Corsair_scan is a security tool to test Cross-Origin Resource Sharing (CORS).

Overview

GitHub release Github all releases HitCount Total alerts Language grade: Python MIT license

corsair_scan

Welcome to Corsair_scan

Corsair_scan is a security tool to test Cross-Origin Resource Sharing (CORS) misconfigurations. CORS is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served. If this is not properly configured, unauthorised domains can access to those resources.

What is CORS?

CORS is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. It works by adding new HTTP headers that let servers describe which origins are permitted to read that information from a web browser.

CORS also relies on a mechanism by which browsers make a “preflight” request to the server hosting the cross-origin resource, in order to check that the server will permit the actual request. In that preflight, the browser sends headers that indicate the HTTP method and headers that will be used in the actual request.

The most common and problematic security issue when implementing CORS is the failure to validate/whitelist requestors. Too often, we see the value for Access-Control-Allow-Origin set to ‘*’.

Unfortunately, this is the default and as such allows any domain on the web to access that site’s resources.

As per the OWASP Application Security Verification Standard (ASVS), requirement 14.5.3 states

Verify that the Cross-Origin Resource Sharing (CORS) Access-Control-Allow-Origin header uses a strict allow list of trusted domains and subdomains to match against and does not support the "null" origin.

How Does corsair_scan work?

Corsair_scan works by resending a request (or list of requests) received as a parameter and then injecting a value in the Origin header. Depending on the content of the Access-Control-Allow-Origin header in the response to this request, we can assert if CORS configuration is correct or not. There are three scenarios that indicate that CORS is misconfigured:

  • The fake origin sent in the request is reflected in Access-Control-Allow-Origin
  • The value of Access-Control-Allow-Origin is *
  • The value of Access-Control-Allow-Origin is null

If CORS is found to be misconfigured, we check to see if the response contains the header Access-Control-Allow-Credentials, which means that the server allows credentials to be included on cross-origin requests.

Often, CORS configurations make use of wildcards, for example accepting anything under * example.com *. This means that the origin domain.com.evil.com will be accepted as it matches the given regex. To try and combat this, corsair_scan tests four scenarios:

  • Fake domain injection: We set the origin header to https://scarymonster.com, even if the original request doesn't have an origin header
  • If the original request has an origin header (for clarity, lets assume it is https://example.com):
    • Pre-domain injection: We concatenate our fake domain to the original domain on the left. In our example, the origin will be set to https://scarymonsterexample.com
    • Post-domain injection: The opposite of pre-domain, just concatenation on the right. The origin will be https://example.com.scarymonster.com
    • Sub-domain injection: Sometimes the CORS configuration whitelists all the subdomains under a given domain. Although it is not a problem per-se, if one of the domains is vulnerable to XSS, then, it can be a serious problem. The origin in this scenario will be https://scarymonster.example.com

How Do I Install It?

This project was developed with Python 3.9, but should work with any Python 3.x version.

corsair_scan has been designed to be used as a Python module , so the easiest way to install it is using pip.

pip3 install corsair_scan --user

How Do I Use It?

At the moment, corsair_scan is intended to be used as a Python package. However, we plan to release this as a command line tool (CLI) in future releases.

The method that performs the CORS scan is corsair_scan. Here is its definition:

corsair_scan

Receives a list of requests and a parameter to enable/disable certificate check in the request

Input:

  • data [List]: A list of requests. Each request is a dictionary that contains the relevant data for the request:

    • url_data [Dict]: This is a dictionary that contains all the relevant data for the request:
      • url [String]: This is the url where the request is sent
      • verb [String]: The verb for the request (get, post, patch, delete, options...)
      • params [String]: The body sent in the request (if any)
      • headers [Dict]: This is a dict with all the headers included in the request
  • verify [Boolean] [Default: True] : Sends this value to corsair_scan_single_url for each request

Output:

  • final_report [List]: Contains the full report for the test performed. If filter is set to true, it also adds a summary of the test to the report.
    • report [List]: List of detailed individual reports with the test performed
    • summary [Dict] : Summary of the issues detected in the scan

Example

import corsair_scan
url_data = {}
data = []
verb =  'GET'
url = 'https://example.com/'
params = 'user=user1&password=1234'
headers = {'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
           'Accept-Language': 'en-GB,en;q=0.5', 'Connection': 'keep-alive', 'Upgrade-Insecure-Requests': '1',
           'Origin': 'https://example.com',
           'Host': 'example.com'}

url_data['verb'] = verb
url_data['url'] = url
url_data['params'] = params
url_data['headers'] = headers
data.append(url_data)

print (corsair_scan.corsair_scan(data, verify=True))

Response:

{'report': [{'fake_origin': {'Access-Control-Allow-Origin': 'https://scarymonster.com',
                             'Origin': 'https://scarymonster.com',
                             'credentials': True,
                             'error': False,
                             'misconfigured': True,
                             'status_code': 200},
             'post-domain': {'Access-Control-Allow-Origin': 'https://example.com.scarymonster.com',
                             'Origin': 'https://example.com.scarymonster.com',
                             'credentials': True,
                             'error': False,
                             'misconfigured': True,
                             'status_code': 200},
             'pre-domain': {'Access-Control-Allow-Origin': 'https://scarymonsterexample.com',
                            'Origin': ' https://scarymonsterexample.com',
                            'credentials': True,
                            'error': False,
                            'misconfigured': True,
                            'status_code': 200},
             'sub-domain': {'Access-Control-Allow-Origin': 'https://scarymonster.example.com',
                            'Origin': 'https://scarymonster.example.com',
                            'credentials': True,
                            'error': False,
                            'misconfigured': True,
                            'status_code': 200},
             'url': 'https://example.com/',
             'verb': 'GET'}],
 'summary': {'error': [], 'misconfigured': [{'credentials': True,
                    'misconfigured_test': ['fake_origin',
                                           'sub-domain',
                                           'pre-domain',
                                           'post-domain'],
                    'status_code': 200,
                    'url': 'https://domain.com',
                    'verb': 'GET'}]}}

Roadmap

  • Release corsair_scan as a CLI tool
  • Read url data from a text file
  • Improve reports format

Who Is Behind It?

Corsair_scan was developed by the Santander UK Security Engineering team who are:

Comments
  • Add option to scan even if no origin header was present.

    Add option to scan even if no origin header was present.

    • Corsair_scan version: 0.2.0
    • Python version: 3.7
    • Operating System: Pop!_OS

    Description

    Some CORS setups may only respond with CORS headers if the request's Origin header was accepted/allow-listed. However, the current functionality only continues to scan if the server responded with a CORS header for the origin https://scarymonster.com.

    https://github.com/Santandersecurityresearch/corsair_scan/blob/35428a754d4c48baf4660402d90896b2bc20c49f/corsair_scan/corsair_scan.py#L44

    It'd be great if the tool tried each of the CORS tests without this check, as this could miss some valid results.

    opened by CoreyD97 9
  • AttributeError: module 'corsair_scan' has no attribute 'corsair_scan'

    AttributeError: module 'corsair_scan' has no attribute 'corsair_scan'

    • Corsair_scan version: latest
    • Python version: Python 3.8.5
    • Operating System: Debian 10

    Description

    Trying to run the provided example, I receive the following error:

    Traceback (most recent call last):
      File "/usr/local/bin/corsair", line 18, in <module>
        print (corsair_scan.corsair_scan(data, verify=True))
    AttributeError: module 'corsair_scan' has no attribute 'corsair_scan'
    

    Is there something I'm missing? Really curious to try your tool. Thanks.

    What I Did

    Ran the provided example.

    bug documentation 
    opened by MauroEldritch 5
  • Bump pytest from 6.2.4 to 7.1.3

    Bump pytest from 6.2.4 to 7.1.3

    Bumps pytest from 6.2.4 to 7.1.3.

    Release notes

    Sourced from pytest's releases.

    7.1.3

    pytest 7.1.3 (2022-08-31)

    Bug Fixes

    • #10060: When running with --pdb, TestCase.tearDown is no longer called for tests when the class has been skipped via unittest.skip or pytest.mark.skip.
    • #10190: Invalid XML characters in setup or teardown error messages are now properly escaped for JUnit XML reports.
    • #10230: Ignore .py files created by pyproject.toml-based editable builds introduced in pip 21.3.
    • #3396: Doctests now respect the --import-mode flag.
    • #9514: Type-annotate FixtureRequest.param as Any as a stop gap measure until 8073{.interpreted-text role="issue"} is fixed.
    • #9791: Fixed a path handling code in rewrite.py that seems to work fine, but was incorrect and fails in some systems.
    • #9917: Fixed string representation for pytest.approx{.interpreted-text role="func"} when used to compare tuples.

    Improved Documentation

    • #9937: Explicit note that tmpdir{.interpreted-text role="fixture"} fixture is discouraged in favour of tmp_path{.interpreted-text role="fixture"}.

    Trivial/Internal Changes

    7.1.2

    pytest 7.1.2 (2022-04-23)

    Bug Fixes

    • #9726: An unnecessary numpy import inside pytest.approx{.interpreted-text role="func"} was removed.
    • #9820: Fix comparison of dataclasses with InitVar.
    • #9869: Increase stacklevel for the NODE_CTOR_FSPATH_ARG deprecation to point to the user's code, not pytest.
    • #9871: Fix a bizarre (and fortunately rare) bug where the [temp_path]{.title-ref} fixture could raise an internal error while attempting to get the current user's username.

    7.1.1

    pytest 7.1.1 (2022-03-17)

    Bug Fixes

    • #9767: Fixed a regression in pytest 7.1.0 where some conftest.py files outside of the source tree (e.g. in the [site-packages]{.title-ref} directory) were not picked up.

    7.1.0

    pytest 7.1.0 (2022-03-13)

    ... (truncated)

    Commits
    • 4645bcd Remove incorrect output in how-to/fixtures.rst
    • fadfb4f Prepare release version 7.1.3
    • ab96ea8 Merge pull request #10258 from pytest-dev/backport-10252-to-7.1.x
    • fc0e024 [7.1.x] Fix regendoc
    • 8f5088f Merge pull request #10249 from pytest-dev/backport-10231-to-7.1.x
    • aae93d6 Ignore type-errors related to attr.asdict
    • 71b79fc [7.1.x] Ignore editable installation modules
    • 89f7518 Merge pull request #10222 from pytest-dev/backport-10171-to-7.1.x
    • 88fc45b [7.1.x] Update fixtures.rst w/ finalizer order
    • d0b53d6 Merge pull request #10221 from pytest-dev/backport-10217-to-7.1.x
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 1
  • Bump flake8 from 3.9.2 to 5.0.4

    Bump flake8 from 3.9.2 to 5.0.4

    Bumps flake8 from 3.9.2 to 5.0.4.

    Commits
    • 6027577 Release 5.0.4
    • 213e006 Merge pull request #1653 from asottile/lower-bound-importlib-metadata
    • e94ee2b require sufficiently new importlib-metadata
    • 318a86a Merge pull request #1646 from televi/main
    • 7b8b374 Clarify entry point naming
    • 7160561 Merge pull request #1649 from PyCQA/pre-commit-ci-update-config
    • 84d56a8 [pre-commit.ci] pre-commit autoupdate
    • ff6569b Release 5.0.3
    • e76b59a Merge pull request #1648 from PyCQA/invalid-syntax-partial-parse
    • 25e8ff1 ignore config files that partially parse as flake8 configs
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 1
  • Bump flake8 from 3.9.2 to 5.0.3

    Bump flake8 from 3.9.2 to 5.0.3

    Bumps flake8 from 3.9.2 to 5.0.3.

    Commits
    • ff6569b Release 5.0.3
    • e76b59a Merge pull request #1648 from PyCQA/invalid-syntax-partial-parse
    • 25e8ff1 ignore config files that partially parse as flake8 configs
    • 70c0b3d Release 5.0.2
    • 5e69ba9 Merge pull request #1642 from PyCQA/no-home
    • 8b51ee4 skip skipping home if home does not exist
    • 446b18d Merge pull request #1641 from PyCQA/entry-points-not-pickleable
    • b70d7a2 work around un-pickleabiliy of EntryPoint in 3.8.0
    • 91a7fa9 fix order of release notes
    • 405cfe0 Release 5.0.1
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 1
  • Bump flake8 from 3.9.2 to 5.0.2

    Bump flake8 from 3.9.2 to 5.0.2

    Bumps flake8 from 3.9.2 to 5.0.2.

    Commits
    • 70c0b3d Release 5.0.2
    • 5e69ba9 Merge pull request #1642 from PyCQA/no-home
    • 8b51ee4 skip skipping home if home does not exist
    • 446b18d Merge pull request #1641 from PyCQA/entry-points-not-pickleable
    • b70d7a2 work around un-pickleabiliy of EntryPoint in 3.8.0
    • 91a7fa9 fix order of release notes
    • 405cfe0 Release 5.0.1
    • d20bb97 Merge pull request #1631 from PyCQA/dupe-sys-path
    • fce93b9 prevent duplicate plugin discovery on misconfigured pythons
    • 3f4872a Merge pull request #1628 from mxr/patch-1
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 1
  • Bump twine from 3.4.1 to 4.0.1

    Bump twine from 3.4.1 to 4.0.1

    Bumps twine from 3.4.1 to 4.0.1.

    Release notes

    Sourced from twine's releases.

    4.0.1

    https://pypi.org/project/twine/4.0.1/

    Changelog

    4.0.0

    https://pypi.org/project/twine/4.0.0/

    Changelog

    3.8.0

    https://pypi.org/project/twine/3.8.0/

    Changelog

    3.7.1

    https://pypi.org/project/twine/3.7.1/

    Changelog

    3.7.0

    https://pypi.org/project/twine/3.7.0/

    Changelog

    3.6.0

    https://pypi.org/project/twine/3.6.0/

    Changelog

    3.5.0

    https://pypi.org/project/twine/3.5.0/

    Changelog

    3.4.2

    https://pypi.org/project/twine/3.4.2/

    Changelog

    Changelog

    Sourced from twine's changelog.

    Twine 4.0.1 (2022-06-01)

    Bugfixes ^^^^^^^^

    • Improve logging when keyring fails. ([#890](https://github.com/pypa/twine/issues/890) <https://github.com/pypa/twine/issues/890>_)
    • Reconfgure root logger to show all log messages. ([#896](https://github.com/pypa/twine/issues/896) <https://github.com/pypa/twine/issues/896>_)

    Twine 4.0.0 (2022-03-31)

    Features ^^^^^^^^

    • Drop support for Python 3.6. ([#869](https://github.com/pypa/twine/issues/869) <https://github.com/pypa/twine/issues/869>_)
    • Use Rich to add color to upload output. ([#851](https://github.com/pypa/twine/issues/851) <https://github.com/pypa/twine/issues/851>_)
    • Use Rich to add color to check output. ([#874](https://github.com/pypa/twine/issues/874) <https://github.com/pypa/twine/issues/874>_)
    • Use Rich instead of tqdm for upload progress bar. ([#877](https://github.com/pypa/twine/issues/877) <https://github.com/pypa/twine/issues/877>_)

    Bugfixes ^^^^^^^^

    • Remove Twine's dependencies from the User-Agent header when uploading. ([#871](https://github.com/pypa/twine/issues/871) <https://github.com/pypa/twine/issues/871>_)
    • Improve detection of disabled BLAKE2 hashing due to FIPS mode. ([#879](https://github.com/pypa/twine/issues/879) <https://github.com/pypa/twine/issues/879>_)
    • Restore warning for missing long_description. ([#887](https://github.com/pypa/twine/issues/887) <https://github.com/pypa/twine/issues/887>_)

    Twine 3.8.0 (2022-02-02)

    Features ^^^^^^^^

    • Add --verbose logging for querying keyring credentials. ([#849](https://github.com/pypa/twine/issues/849) <https://github.com/pypa/twine/issues/849>_)
    • Log all upload responses with --verbose. ([#859](https://github.com/pypa/twine/issues/859) <https://github.com/pypa/twine/issues/859>_)
    • Show more helpful error message for invalid metadata. ([#861](https://github.com/pypa/twine/issues/861) <https://github.com/pypa/twine/issues/861>_)

    Bugfixes ^^^^^^^^

    • Require a recent version of urllib3. ([#858](https://github.com/pypa/twine/issues/858) <https://github.com/pypa/twine/issues/858>_)

    Twine 3.7.1 (2021-12-07)

    ... (truncated)

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 1
  • Bump pytest from 6.2.4 to 7.1.2

    Bump pytest from 6.2.4 to 7.1.2

    Bumps pytest from 6.2.4 to 7.1.2.

    Release notes

    Sourced from pytest's releases.

    7.1.2

    pytest 7.1.2 (2022-04-23)

    Bug Fixes

    • #9726: An unnecessary numpy import inside pytest.approx{.interpreted-text role="func"} was removed.
    • #9820: Fix comparison of dataclasses with InitVar.
    • #9869: Increase stacklevel for the NODE_CTOR_FSPATH_ARG deprecation to point to the user's code, not pytest.
    • #9871: Fix a bizarre (and fortunately rare) bug where the [temp_path]{.title-ref} fixture could raise an internal error while attempting to get the current user's username.

    7.1.1

    pytest 7.1.1 (2022-03-17)

    Bug Fixes

    • #9767: Fixed a regression in pytest 7.1.0 where some conftest.py files outside of the source tree (e.g. in the [site-packages]{.title-ref} directory) were not picked up.

    7.1.0

    pytest 7.1.0 (2022-03-13)

    Breaking Changes

    • #8838: As per our policy, the following features have been deprecated in the 6.X series and are now removed:

      • pytest._fillfuncargs function.
      • pytest_warning_captured hook - use pytest_warning_recorded instead.
      • -k -foobar syntax - use -k 'not foobar' instead.
      • -k foobar: syntax.
      • pytest.collect module - import from pytest directly.

      For more information consult Deprecations and Removals in the docs.

    • #9437: Dropped support for Python 3.6, which reached end-of-life at 2021-12-23.

    Improvements

    • #5192: Fixed test output for some data types where -v would show less information.

      Also, when showing diffs for sequences, -q would produce full diffs instead of the expected diff.

    ... (truncated)

    Commits
    • 2f2f1a6 Prepare release version 7.1.2
    • 5c04f3a [7.1.x] Fix wrong log_file docs (#9879)
    • 078733c Merge pull request #9872 from pytest-dev/backport-9871-to-7.1.x
    • 3a7ead6 [7.1.x] fix: move 'import getpass' statement to try-clause
    • 6d75333 [7.1.x] Increase stacklevel to point at user's code (#9870)
    • ddbb998 [7.1.x] Increase stacklevel to point at user's code
    • 0ec5886 Merge pull request #9855 from pytest-dev/backport-9854-to-7.1.x
    • f2469fc [7.1.x] Docs: link to easy issues in contributing guide
    • 94ec0f8 Merge pull request #9846 from pytest-dev/backport-9842-to-7.1.x
    • 5ef96fd [7.1.x] fix comparison of dataclasses with InitVar
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 1
  • Bump twine from 3.4.1 to 4.0.0

    Bump twine from 3.4.1 to 4.0.0

    Bumps twine from 3.4.1 to 4.0.0.

    Release notes

    Sourced from twine's releases.

    3.8.0

    https://pypi.org/project/twine/3.8.0/

    Changelog

    3.7.1

    https://pypi.org/project/twine/3.7.1/

    Changelog

    3.7.0

    https://pypi.org/project/twine/3.7.0/

    Changelog

    3.6.0

    https://pypi.org/project/twine/3.6.0/

    Changelog

    3.5.0

    https://pypi.org/project/twine/3.5.0/

    Changelog

    3.4.2

    https://pypi.org/project/twine/3.4.2/

    Changelog

    Changelog

    Sourced from twine's changelog.

    Twine 4.0.0 (2022-03-31)

    Features ^^^^^^^^

    • Drop support for Python 3.6. ([#869](https://github.com/pypa/twine/issues/869) <https://github.com/pypa/twine/issues/869>_)
    • Use Rich to add color to upload output. ([#851](https://github.com/pypa/twine/issues/851) <https://github.com/pypa/twine/issues/851>_)
    • Use Rich to add color to check output. ([#874](https://github.com/pypa/twine/issues/874) <https://github.com/pypa/twine/issues/874>_)
    • Use Rich instead of tqdm for upload progress bar. ([#877](https://github.com/pypa/twine/issues/877) <https://github.com/pypa/twine/issues/877>_)

    Bugfixes ^^^^^^^^

    • Remove Twine's dependencies from the User-Agent header when uploading. ([#871](https://github.com/pypa/twine/issues/871) <https://github.com/pypa/twine/issues/871>_)
    • Improve detection of disabled BLAKE2 hashing due to FIPS mode. ([#879](https://github.com/pypa/twine/issues/879) <https://github.com/pypa/twine/issues/879>_)
    • Restore warning for missing long_description. ([#887](https://github.com/pypa/twine/issues/887) <https://github.com/pypa/twine/issues/887>_)

    Twine 3.8.0 (2022-02-02)

    Features ^^^^^^^^

    • Add --verbose logging for querying keyring credentials. ([#849](https://github.com/pypa/twine/issues/849) <https://github.com/pypa/twine/issues/849>_)
    • Log all upload responses with --verbose. ([#859](https://github.com/pypa/twine/issues/859) <https://github.com/pypa/twine/issues/859>_)
    • Show more helpful error message for invalid metadata. ([#861](https://github.com/pypa/twine/issues/861) <https://github.com/pypa/twine/issues/861>_)

    Bugfixes ^^^^^^^^

    • Require a recent version of urllib3. ([#858](https://github.com/pypa/twine/issues/858) <https://github.com/pypa/twine/issues/858>_)

    Twine 3.7.1 (2021-12-07)

    Improved Documentation ^^^^^^^^^^^^^^^^^^^^^^

    • Fix broken link to packaging tutorial. ([#844](https://github.com/pypa/twine/issues/844) <https://github.com/pypa/twine/issues/844>_)

    Twine 3.7.0 (2021-12-01)

    Features

    ... (truncated)

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 1
  • Bump pytest from 6.2.4 to 7.1.1

    Bump pytest from 6.2.4 to 7.1.1

    Bumps pytest from 6.2.4 to 7.1.1.

    Release notes

    Sourced from pytest's releases.

    7.1.1

    pytest 7.1.1 (2022-03-17)

    Bug Fixes

    • #9767: Fixed a regression in pytest 7.1.0 where some conftest.py files outside of the source tree (e.g. in the [site-packages]{.title-ref} directory) were not picked up.

    7.1.0

    pytest 7.1.0 (2022-03-13)

    Breaking Changes

    • #8838: As per our policy, the following features have been deprecated in the 6.X series and are now removed:

      • pytest._fillfuncargs function.
      • pytest_warning_captured hook - use pytest_warning_recorded instead.
      • -k -foobar syntax - use -k 'not foobar' instead.
      • -k foobar: syntax.
      • pytest.collect module - import from pytest directly.

      For more information consult Deprecations and Removals in the docs.

    • #9437: Dropped support for Python 3.6, which reached end-of-life at 2021-12-23.

    Improvements

    • #5192: Fixed test output for some data types where -v would show less information.

      Also, when showing diffs for sequences, -q would produce full diffs instead of the expected diff.

    • #9362: pytest now avoids specialized assert formatting when it is detected that the default __eq__ is overridden in attrs or dataclasses.

    • #9536: When -vv is given on command line, show skipping and xfail reasons in full instead of truncating them to fit the terminal width.

    • #9644: More information about the location of resources that led Python to raise ResourceWarning{.interpreted-text role="class"} can now be obtained by enabling tracemalloc{.interpreted-text role="mod"}.

      See resource-warnings{.interpreted-text role="ref"} for more information.

    • #9678: More types are now accepted in the ids argument to @pytest.mark.parametrize. Previously only [str]{.title-ref}, [float]{.title-ref}, [int]{.title-ref} and [bool]{.title-ref} were accepted; now [bytes]{.title-ref}, [complex]{.title-ref}, [re.Pattern]{.title-ref}, [Enum]{.title-ref} and anything with a [__name__]{.title-ref} are also accepted.

    • #9692: pytest.approx{.interpreted-text role="func"} now raises a TypeError{.interpreted-text role="class"} when given an unordered sequence (such as set{.interpreted-text role="class"}).

      Note that this implies that custom classes which only implement __iter__ and __len__ are no longer supported as they don't guarantee order.

    ... (truncated)

    Commits
    • 0ffe9e0 Prepare release version 7.1.1
    • 6f2c1ec Merge pull request #9784 from pytest-dev/backport-9768-to-7.1.x
    • a65c47a Merge pull request #9783 from pytest-dev/backport-9780-to-7.1.x
    • 30d995e [pre-commit.ci] auto fixes from pre-commit.com hooks
    • 10a14d1 [7.1.x] testing: fix tests when run under -v or -vv
    • f4cfc59 [pre-commit.ci] auto fixes from pre-commit.com hooks
    • f1df807 [7.1.x] config: restore pre-pytest 7.1.0 confcutdir exclusion behavior
    • 7d4d1ec Merge pull request #9758 from pytest-dev/release-7.1.0
    • 1dbffcc [pre-commit.ci] auto fixes from pre-commit.com hooks
    • d53a5fb Prepare release version 7.1.0
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 1
  • Bump pytest from 6.2.4 to 7.1.0

    Bump pytest from 6.2.4 to 7.1.0

    Bumps pytest from 6.2.4 to 7.1.0.

    Release notes

    Sourced from pytest's releases.

    7.1.0

    pytest 7.1.0 (2022-03-13)

    Breaking Changes

    • #8838: As per our policy, the following features have been deprecated in the 6.X series and are now removed:

      • pytest._fillfuncargs function.
      • pytest_warning_captured hook - use pytest_warning_recorded instead.
      • -k -foobar syntax - use -k 'not foobar' instead.
      • -k foobar: syntax.
      • pytest.collect module - import from pytest directly.

      For more information consult Deprecations and Removals in the docs.

    • #9437: Dropped support for Python 3.6, which reached end-of-life at 2021-12-23.

    Improvements

    • #5192: Fixed test output for some data types where -v would show less information.

      Also, when showing diffs for sequences, -q would produce full diffs instead of the expected diff.

    • #9362: pytest now avoids specialized assert formatting when it is detected that the default __eq__ is overridden in attrs or dataclasses.

    • #9536: When -vv is given on command line, show skipping and xfail reasons in full instead of truncating them to fit the terminal width.

    • #9644: More information about the location of resources that led Python to raise ResourceWarning{.interpreted-text role="class"} can now be obtained by enabling tracemalloc{.interpreted-text role="mod"}.

      See resource-warnings{.interpreted-text role="ref"} for more information.

    • #9678: More types are now accepted in the ids argument to @pytest.mark.parametrize. Previously only [str]{.title-ref}, [float]{.title-ref}, [int]{.title-ref} and [bool]{.title-ref} were accepted; now [bytes]{.title-ref}, [complex]{.title-ref}, [re.Pattern]{.title-ref}, [Enum]{.title-ref} and anything with a [__name__]{.title-ref} are also accepted.

    • #9692: pytest.approx{.interpreted-text role="func"} now raises a TypeError{.interpreted-text role="class"} when given an unordered sequence (such as set{.interpreted-text role="class"}).

      Note that this implies that custom classes which only implement __iter__ and __len__ are no longer supported as they don't guarantee order.

    Bug Fixes

    • #8242: The deprecation of raising unittest.SkipTest{.interpreted-text role="class"} to skip collection of tests during the pytest collection phase is reverted - this is now a supported feature again.
    • #9493: Symbolic link components are no longer resolved in conftest paths. This means that if a conftest appears twice in collection tree, using symlinks, it will be executed twice.

    ... (truncated)

    Commits
    • 1dbffcc [pre-commit.ci] auto fixes from pre-commit.com hooks
    • d53a5fb Prepare release version 7.1.0
    • d306ec0 Update upcoming trainings (#9744)
    • 3e4c14b Merge pull request #9751 from fabianegli/main
    • 7f924b1 Fix typo in deprecation documentation
    • 4a8f8ad build(deps): Bump django from 4.0.2 to 4.0.3 in /testing/plugins_integration ...
    • c0fd2d8 build(deps): Bump pytest-asyncio from 0.18.1 to 0.18.2 in /testing/plugins_in...
    • 843e018 Merge pull request #9732 from nicoddemus/9730-toml-failure
    • bc43d66 [automated] Update plugin list (#9733)
    • e38d1ca Improve error message for malformed pyproject.toml files
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 1
  • Bump twine from 3.4.1 to 4.0.2

    Bump twine from 3.4.1 to 4.0.2

    Bumps twine from 3.4.1 to 4.0.2.

    Release notes

    Sourced from twine's releases.

    4.0.2

    https://pypi.org/project/twine/4.0.2/

    Changelog

    4.0.1

    https://pypi.org/project/twine/4.0.1/

    Changelog

    4.0.0

    https://pypi.org/project/twine/4.0.0/

    Changelog

    3.8.0

    https://pypi.org/project/twine/3.8.0/

    Changelog

    3.7.1

    https://pypi.org/project/twine/3.7.1/

    Changelog

    3.7.0

    https://pypi.org/project/twine/3.7.0/

    Changelog

    3.6.0

    https://pypi.org/project/twine/3.6.0/

    Changelog

    3.5.0

    https://pypi.org/project/twine/3.5.0/

    Changelog

    3.4.2

    https://pypi.org/project/twine/3.4.2/

    Changelog

    Changelog

    Sourced from twine's changelog.

    Twine 4.0.2 (2022-11-30)

    Bugfixes ^^^^^^^^

    • Remove deprecated function to fix twine check with pkginfo 1.9.0. ([#941](https://github.com/pypa/twine/issues/941) <https://github.com/pypa/twine/issues/941>_)

    Twine 4.0.1 (2022-06-01)

    Bugfixes ^^^^^^^^

    • Improve logging when keyring fails. ([#890](https://github.com/pypa/twine/issues/890) <https://github.com/pypa/twine/issues/890>_)
    • Reconfgure root logger to show all log messages. ([#896](https://github.com/pypa/twine/issues/896) <https://github.com/pypa/twine/issues/896>_)

    Twine 4.0.0 (2022-03-31)

    Features ^^^^^^^^

    • Drop support for Python 3.6. ([#869](https://github.com/pypa/twine/issues/869) <https://github.com/pypa/twine/issues/869>_)
    • Use Rich to add color to upload output. ([#851](https://github.com/pypa/twine/issues/851) <https://github.com/pypa/twine/issues/851>_)
    • Use Rich to add color to check output. ([#874](https://github.com/pypa/twine/issues/874) <https://github.com/pypa/twine/issues/874>_)
    • Use Rich instead of tqdm for upload progress bar. ([#877](https://github.com/pypa/twine/issues/877) <https://github.com/pypa/twine/issues/877>_)

    Bugfixes ^^^^^^^^

    • Remove Twine's dependencies from the User-Agent header when uploading. ([#871](https://github.com/pypa/twine/issues/871) <https://github.com/pypa/twine/issues/871>_)
    • Improve detection of disabled BLAKE2 hashing due to FIPS mode. ([#879](https://github.com/pypa/twine/issues/879) <https://github.com/pypa/twine/issues/879>_)
    • Restore warning for missing long_description. ([#887](https://github.com/pypa/twine/issues/887) <https://github.com/pypa/twine/issues/887>_)

    Twine 3.8.0 (2022-02-02)

    Features ^^^^^^^^

    • Add --verbose logging for querying keyring credentials. ([#849](https://github.com/pypa/twine/issues/849) <https://github.com/pypa/twine/issues/849>_)
    • Log all upload responses with --verbose. ([#859](https://github.com/pypa/twine/issues/859) <https://github.com/pypa/twine/issues/859>_)
    • Show more helpful error message for invalid metadata. ([#861](https://github.com/pypa/twine/issues/861) <https://github.com/pypa/twine/issues/861>_)

    ... (truncated)

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 0
  • Bump flake8 from 3.9.2 to 6.0.0

    Bump flake8 from 3.9.2 to 6.0.0

    Bumps flake8 from 3.9.2 to 6.0.0.

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 0
  • Add CodeQL workflow for GitHub code scanning

    Add CodeQL workflow for GitHub code scanning

    Hi Santandersecurityresearch/corsair_scan!

    This is a one-off automatically generated pull request from LGTM.com :robot:. You might have heard that we’ve integrated LGTM’s underlying CodeQL analysis engine natively into GitHub. The result is GitHub code scanning!

    With LGTM fully integrated into code scanning, we are focused on improving CodeQL within the native GitHub code scanning experience. In order to take advantage of current and future improvements to our analysis capabilities, we suggest you enable code scanning on your repository. Please take a look at our blog post for more information.

    This pull request enables code scanning by adding an auto-generated codeql.yml workflow file for GitHub Actions to your repository — take a look! We tested it before opening this pull request, so all should be working :heavy_check_mark:. In fact, you might already have seen some alerts appear on this pull request!

    Where needed and if possible, we’ve adjusted the configuration to the needs of your particular repository. But of course, you should feel free to tweak it further! Check this page for detailed documentation.

    Questions? Check out the FAQ below!

    FAQ

    Click here to expand the FAQ section

    How often will the code scanning analysis run?

    By default, code scanning will trigger a scan with the CodeQL engine on the following events:

    • On every pull request — to flag up potential security problems for you to investigate before merging a PR.
    • On every push to your default branch and other protected branches — this keeps the analysis results on your repository’s Security tab up to date.
    • Once a week at a fixed time — to make sure you benefit from the latest updated security analysis even when no code was committed or PRs were opened.

    What will this cost?

    Nothing! The CodeQL engine will run inside GitHub Actions, making use of your unlimited free compute minutes for public repositories.

    What types of problems does CodeQL find?

    The CodeQL engine that powers GitHub code scanning is the exact same engine that powers LGTM.com. The exact set of rules has been tweaked slightly, but you should see almost exactly the same types of alerts as you were used to on LGTM.com: we’ve enabled the security-and-quality query suite for you.

    How do I upgrade my CodeQL engine?

    No need! New versions of the CodeQL analysis are constantly deployed on GitHub.com; your repository will automatically benefit from the most recently released version.

    The analysis doesn’t seem to be working

    If you get an error in GitHub Actions that indicates that CodeQL wasn’t able to analyze your code, please follow the instructions here to debug the analysis.

    How do I disable LGTM.com?

    If you have LGTM’s automatic pull request analysis enabled, then you can follow these steps to disable the LGTM pull request analysis. You don’t actually need to remove your repository from LGTM.com; it will automatically be removed in the next few months as part of the deprecation of LGTM.com (more info here).

    Which source code hosting platforms does code scanning support?

    GitHub code scanning is deeply integrated within GitHub itself. If you’d like to scan source code that is hosted elsewhere, we suggest that you create a mirror of that code on GitHub.

    How do I know this PR is legitimate?

    This PR is filed by the official LGTM.com GitHub App, in line with the deprecation timeline that was announced on the official GitHub Blog. The proposed GitHub Action workflow uses the official open source GitHub CodeQL Action. If you have any other questions or concerns, please join the discussion here in the official GitHub community!

    I have another question / how do I get in touch?

    Please join the discussion here to ask further questions and send us suggestions!

    opened by lgtm-com[bot] 0
  • Bump pytest from 6.2.4 to 7.2.0

    Bump pytest from 6.2.4 to 7.2.0

    Bumps pytest from 6.2.4 to 7.2.0.

    Release notes

    Sourced from pytest's releases.

    7.2.0

    pytest 7.2.0 (2022-10-23)

    Deprecations

    • #10012: Update pytest.PytestUnhandledCoroutineWarning{.interpreted-text role="class"} to a deprecation; it will raise an error in pytest 8.

    • #10396: pytest no longer depends on the py library. pytest provides a vendored copy of py.error and py.path modules but will use the py library if it is installed. If you need other py.* modules, continue to install the deprecated py library separately, otherwise it can usually be removed as a dependency.

    • #4562: Deprecate configuring hook specs/impls using attributes/marks.

      Instead use :pypytest.hookimpl{.interpreted-text role="func"} and :pypytest.hookspec{.interpreted-text role="func"}. For more details, see the docs <legacy-path-hooks-deprecated>{.interpreted-text role="ref"}.

    • #9886: The functionality for running tests written for nose has been officially deprecated.

      This includes:

      • Plain setup and teardown functions and methods: this might catch users by surprise, as setup() and teardown() are not pytest idioms, but part of the nose support.
      • Setup/teardown using the @​with_setup decorator.

      For more details, consult the deprecation docs <nose-deprecation>{.interpreted-text role="ref"}.

    Features

    • #9897: Added shell-style wildcard support to testpaths.

    Improvements

    • #10218: @pytest.mark.parametrize() (and similar functions) now accepts any Sequence[str] for the argument names, instead of just list[str] and tuple[str, ...].

      (Note that str, which is itself a Sequence[str], is still treated as a comma-delimited name list, as before).

    • #10381: The --no-showlocals flag has been added. This can be passed directly to tests to override --showlocals declared through addopts.

    • #3426: Assertion failures with strings in NFC and NFD forms that normalize to the same string now have a dedicated error message detailing the issue, and their utf-8 representation is expresed instead.

    • #7337: A warning is now emitted if a test function returns something other than [None]{.title-ref}. This prevents a common mistake among beginners that expect that returning a [bool]{.title-ref} (for example [return foo(a, b) == result]{.title-ref}) would cause a test to pass or fail, instead of using [assert]{.title-ref}.

    • #8508: Introduce multiline display for warning matching via :pypytest.warns{.interpreted-text role="func"} and enhance match comparison for :py_pytest._code.ExceptionInfo.match{.interpreted-text role="func"} as returned by :pypytest.raises{.interpreted-text role="func"}.

    • #8646: Improve :pypytest.raises{.interpreted-text role="func"}. Previously passing an empty tuple would give a confusing error. We now raise immediately with a more helpful message.

    • #9741: On Python 3.11, use the standard library's tomllib{.interpreted-text role="mod"} to parse TOML.

      tomli{.interpreted-text role="mod"}` is no longer a dependency on Python 3.11.

    • #9742: Display assertion message without escaped newline characters with -vv.

    • #9823: Improved error message that is shown when no collector is found for a given file.

    ... (truncated)

    Commits
    • 3af3f56 Prepare release version 7.2.0
    • bc2c3b6 Merge pull request #10408 from NateMeyvis/patch-2
    • d84ed48 Merge pull request #10409 from pytest-dev/asottile-patch-1
    • ffe49ac Merge pull request #10396 from pytest-dev/pylib-hax
    • d352098 allow jobs to pass if codecov.io fails
    • c5c562b Fix typos in CONTRIBUTING.rst
    • d543a45 add deprecation changelog for py library vendoring
    • f341a5c Merge pull request #10407 from NateMeyvis/patch-1
    • 1027dc8 [pre-commit.ci] auto fixes from pre-commit.com hooks
    • 6b905ee Add note on tags to CONTRIBUTING.rst
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 0
  • Bump pytest-cov from 2.12.0 to 4.0.0

    Bump pytest-cov from 2.12.0 to 4.0.0

    Bumps pytest-cov from 2.12.0 to 4.0.0.

    Changelog

    Sourced from pytest-cov's changelog.

    4.0.0 (2022-09-28)

    Note that this release drops support for multiprocessing.

    • --cov-fail-under no longer causes pytest --collect-only to fail Contributed by Zac Hatfield-Dodds in [#511](https://github.com/pytest-dev/pytest-cov/issues/511) <https://github.com/pytest-dev/pytest-cov/pull/511>_.

    • Dropped support for multiprocessing (mostly because issue 82408 <https://github.com/python/cpython/issues/82408>_). This feature was mostly working but very broken in certain scenarios and made the test suite very flaky and slow.

      There is builtin multiprocessing support in coverage and you can migrate to that. All you need is this in your .coveragerc::

      [run] concurrency = multiprocessing parallel = true sigterm = true

    • Fixed deprecation in setup.py by trying to import setuptools before distutils. Contributed by Ben Greiner in [#545](https://github.com/pytest-dev/pytest-cov/issues/545) <https://github.com/pytest-dev/pytest-cov/pull/545>_.

    • Removed undesirable new lines that were displayed while reporting was disabled. Contributed by Delgan in [#540](https://github.com/pytest-dev/pytest-cov/issues/540) <https://github.com/pytest-dev/pytest-cov/pull/540>_.

    • Documentation fixes. Contributed by Andre Brisco in [#543](https://github.com/pytest-dev/pytest-cov/issues/543) <https://github.com/pytest-dev/pytest-cov/pull/543>_ and Colin O'Dell in [#525](https://github.com/pytest-dev/pytest-cov/issues/525) <https://github.com/pytest-dev/pytest-cov/pull/525>_.

    • Added support for LCOV output format via --cov-report=lcov. Only works with coverage 6.3+. Contributed by Christian Fetzer in [#536](https://github.com/pytest-dev/pytest-cov/issues/536) <https://github.com/pytest-dev/pytest-cov/issues/536>_.

    • Modernized pytest hook implementation. Contributed by Bruno Oliveira in [#549](https://github.com/pytest-dev/pytest-cov/issues/549) <https://github.com/pytest-dev/pytest-cov/pull/549>_ and Ronny Pfannschmidt in [#550](https://github.com/pytest-dev/pytest-cov/issues/550) <https://github.com/pytest-dev/pytest-cov/pull/550>_.

    3.0.0 (2021-10-04)

    Note that this release drops support for Python 2.7 and Python 3.5.

    • Added support for Python 3.10 and updated various test dependencies. Contributed by Hugo van Kemenade in [#500](https://github.com/pytest-dev/pytest-cov/issues/500) <https://github.com/pytest-dev/pytest-cov/pull/500>_.
    • Switched from Travis CI to GitHub Actions. Contributed by Hugo van Kemenade in [#494](https://github.com/pytest-dev/pytest-cov/issues/494) <https://github.com/pytest-dev/pytest-cov/pull/494>_ and [#495](https://github.com/pytest-dev/pytest-cov/issues/495) <https://github.com/pytest-dev/pytest-cov/pull/495>_.
    • Add a --cov-reset CLI option. Contributed by Danilo Šegan in [#459](https://github.com/pytest-dev/pytest-cov/issues/459) <https://github.com/pytest-dev/pytest-cov/pull/459>_.
    • Improved validation of --cov-fail-under CLI option. Contributed by ... Ronny Pfannschmidt's desire for skark in [#480](https://github.com/pytest-dev/pytest-cov/issues/480) <https://github.com/pytest-dev/pytest-cov/pull/480>_.
    • Dropped Python 2.7 support.

    ... (truncated)

    Commits
    • 28db055 Bump version: 3.0.0 → 4.0.0
    • 57e9354 Really update the changelog.
    • 56b810b Update chagelog.
    • f7fced5 Add support for LCOV output
    • 1211d31 Fix flake8 error
    • b077753 Use modern approach to specify hook options
    • 00713b3 removed incorrect docs on data_file.
    • b3dda36 Improve workflow with a collecting status check. (#548)
    • 218419f Prevent undesirable new lines to be displayed when report is disabled
    • 60b73ec migrate build command from distutils to setuptools
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 0
  • Bump bandit from 1.7.0 to 1.7.4

    Bump bandit from 1.7.0 to 1.7.4

    Bumps bandit from 1.7.0 to 1.7.4.

    Release notes

    Sourced from bandit's releases.

    1.7.4

    What's Changed

    New Contributors

    Full Changelog: https://github.com/PyCQA/bandit/compare/1.7.3...1.7.4

    1.7.3

    What's Changed

    New Contributors

    ... (truncated)

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 0
Owner
Santander Security Research
Santander Security Research
JSON Web Token implementation in Python

PyJWT A Python implementation of RFC 7519. Original implementation was written by @progrium. Sponsor If you want to quickly add secure token-based aut

José Padilla 4.5k Jan 09, 2023
JSON Web Token Authentication support for Django REST Framework

REST framework JWT Auth Notice This project is currently unmaintained. Check #484 for more details and suggested alternatives. JSON Web Token Authenti

José Padilla 3.2k Dec 31, 2022
Easy and secure implementation of Azure AD for your FastAPI APIs 🔒 Single- and multi-tenant support.

Easy and secure implementation of Azure AD for your FastAPI APIs 🔒 Single- and multi-tenant support.

Intility 220 Jan 05, 2023
Authentication for Django Rest Framework

Dj-Rest-Auth Drop-in API endpoints for handling authentication securely in Django Rest Framework. Works especially well with SPAs (e.g React, Vue, Ang

Michael 1.1k Jan 03, 2023
A fully tested, abstract interface to creating OAuth clients and servers.

Note: This library implements OAuth 1.0 and not OAuth 2.0. Overview python-oauth2 is a python oauth library fully compatible with python versions: 2.6

Joe Stump 3k Jan 02, 2023
Includes Automation and Personal Projects

Python Models, and Connect Forclient & OpenCv projects Completed Automation** Alarm (S

tushar malhan 1 Jan 15, 2022
python-social-auth and oauth2 support for django-rest-framework

Django REST Framework Social OAuth2 This module provides OAuth2 social authentication support for applications in Django REST Framework. The aim of th

1k Dec 22, 2022
A generic, spec-compliant, thorough implementation of the OAuth request-signing logic

OAuthLib - Python Framework for OAuth1 & OAuth2 *A generic, spec-compliant, thorough implementation of the OAuth request-signing logic for Python 3.5+

OAuthlib 2.5k Jan 02, 2023
This is a Python library for accessing resources protected by OAuth 2.0.

This is a client library for accessing resources protected by OAuth 2.0. Note: oauth2client is now deprecated. No more features will be added to the l

Google APIs 787 Dec 13, 2022
Strong, Simple, and Precise security for Flask APIs (using jwt)

flask-praetorian Strong, Simple, and Precise security for Flask APIs API security should be strong, simple, and precise like a Roman Legionary. This p

Tucker Beck 321 Dec 18, 2022
Luca Security Concept

Luca Security Concept This is the document source of luca's security concept. Please go here for the HTML version: https://luca-app.de/securityconcept

luca 43 Oct 22, 2022
Abusing Microsoft 365 OAuth Authorization Flow for Phishing Attack

Microsoft365_devicePhish Abusing Microsoft 365 OAuth Authorization Flow for Phishing Attack This is a simple proof-of-concept script that allows an at

Optiv Security 76 Jan 02, 2023
Minimal authorization through OO design and pure Ruby classes

Pundit Pundit provides a set of helpers which guide you in leveraging regular Ruby classes and object oriented design patterns to build a simple, robu

Varvet 7.8k Jan 02, 2023
A module making it easier to manage Discord oAuth with Quart

quart_discord A module making it easier to manage Discord oAuth with Quart Install pip install git+https://github.com/xelA/ 5 Oct 27, 2022

A simple username/password database authentication solution for Streamlit

TL;DR: This is a simple username/password login authentication solution using a backing database. Both SQLite and Airtable are supported.

Arvindra 49 Nov 25, 2022
Storefront - A store App developed using Django, RESTFul API, JWT

Storefront A store App developed using Django, RESTFul API, JWT. SQLite has been

Muhammad Algshy 1 Jan 07, 2022
Accounts for Django made beautifully simple

Django Userena Userena is a Django application that supplies your Django project with full account management. It's a fully customizable application t

Bread & Pepper 1.3k Sep 18, 2022
A Python tool to generate and refresh Amazon access tokens.

amazon_auth A Python tool to generate and refresh Amazon access tokens. Description This tool generates and outputs Amazon access and refresh tokens f

15 Nov 21, 2022
A simple Boilerplate to Setup Authentication using Django-allauth 🚀

A simple Boilerplate to Setup Authentication using Django-allauth, with a custom template for login and registration using django-crispy-forms.

Yasser Tahiri 13 May 13, 2022
Creation & manipulation of PyPI tokens

PyPIToken: Manipulate PyPI API tokens PyPIToken is an open-source Python 3.6+ library for generating and manipulating PyPI tokens. PyPI tokens are ver

Joachim Jablon 8 Nov 01, 2022