "${cyan}$cmd${reset}";fi
     eval "$cmd"
@@ -256,25 +269,29 @@ if $clean; then
 fi
 
 if $build_local; then
-    cmd="rm -rf .venv || true"
+    cmd="deactivate || true"
+    if $interactive ; then askContinueYn "$cmd"; else echo -e "${cyan}$cmd${reset}";fi
+    eval "$cmd"
+
+    cmd="rm -rf .venv $UVENV || true"
     if $interactive ; then askContinueYn "$cmd"; else echo -e "${cyan}$cmd${reset}";fi
     eval "$cmd"
 
     cmd="$PIP install -U -r requirements-dev.txt"
     if $interactive ; then askContinueYn "$cmd"; else echo -e "${cyan}$cmd${reset}";fi
     eval "$cmd"
 
-    echo -e "\n\nChecking Protoc version..."
-    cmd="VERSION=$(curl -sL https://github.com/protocolbuffers/protobuf/releases/latest | grep -E '<title>' | perl -pe's%.*Protocol Buffers v(\d+\.\d+(\.\d+)?).*%\1%')"
-    if $interactive ; then askContinueYn "$cmd"; else echo -e "${cyan}$cmd${reset}";fi
-    eval "$cmd"
-    echo
+    if ! $ignore_version_check; then
+        echo -e "\n\nChecking Protoc version..."
+        cmd="VERSION=$(curl -sL https://github.com/protocolbuffers/protobuf/releases/latest | grep -E '<title>' | perl -pe's%.*Protocol Buffers v(\d+\.\d+(\.\d+)?).*%\1%')"
+        if $interactive ; then askContinueYn "$cmd"; else echo -e "${cyan}$cmd${reset}";fi
+        eval "$cmd"
+        echo
 
-    OLDVERSION=$(cat $BIN/$DEST/.VERSION.txt || echo "")
-    echo -e "\nProtoc remote version $VERSION\n"
-    echo -e "Protoc local version: $OLDVERSION\n"
+        OLDVERSION=$(cat $BIN/$DEST/.VERSION.txt || echo "")
+        echo -e "\nProtoc remote version $VERSION\n"
+        echo -e "Protoc local version: $OLDVERSION\n"
 
-    if ! $ignore_version_check; then
         if [ "$OLDVERSION" != "$VERSION" ]; then
             echo "Upgrade protoc from $OLDVERSION to $VERSION"
 
@@ -478,7 +495,7 @@ if $build_local; then
     # uv
 
     if $run_uv; then
-        cmd="rm -rf .venv || true"
+        cmd="rm -rf $UVENV || true"
         if $interactive ; then askContinueYn "$cmd"; else echo -e "${cyan}$cmd${reset}";fi
         eval "$cmd"
 
@@ -488,50 +505,73 @@ if $build_local; then
 
         $UV --version
 
-        # cmd="$UV venv --clear"
-        cmd="$UV venv --python $PYTHON_VERSION --clear"
+        cmd="rm uv.lock || echo 'No uv.lock to remove'"
+        if $interactive ; then askContinueYn "$cmd"; else echo -e "${cyan}$cmd${reset}";fi
+        eval "$cmd"
+
+        cmd="$UV venv $UVENV $VERBOSE --python $PYTHON_VERSION --clear"
         if $interactive ; then askContinueYn "$cmd"; else echo -e "${cyan}$cmd${reset}";fi
         eval "$cmd"
 
-        $UV run python --version
+        cmd="source $UVENV/bin/activate"
+        if $interactive ; then askContinueYn "$cmd"; else echo -e "${cyan}$cmd${reset}";fi
+        eval "$cmd"
+        
+        cmd="$UV pip install $VERBOSE -U -r requirements.txt --exclude excludes.txt"
+        if $interactive ; then askContinueYn "$cmd"; else echo -e "${cyan}$cmd${reset}";fi
+        eval "$cmd"
 
-        # cmd="$UV pip install -U -r requirements.txt"
-        # if $interactive ; then askContinueYn "$cmd"; else echo -e "${cyan}$cmd${reset}";fi
-        # eval "$cmd"
+        cmd="$UV pip install $VERBOSE -U -r requirements-dev.txt"
+        if $interactive ; then askContinueYn "$cmd"; else echo -e "${cyan}$cmd${reset}";fi
+        eval "$cmd"
 
-        cmd="$UV pip install -U -r requirements-dev.txt"
+        cmd="$UV pip install $VERBOSE -U -e . --exclude excludes.txt"
         if $interactive ; then askContinueYn "$cmd"; else echo -e "${cyan}$cmd${reset}";fi
         eval "$cmd"
 
-        # pip -e install
+        cmd="$UV lock --refresh $VERBOSE"
+        if $interactive ; then askContinueYn "$cmd"; else echo -e "${cyan}$cmd${reset}";fi
+        eval "$cmd"
 
-        cmd="$UV run pip install -U -e ."
+        cmd="$UV sync --active $VERBOSE"
         if $interactive ; then askContinueYn "$cmd"; else echo -e "${cyan}$cmd${reset}";fi
         eval "$cmd"
 
-        cmd="$UV run pytest tests/"
+        cmd="$UV pip uninstall $VERBOSE opencv-python"
         if $interactive ; then askContinueYn "$cmd"; else echo -e "${cyan}$cmd${reset}";fi
         eval "$cmd"
 
-        cmd="$UV run extract_otp_secrets example_export.txt"
+        cmd="$UV run --active python --version"
         if $interactive ; then askContinueYn "$cmd"; else echo -e "${cyan}$cmd${reset}";fi
         eval "$cmd"
 
-        cmd="$UV run extract_otp_secrets - < example_export.txt"
+        cmd="$UV run  $VERBOSE --active pytest tests/"
+        if $interactive ; then askContinueYn "$cmd"; else echo -e "${cyan}$cmd${reset}";fi
+        eval "$cmd"
+
+        cmd="$UV run  $VERBOSE --active extract_otp_secrets example_export.txt"
+        if $interactive ; then askContinueYn "$cmd"; else echo -e "${cyan}$cmd${reset}";fi
+        eval "$cmd"
+
+        cmd="$UV run $VERBOSE --active extract_otp_secrets - < example_export.txt"
         if $interactive ; then askContinueYn "$cmd"; else echo -e "${cyan}$cmd${reset}";fi
         eval "$cmd"
 
         # Test (needs module)
 
-        cmd="$UV run python src/extract_otp_secrets.py example_export.txt"
+        cmd="$UV run --active python src/extract_otp_secrets.py example_export.txt"
+        if $interactive ; then askContinueYn "$cmd"; else echo -e "${cyan}$cmd${reset}";fi
+        eval "$cmd"
+
+        cmd="$UV run --active python src/extract_otp_secrets.py example_export.txt"
         if $interactive ; then askContinueYn "$cmd"; else echo -e "${cyan}$cmd${reset}";fi
         eval "$cmd"
 
-        cmd="$UV run python src/extract_otp_secrets.py example_export.txt"
+        cmd="$UV run --active python src/extract_otp_secrets.py - < example_export.txt"
         if $interactive ; then askContinueYn "$cmd"; else echo -e "${cyan}$cmd${reset}";fi
         eval "$cmd"
 
-        cmd="$UV run python src/extract_otp_secrets.py - < example_export.txt"
+        cmd="deactivate"
         if $interactive ; then askContinueYn "$cmd"; else echo -e "${cyan}$cmd${reset}";fi
         eval "$cmd"
     fi

build.sh

@@ -0,0 +1 @@
+opencv-python

excludes.txt

@@ -40,12 +40,12 @@ classifiers = [
 ]
 dependencies = [
   "colorama>=0.4.6",
-  "opencv-contrib-python",
+  "opencv-contrib-python>=4.13.0",
   "numpy>=2.0,<2.1 ; python_version >= '3.9' and python_version < '3.10'",
   "numpy>=2.2,<2.3 ; python_version >= '3.10' and python_version < '3.11'",
-  "numpy>=2.4,<3.0 ; python_version >= '3.11'",
+  "numpy>=2.4.1,<3.0 ; python_version >= '3.11'",
   "Pillow",
-  "protobuf",
+  "protobuf>=6.33.5",
   "pyzbar",
   "qrcode",
   "qreader<2.0.0",
@@ -73,5 +73,7 @@ enabled = true
 
 # https://blog.ionelmc.ro/2014/05/25/python-packaging/#the-structure%3E
 # https://docs.pytest.org/en/7.1.x/explanation/goodpractices.html#which-import-mode
+
 [tool.pytest.ini_options]
 addopts = [ "--import-mode=importlib", ]
+testpaths = [ "tests", ]

pyproject.toml

@@ -1,10 +1,10 @@
 colorama>=0.4.6
-opencv-contrib-python>=4.11.0
+opencv-contrib-python>=4.13.0
 numpy>=2.0,<2.1 ; python_version >= "3.9" and python_version < "3.10"
 numpy>=2.2,<2.3 ; python_version >= "3.10" and python_version < "3.11"
-numpy>=2.4,<3.0 ; python_version >= "3.11"
+numpy>=2.4.1,<3.0 ; python_version >= "3.11"
 Pillow
-protobuf
+protobuf>=6.33.5
 pyzbar
 qrcode
 qreader<2.0.0