Skip to content

Fix/sumo 281751 vulnerability fix #99

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
piyushgupta-sumo wants to merge 15 commits into
base: main
Choose a base branch
from
Open

Fix/sumo 281751 vulnerability fix #99

Show file tree
Hide file tree
Changes from 14 commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
26d6cb7
SUMO-281751: python version updated to 3.14
Apr 29, 2026
a8ad271
SUMO-281751: fix for Certifi removes GLOBALTRUST root certificate
Apr 29, 2026
9d9ac0d
SUMO-281751: fix for setuptools vulnerable to Command Injection via p…
Apr 29, 2026
f5273c5
SUMO-281751: fix for urllib3 allows an unbounded number of links in t…
Apr 29, 2026
44829ab
SUMO-281751: fix for Decompression-bomb safeguards bypassed when foll…
Apr 29, 2026
f605236
SUMO-281751: fix for Black: Arbitrary file writes from unsanitized us…
Apr 29, 2026
ee07aeb
SUMO-281751: fix for virtualenv allows command injection through acti…
Apr 29, 2026
750eef3
SUMO-281751: fix for setuptools has a path traversal vulnerability in…
Apr 29, 2026
91c7659
SUMO-281751: fix for zipp Denial of Service vulnerability
Apr 29, 2026
23ec77b
SUMO-281751: fix for filelock has a TOCTOU race condition which allow…
Apr 30, 2026
3937cd2
SUMO-281751: fix for filelock has a TOCTOU race condition which allow…
Apr 30, 2026
eb3970a
SUMO-281751: bump virtualenv to >=21.3.0, add pygments, regenerate lock
Apr 30, 2026
8a288fd
SUMO-281751: change log updated for vulnerabilities
Apr 30, 2026
2e47cf4
SUMO-281751: change log updated for vulnerabilities
Apr 30, 2026
3881843
SUMO-281751: resolved copilot commits
Apr 30, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,10 +13,10 @@ jobs:
steps:
- uses: actions/checkout@v4

- name: Set up Python 3.12
- name: Set up Python 3.14
uses: actions/setup-python@v5
with:
python-version: 3.12
python-version: "3.14"

- name: Install pipenv
run: pip install pipenv
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/runtest.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,10 +9,10 @@ jobs:
steps:
- uses: actions/checkout@v4

- name: Set up Python 3.12
- name: Set up Python 3.14
uses: actions/setup-python@v5
with:
python-version: 3.12
python-version: "3.14"

- name: Install pipenv and mypy
run: pip install pipenv mypy
Expand Down
5 changes: 3 additions & 2 deletions .pre-commit-config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,10 +8,11 @@ repos:
entry: bandit
language: python
types: [python]
- repo: https://github.com/ambv/black
rev: 19.3b0
- repo: https://github.com/psf/black
rev: 26.3.1
hooks:
- id: black
args: [--no-cache]
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v2.2.1
hooks:
Expand Down
15 changes: 15 additions & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,21 @@
# CHANGELOG for sumologic-python-sdk
This project adheres to [Semantic Versioning](http://semver.org/). The CHANGELOG follows the format listed at [Keep A Changelog](http://keepachangelog.com/)

## [Unreleased]
### Security
- Upgraded `certifi` to `>=2026.4.22` to remove the revoked GLOBALTRUST root certificate
- Upgraded `setuptools` to `>=78.1.1` to fix Command Injection via package URL (CVE-2024-6345) and path traversal in `PackageIndex.download` leading to Arbitrary File Write
- Upgraded `urllib3` to `>=2.6.3` to fix unbounded decompression chain vulnerability
- Upgraded `requests` to `>=2.33.1` to fix decompression-bomb safeguards being bypassed when following HTTP redirects
- Upgraded `virtualenv` to `>=21.3.0` to fix command injection through activation scripts
- Upgraded `filelock` to `>=3.29.0` to fix TOCTOU race condition allowing symlink attacks during lock file creation
- Upgraded `zipp` to `>=3.19.1` to fix Denial of Service vulnerability
- Upgraded `pygments` to `>=2.20.0` to fix ReDoS vulnerability
- Updated `black` in pre-commit hooks to fix arbitrary file writes from unsanitized user input in cache file name

### Changed
- Added Python 3.14 support
Copy link

Copilot AI Apr 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the dependency upgrades in this PR effectively drop support for older Python versions (e.g., 3.8/3.9) or require Python 3.14 for development/CI, this should be called out as a breaking change in the changelog (not just as "Added Python 3.14 support"). Otherwise, consider adjusting the dependency/version changes so they remain compatible with the previously supported Python range.

Suggested change
### Changed
- Added Python 3.14 support
### Breaking Changes
- Dependency upgrades in this release add Python 3.14 support but may drop support for older Python versions that were previously supported. Treat the Python version support change as a breaking change when upgrading.

Copilot uses AI. Check for mistakes.

## [0.1.16]
### Fixed
- Fixed Retry logic and bug related to headers to make it compatible with newer python versions
Expand Down
16 changes: 14 additions & 2 deletions Pipfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,22 +4,34 @@ url = "https://pypi.org/simple"
verify_ssl = true

[dev-packages]
virtualenv = ">=21.3.0"
setuptools = ">=78.1.1"
filelock = ">=3.29.0"
zipp = ">=3.19.1"
bandit = "*" # https://github.com/PyCQA/bandit
better_exceptions = "*"
black = "*"
pipenv = {path = ".", editable = true, extras = ["test"]}
flake8 = "*"
pre-commit = "*" # https://ljvmiranda921.github.io/notebook/2018/06/21/precommits-using-black-and-flake8/
pytest = "*"
pytest = ">=9.0.3"
requests = "*"
twine = "*"
build = "*"

[packages]
virtualenv = ">=21.3.0"
setuptools = ">=78.1.1"
filelock = ">=3.29.0"
requests = "*"
pyupgrade = "*"
bandit = "*"
flake8 = "*"
certifi = "*"
pygments = ">=2.20.0"
Copy link

Copilot AI Apr 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pipfile [packages] now includes primarily development tooling (e.g., bandit, flake8, pyupgrade) and duplicates items already in [dev-packages]. This causes pipenv install (without --dev) to pull in dev-only dependencies and also drives Pipfile.lock "default" to include them; keep these in [dev-packages] only unless the library actually needs them at runtime.

Copilot uses AI. Check for mistakes.

[requires]
python_version = "3.12"
python_version = "3.14"

[pipenv]
allow_prereleases = true
1,332 changes: 866 additions & 466 deletions Pipfile.lock
View file
Open in desktop

Large diffs are not rendered by default.

4 changes: 3 additions & 1 deletion pyproject.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,8 @@ classifiers = [
"Programming Language :: Python :: 3.10",
"Programming Language :: Python :: 3.11",
"Programming Language :: Python :: 3.12",
"Programming Language :: Python :: 3.13",
"Programming Language :: Python :: 3.14",
Comment thread
piyushgupta-sumo marked this conversation as resolved.
"Operating System :: OS Independent",
]
authors = [
Expand All @@ -29,5 +31,5 @@ Issues = "https://github.com/SumoLogic/sumologic-python-sdk/issues"
Changelog = "https://github.com/SumoLogic/sumologic-python-sdk/blob/master/CHANGELOG.md"

[build-system]
requires = ["setuptools>=61.0"]
requires = ["setuptools>=78.1.1"]
build-backend = "setuptools.build_meta"
8 changes: 7 additions & 1 deletion requirements.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1 +1,7 @@
requests>=2.32.0
requests>=2.33.1
certifi>=2026.4.22
urllib3>=2.6.3
pytest>=9.0.3
filelock>=3.29.0
virtualenv>=21.3.0
pygments>=2.20.0
22 changes: 12 additions & 10 deletions sumologic/sumologic.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,6 @@
import json
from builtins import *
Copy link

Copilot AI Apr 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

from builtins import * is a wildcard import that needlessly pollutes the module namespace and can make it harder to reason about what identifiers are local vs built-in. Since this SDK targets Python 3 (per project metadata), this import should be removed (or replaced with an explicit import if a specific symbol is needed).

Suggested change
from builtins import *

Copilot uses AI. Check for mistakes.

import requests
import os
import sys
Expand Down Expand Up @@ -274,7 +276,7 @@ def sync_folder(self, folder_id, content):
return self.post('/content/folders/%s/synchronize' % folder_id, params=content, version='v2')

def check_sync_folder(self, folder_id, job_id):
return self.get('/content/folders/%s/synchronize/%s/status' % (folder_id, job_id), version='v2')
return self.get('/content/folders/{}/synchronize/{}/status'.format(folder_id, job_id), version='v2')
Comment thread
piyushgupta-sumo marked this conversation as resolved.

def delete_folder(self, folder_id, isAdmin=False):
headers = {'isAdminMode': 'true'} if isAdmin else {}
Expand Down Expand Up @@ -319,11 +321,11 @@ def get_global_folder(self):

def import_content(self, folder_id, content, is_overwrite="false", isAdmin=False):
headers = {'isAdminMode': 'true'} if isAdmin else {}
return self.post('/content/folders/%s/import?overwrite=%s' % (folder_id, is_overwrite), headers=headers, params=content,
return self.post('/content/folders/{}/import?overwrite={}'.format(folder_id, is_overwrite), headers=headers, params=content,
version='v2')

def check_import_status(self, folder_id, job_id):
return self.get('/content/folders/%s/import/%s/status' % (folder_id, job_id), version='v2')
return self.get('/content/folders/{}/import/{}/status'.format(folder_id, job_id), version='v2')

def get_folder(self, folder_id, isAdmin=False):
headers = {'isAdminMode': 'true'} if isAdmin else {}
Expand All @@ -335,22 +337,22 @@ def update_folder(self, folder_id, isAdmin=False):

def copy_folder(self, folder_id, destination_folder_id, isAdmin=False):
headers = {'isAdminMode': 'true'} if isAdmin else {}
return self.post('/content/%s/copy?destinationFolder=%s' % (folder_id, destination_folder_id), headers=headers, params={}, version='v2')
return self.post('/content/{}/copy?destinationFolder={}'.format(folder_id, destination_folder_id), headers=headers, params={}, version='v2')

def export_content(self, content_id):
return self.post('/content/%s/export' % content_id, params="", version='v2')

def check_export_status(self, content_id, job_id):
return self.get('/content/%s/export/%s/status' % (content_id, job_id), version='v2')
return self.get('/content/{}/export/{}/status'.format(content_id, job_id), version='v2')

def get_export_content_result(self, content_id, job_id):
return self.get('/content/%s/export/%s/result' % (content_id, job_id), version='v2')
return self.get('/content/{}/export/{}/result'.format(content_id, job_id), version='v2')

def delete_content(self, content_id):
return self.delete('/content/%s/delete' % content_id, version='v2')

def check_delete_status(self, content_id, job_id):
return self.get('/content/%s/delete/%s/status' % (content_id, job_id), version='v2')
return self.get('/content/{}/delete/{}/status'.format(content_id, job_id), version='v2')

def get_content(self, path):
return self.get('/content/path?path=%s' % path, version='v2')
Expand All @@ -359,14 +361,14 @@ def get_content_path(self, content_id):
return self.get('/content/%s/path' % content_id, version='v2')

def copy_content(self, content_id, destination_folder):
return self.post('/content/%s/copy?destinationFolder=%s' % (content_id, destination_folder), params=None,
return self.post('/content/{}/copy?destinationFolder={}'.format(content_id, destination_folder), params=None,
version='v2')

def check_copy_status(self, content_id, job_id):
return self.get('/content/%s/copy/%s/status' % (content_id, job_id), version='v2')
return self.get('/content/{}/copy/{}/status'.format(content_id, job_id), version='v2')

def move_content(self, content_id, destination_folder):
return self.post('/content/%s/move?destinationFolderId=%s' % (content_id, destination_folder), params=None,
return self.post('/content/{}/move?destinationFolderId={}'.format(content_id, destination_folder), params=None,
version='v2')

def get_content_item_by_path(self, path):
Expand Down
Loading