Closed
Description
Reportlab has an open CVE. It's a case where an intentional feature could be used to basically put a "web bug" into a pdf -- we avoid this with validation since embedding external resources isn't really a thing cve-bin-tool users are likely to want to do. (And I'm always open to suggestions on improving said validation!)
But since PDF reports are probably not a go-to feature for all users, I'd like to make it easier for people to install reportlab only if they actually want it, especially since not everyone has time to read through the CVE and consider the impacts. Right now, our requirements.txt lists it so it's installed by default.
Things I think we'd need to do to make this work:
- Put checks around where the reportlab import statements are, and print a useful warning before they fail
- e.g. "if you want to use pdf import you will need to install reportlab using `pip install reportlab`"
- Put checks into the test suite so pdf tests fail gracefully if reportlab is not installed
- e.g. We want them to fail with a message like "reportlab not installed, test cannot be run" instead of a stack trace
- Update documentation to explain how to enable pdf export / mention the known CVE and explain the concerns.
- Remove reportlab from requirements.txt
- Add tests of the reportlab-not-installed functionality
- Now is also a great time to revisit our existing validation and make sure the recommended settings are enabled everywhere that we use reportlab.
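As an added example of the pattern sketched in the list above (not cve-bin-tool's own code, and not how the project ultimately implemented it): a lazy import guarded by a check that fails with an actionable install message instead of a bare `ImportError`, plus a test-suite skip that reports "reportlab not installed, test cannot be run" instead of a stack trace. The function names, the exception type, and the hint text are assumptions made for illustration; the `module_name` parameter exists only so the missing-dependency path can be exercised deterministically against a package name that is certain not to be installed.

```python
"""Optional-dependency guard for a PDF exporter.

Added example; not cve-bin-tool's code. Function, exception, and message
names are illustrative assumptions.
"""
import importlib
import importlib.util
import unittest
import warnings


def install_hint(module_name: str = "reportlab") -> str:
    """Message shown whenever the optional PDF backend is missing."""
    return (
        f"PDF export requires the optional '{module_name}' package. "
        f"Install it with:\n    pip install {module_name}\n"
        "Read the project docs on its known CVE before enabling PDF export."
    )


class MissingOptionalDependency(RuntimeError):
    """Raised instead of a bare ImportError so callers get the install hint."""


def dependency_available(module_name: str = "reportlab") -> bool:
    """True if module_name can be imported. find_spec does not import it."""
    return importlib.util.find_spec(module_name) is not None


def load_pdf_backend(module_name: str = "reportlab"):
    """Import the backend lazily, at the point of use rather than at startup."""
    try:
        return importlib.import_module(module_name)
    except ImportError as exc:
        raise MissingOptionalDependency(install_hint(module_name)) from exc


def output_pdf(rows, module_name: str = "reportlab"):
    """Stand-in for the real PDF writer.

    Returns the loaded backend module on success, or None after emitting a
    warning with the install hint when the backend is not installed.
    """
    if not dependency_available(module_name):
        warnings.warn(install_hint(module_name), stacklevel=2)
        return None
    backend = load_pdf_backend(module_name)
    # The real writer would build the document from `rows` here.
    return backend


def skip_unless_available(module_name: str = "reportlab"):
    """Decorator for PDF tests: skip with a readable reason, not a traceback."""
    return unittest.skipUnless(
        dependency_available(module_name),
        f"{module_name} not installed, test cannot be run",
    )


class TestPdfExport(unittest.TestCase):
    @skip_unless_available("reportlab")
    def test_pdf_export_runs_when_installed(self):
        self.assertIsNotNone(output_pdf([]))

    def test_missing_backend_warns_and_returns_none(self):
        # Constructed package name that is certain not to exist.
        with warnings.catch_warnings(record=True) as caught:
            warnings.simplefilter("always")
            result = output_pdf([], module_name="definitely_not_installed_pkg")
        self.assertIsNone(result)
        self.assertTrue(any("pip install" in str(w.message) for w in caught))


if __name__ == "__main__":
    unittest.main()
```

If the test suite runs under pytest, `pytest.importorskip("reportlab")` at the top of the PDF test module achieves the same skip in one line. Checking `find_spec` rather than wrapping `import reportlab` in a try/except at module level keeps the import lazy, so the warning only appears when someone actually asks for a PDF report.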