
[Security] Address vulnerabilities: upgrade cryptography from 42.0.2 to 42.0.4 and specify JWT algorithms to decode. #342

Merged

Conversation

gmarciani (Collaborator)

Changes

  1. Upgrade cryptography from 42.0.2 to 42.0.4 to address vulnerability https://github.com/aws/aws-parallelcluster-ui/security/dependabot/30
  2. Specify JWT algorithms to decode tokens to address vulnerability https://github.com/aws/aws-parallelcluster-ui/security/dependabot/33. We specify the accepted algorithms to be [RS256] as suggested by Amazon Cognito.

How Has This Been Tested?

  1. Deployed in personal environment
  2. Verified that login/logout works
  3. Verified that PCUI is able to list clusters in a region

PR Quality Checklist

  • I added tests to new or existing code
  • I removed hardcoded strings and used react-i18next library (useTranslation hook and/or Trans component), see an example here
  • I made sure no sensitive info gets logged at any time in the codebase (see here) (e.g. no user info or details, no stacktraces, etc.)
  • I made sure that any GitHub issue solved by this PR is correctly linked
  • I checked that infrastructure/update_infrastructure.sh runs without any error
  • I checked that npm run build builds without any error
  • I checked that clusters are listed correctly
  • I checked that a new cluster can be created (config is produced and dry run passes)
  • I checked that login and logout work as expected

In order to increase the likelihood of your contribution being accepted, please make sure you have read both the Contributing Guidelines and the Project Guidelines

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
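The second change in this PR is the one worth looking at in code: decoding a JWT without telling the decoder which algorithms are acceptable lets the token's own header choose the verification path. The block below is an added illustration, not code from aws-parallelcluster-ui and not the library call the project actually uses; it implements a minimal decoder whose first step is the caller's allowlist, which is what passing `algorithms=["RS256"]` (the PR's setting, as recommended for Cognito tokens) achieves in a real JWT library. HS256 is the only verifier implemented because it needs nothing beyond the standard library; the key, payloads and token strings are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json


class InvalidToken(Exception):
    """Raised when a token fails any structural, algorithm or signature check."""


def b64url_decode(data: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def split_token(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("token must have exactly three segments")
    return parts


def peek_header(token: str) -> dict:
    """Parse the header only; nothing in it is trusted until the allowlist check."""
    header_b64, _, _ = split_token(token)
    try:
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise InvalidToken("header is not valid JSON") from exc
    if not isinstance(header, dict):
        raise InvalidToken("header must be a JSON object")
    return header


def verify_hs256(signing_input: bytes, signature: bytes, key: bytes) -> bool:
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


# Verifiers the decoder knows about. In a real deployment an RS256 verifier
# backed by the identity provider's public keys would sit in the same table
# (constructed example; the project's own verifier is not shown here).
VERIFIERS = {"HS256": verify_hs256}


def decode(token: str, key: bytes, allowed_algorithms: list) -> dict:
    """Verify and decode a JWT, accepting only algorithms the caller lists.

    The allowlist is consulted before the header's `alg` is used to pick a
    verifier, so a token cannot steer the decoder to `none` or to an algorithm
    other than the one the caller expects.
    """
    if not allowed_algorithms:
        raise InvalidToken("caller must name at least one accepted algorithm")
    header_b64, payload_b64, signature_b64 = split_token(token)
    alg = peek_header(token).get("alg")
    if alg not in allowed_algorithms:
        raise InvalidToken(f"algorithm {alg!r} is not in the accepted list {allowed_algorithms}")
    verifier = VERIFIERS.get(alg)
    if verifier is None:
        raise InvalidToken(f"no verifier available for {alg!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    if not verifier(signing_input, b64url_decode(signature_b64), key):
        raise InvalidToken("signature verification failed")
    return json.loads(b64url_decode(payload_b64))


def accepted(token: str, key: bytes, allowed_algorithms: list):
    """Convenience wrapper: the decoded payload, or None if the token is rejected."""
    try:
        return decode(token, key, allowed_algorithms)
    except InvalidToken:
        return None


def encode_hs256(payload: dict, key: bytes) -> str:
    """Mint an HS256 token for the demo (constructed key and payload)."""
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = b64url_encode(json.dumps(payload).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


def unsigned_token(payload: dict) -> str:
    """Token whose header claims alg=none and carries an empty signature;
    a standard negative test vector for any decoder."""
    header_b64 = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload_b64 = b64url_encode(json.dumps(payload).encode())
    return f"{header_b64}.{payload_b64}."


if __name__ == "__main__":
    key = b"constructed-demo-key"
    good = encode_hs256({"sub": "user"}, key)
    print(accepted(good, key, ["HS256"]))            # payload is returned
    print(accepted(good, key, ["RS256"]))            # None: HS256 not in allowlist
    print(accepted(unsigned_token({"sub": "user"}), key, ["HS256"]))  # None
```

The point of the ordering inside `decode` is that the allowlist is the caller's policy and is checked first; the header's `alg` is then only used to look up a verifier the caller already agreed to. With `["RS256"]` configured, as in this PR, an HS256-signed or unsigned token is rejected before any key material is touched.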

@gmarciani gmarciani added dependencies Pull requests that update a dependency file release:improvement Security labels Jul 22, 2024
@gmarciani gmarciani merged commit 67599f8 into aws:main Jul 22, 2024
2 checks passed
@gmarciani gmarciani deleted the wip/mgiacomo/2024080/fix-crypto-vulns-0722-1 branch July 22, 2024 15:38