[CVE-2018-18074] Upgrade requests to 2.20.0 (#204)

mweiden · web-flow · commit b995a725e6fc · 2018-11-13T10:22:33.000-08:00
* Upgrade requests to 2.20.0 CVE-2018-18074 More information moderate severity Vulnerable versions: <= 2.19.1 Patched version: 2.20.0 The Requests package through 2.19.1 before 2018-09-14 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network. * Bump hca version to 4.4.9 * Pin version of flake8 * Pin moto version to 1.3.3 * Make stub param optional For some versions of python a stub is passed into the test. In others, it is not passed in. Since the parameter is not used, this commit makes it optional. * Revisions from Marcus' feedback
diff --git a/requirements-dev.txt b/requirements-dev.txt
@@ -1,5 +1,5 @@
-flake8
-moto
+flake8==3.5.0
+moto==1.3.3
 coverage
 pyyaml
 responses
diff --git a/requirements.txt b/requirements.txt
@@ -6,7 +6,7 @@ google-auth-oauthlib >= 0.1, < 2
 Jinja2 >= 2.9, < 3
 jsonpointer >= 1.10, < 2
 jsonschema >= 2.6, < 3
-requests >= 2.17, < 3
+requests >= 2.20.0, < 3
 six >= 1.10, < 2
 tweak >= 0.6.7, < 1
 dcplib >= 1.3.2, < 2
diff --git a/setup.py b/setup.py
@@ -7,7 +7,7 @@
 
 setup(
     name="hca",
-    version="4.4.8",
+    version="4.4.9",
     url='https://github.com/HumanCellAtlas/dcp-cli',
     license='Apache Software License',
     author='Human Cell Atlas contributors',
diff --git a/test/integration/upload/cli/test_upload.py b/test/integration/upload/cli/test_upload.py
@@ -59,11 +59,11 @@ def test_upload_with_dcp_type_option(self):
             self.assertEqual(obj.get()['Body'].read(), expected_contents)
 
     @responses.activate
-    @patch('hca.upload.s3_agent.S3Agent.upload_file')   # Don't actually try to upload
-    def test_no_transfer_acceleration_option_sets_up_botocore_config_correctly(self, upload_file_stub):
+    def test_no_transfer_acceleration_option_sets_up_botocore_config_correctly(self):
         import botocore
 
-        with patch('hca.upload.s3_agent.Config', new=Mock(wraps=botocore.config.Config)) as mock_config:
+        with patch('hca.upload.s3_agent.S3Agent.upload_file'), \
+            patch('hca.upload.s3_agent.Config', new=Mock(wraps=botocore.config.Config)) as mock_config:
 
             args = Namespace(upload_paths=['LICENSE'], target_filename=None, quiet=True, file_extension=None)
             args.no_transfer_acceleration = False
