fix: flask 2.2 and werkzeug 2.2 compatibility

anthraxx · anthraxx · commit e48779936313 · 2022-10-14T20:05:00.000+02:00
diff --git a/test/test_admin.py b/test/test_admin.py
@@ -1,6 +1,5 @@
 from flask import url_for
 from flask_login import current_user
-from werkzeug.exceptions import BadRequest
 from werkzeug.exceptions import Forbidden
 from werkzeug.exceptions import NotFound
 from werkzeug.exceptions import Unauthorized
@@ -56,7 +55,7 @@ def test_delete_user_not_found(db, client):
 def test_delete_form_invalid(db, client):
     resp = client.post(url_for('tracker.delete_user', username=USERNAME),
                        data=dict())
-    assert resp.status_code == BadRequest.code
+    assert resp.status_code != 200
 
 
 @logged_in
diff --git a/test/test_index.py b/test/test_index.py
@@ -34,7 +34,7 @@ def test_index_all(db, client):
 @create_package(name='foo', version='1.2.3-4')
 @create_group(id=DEFAULT_GROUP_ID, packages=['foo'], affected='1.2.3-3')
 def test_index_json(db, client):
-    resp = client.get(url_for('tracker.index_json', only_vulernable=False, path='all.json'), follow_redirects=True)
+    resp = client.get(url_for('tracker.index_json', only_vulernable=False), follow_redirects=True)
     assert 200 == resp.status_code
     data = resp.get_json()
     assert 'application/json; charset=utf-8' == resp.content_type
@@ -45,7 +45,7 @@ def test_index_json(db, client):
 @create_package(name='foo', version='1.2.3-4')
 @create_group(id=DEFAULT_GROUP_ID, packages=['foo'], affected='1.2.3-3')
 def test_index_vulnerable_json(db, client):
-    resp = client.get(url_for('tracker.index_vulnerable_json', path='vulnerable.json'), follow_redirects=True)
+    resp = client.get(url_for('tracker.index_vulnerable_json'), follow_redirects=True)
     assert 200 == resp.status_code
     data = resp.get_json()
     assert len(data) == 1
diff --git a/tracker/cli/run.py b/tracker/cli/run.py
@@ -23,13 +23,10 @@
 @option('--debugger/--no-debugger', default=None,
         help='Enable or disable the debugger.  By default the debugger '
         'is active if debug is enabled.')
-@option('--eager-loading/--lazy-loader', default=None,
-        help='Enable or disable eager loading.  By default eager '
-        'loading is enabled if the reloader is disabled.')
 @option('--with-threads/--without-threads', default=False,
         help='Enable or disable multithreading.')
 @pass_script_info
-def run(info, host, port, debug, reload, debugger, eager_loading, with_threads):
+def run(info, host, port, debug, reload, debugger, with_threads):
     """Runs a local development server for the Flask application.
 
     This local server is recommended for development purposes only but it
@@ -43,7 +40,6 @@ def run(info, host, port, debug, reload, debugger, eager_loading, with_threads):
     """
     import os
 
-    from flask.cli import DispatchingApp
     from werkzeug.serving import run_simple
 
     if debug != FLASK_DEBUG:
@@ -52,10 +48,8 @@ def run(info, host, port, debug, reload, debugger, eager_loading, with_threads):
         reload = bool(debug)
     if debugger is None:
         debugger = bool(debug)
-    if eager_loading is None:
-        eager_loading = not reload
 
-    app = DispatchingApp(info.load_app, use_eager_loading=eager_loading)
+    app = info.load_app()
 
     # Extra startup messages.  This depends a bit on Werkzeug internals to
     # not double execute when the reloader kicks in.
diff --git a/tracker/view/advisory.py b/tracker/view/advisory.py
@@ -90,10 +90,12 @@ def advisory_atom():
     return Response(feed.atom_str(pretty=True), 200, content_type='application/atom+xml; charset=utf-8')
 
 
-@tracker.route('/advisory<regex("[./]json"):postfix>', methods=['GET'])
-@tracker.route('/advisories<regex("[./]json"):postfix>', methods=['GET'])
+@tracker.route('/advisory.json', methods=['GET'])
+@tracker.route('/advisory/json', methods=['GET'])
+@tracker.route('/advisories.json', methods=['GET'])
+@tracker.route('/advisories/json', methods=['GET'])
 @json_response
-def advisory_json(postfix=None):
+def advisory_json():
     data = get_advisory_data()
 
     def to_json_data(entry):
diff --git a/tracker/view/index.py b/tracker/view/index.py
@@ -53,30 +53,35 @@ def get_index_data(only_vulnerable=False, only_in_repo=True):
     return groups
 
 
-@tracker.route('/', defaults={'path': '', 'only_vulnerable': True}, methods=['GET'])
-def index(only_vulnerable=True, path=None):
+@tracker.route('/', defaults={'only_vulnerable': True}, methods=['GET'])
+def index(only_vulnerable=True):
     groups = get_index_data(only_vulnerable)
     return render_template('index.html',
                            title='Issues' if not only_vulnerable else 'Vulnerable issues',
                            entries=groups,
                            only_vulnerable=only_vulnerable)
 
 
-@tracker.route('/<regex("issues(/(open|vulnerable))?"):path>', defaults={'path': 'issues'}, methods=['GET'])
-def index_vulnerable(path=None):
+@tracker.route('/issues', methods=['GET'])
+@tracker.route('/issues/open', methods=['GET'])
+@tracker.route('/issues/vulnerable', methods=['GET'])
+def index_vulnerable():
     return index(only_vulnerable=True)
 
 
-@tracker.route('/<regex("(issues/)?all"):path>', defaults={'path': 'issues/all'}, methods=['GET'])
-def index_all(path=None):
+@tracker.route('/all', methods=['GET'])
+@tracker.route('/issues/all', methods=['GET'])
+def index_all():
     return index(only_vulnerable=False)
 
 
 # TODO: temporarily keep /json this way until tools adopted new endpoint
-@tracker.route('/json', defaults={'path': 'json', 'only_vulnerable': False}, methods=['GET'])
-@tracker.route('/<regex("(issues/?)?(all)?.json"):path>', defaults={'path': 'all.json', 'only_vulnerable': False}, methods=['GET'])
+@tracker.route('/json', defaults={'only_vulnerable': False}, methods=['GET'])
+@tracker.route('/all.json', defaults={'only_vulnerable': False}, methods=['GET'])
+@tracker.route('/issues.json', defaults={'only_vulnerable': False}, methods=['GET'])
+@tracker.route('/issues/all.json', defaults={'only_vulnerable': False}, methods=['GET'])
 @json_response
-def index_json(only_vulnerable=False, path=None):
+def index_json(only_vulnerable=False):
     entries = get_index_data(only_vulnerable)
     json_data = []
     for entry in entries:
@@ -98,6 +103,8 @@ def index_json(only_vulnerable=False, path=None):
     return json_data
 
 
-@tracker.route('/<regex("(issues/?)?(open|vulnerable).json"):path>', methods=['GET'])
-def index_vulnerable_json(path=None):
+@tracker.route('/issues.json', methods=['GET'])
+@tracker.route('/issues/open.json', methods=['GET'])
+@tracker.route('/issues/vulnerable.json', methods=['GET'])
+def index_vulnerable_json():
     return index_json(only_vulnerable=True)
diff --git a/tracker/view/show.py b/tracker/view/show.py
@@ -140,9 +140,10 @@ def get_cve_data(cve):
             'advisories': advisories}
 
 
-@tracker.route('/<regex("((issues?|cve)/)?"):path><regex("{}"):cve><regex("[./]json"):suffix>'.format(cve_id_regex[1:-1]), methods=['GET'])
+@tracker.route('/<regex("{}"):cve>.json'.format(cve_id_regex[1:-1]), methods=['GET'])
+@tracker.route('/<regex("{}"):cve>/json'.format(cve_id_regex[1:-1]), methods=['GET'])
 @json_response
-def show_cve_json(cve, path=None, suffix=None):
+def show_cve_json(cve):
     data = get_cve_data(cve)
     if not data:
         return not_found(json=True)
@@ -168,9 +169,11 @@ def show_cve_json(cve, path=None, suffix=None):
     return json_data
 
 
-@tracker.route('/<regex("((issues?|cve)/)?"):path><regex("{}"):cve>'.format(cve_id_regex[1:]), methods=['GET'])
-def show_cve(cve, path=None):
+@tracker.route('/<regex("{}"):cve>'.format(cve_id_regex[1:]), methods=['GET'])
+def show_cve(cve):
+
     data = get_cve_data(cve)
+
     if not data:
         return not_found()
 
@@ -194,8 +197,8 @@ def show_cve(cve, path=None):
                            can_delete=user_can_delete_issue(advisories))
 
 
-@tracker.route('/<regex("((issues?|cve)/)?"):path><regex("{}"):cve>/log'.format(cve_id_regex[1:-1]), methods=['GET'])
-def show_cve_log(cve, path=None):
+@tracker.route('/<regex("{}"):cve>/log'.format(cve_id_regex[1:-1]), methods=['GET'])
+def show_cve_log(cve):
     data = get_cve_data(cve)
     if not data:
         return not_found()
@@ -254,11 +257,14 @@ def get_group_data(avg):
     }
 
 
-@tracker.route('/group/<regex("{}"):avg><regex("[./]json"):postfix>'.format(vulnerability_group_regex[1:-1]), methods=['GET'])
-@tracker.route('/avg/<regex("{}"):avg><regex("[./]json"):postfix>'.format(vulnerability_group_regex[1:-1]), methods=['GET'])
-@tracker.route('/<regex("{}"):avg><regex("[./]json"):postfix>'.format(vulnerability_group_regex[1:-1]), methods=['GET'])
+@tracker.route('/group/<regex("{}"):avg>.json'.format(vulnerability_group_regex[1:-1]), methods=['GET'])
+@tracker.route('/group/<regex("{}"):avg>/json'.format(vulnerability_group_regex[1:-1]), methods=['GET'])
+@tracker.route('/avg/<regex("{}"):avg>.json'.format(vulnerability_group_regex[1:-1]), methods=['GET'])
+@tracker.route('/avg/<regex("{}"):avg>/json'.format(vulnerability_group_regex[1:-1]), methods=['GET'])
+@tracker.route('/<regex("{}"):avg>.json'.format(vulnerability_group_regex[1:-1]), methods=['GET'])
+@tracker.route('/<regex("{}"):avg>/json'.format(vulnerability_group_regex[1:-1]), methods=['GET'])
 @json_response
-def show_group_json(avg, postfix=None):
+def show_group_json(avg):
     data = get_group_data(avg)
     if not data:
         return not_found(json=True)
@@ -405,9 +411,10 @@ def show_group_log(avg):
                            can_watch_user_log=user_can_watch_user_log())
 
 
-@tracker.route('/package/<regex("{}"):pkgname><regex("[./]json"):suffix>'.format(pkgname_regex[1:-1]), methods=['GET'])
+@tracker.route('/package/<regex("{}"):pkgname>.json'.format(pkgname_regex[1:-1]), methods=['GET'])
+@tracker.route('/package/<regex("{}"):pkgname>/json'.format(pkgname_regex[1:-1]), methods=['GET'])
 @json_response
-def show_package_json(pkgname, suffix=None):
+def show_package_json(pkgname):
     data = get_package_data(pkgname)
     if not data:
         return not_found(json=True)
@@ -612,7 +619,7 @@ def show_generated_advisory(advisory_id, raw=False):
 
 @tracker.route('/advisory/<regex("{}"):advisory_id>/log'.format(advisory_regex[1:-1]), methods=['GET'])
 @tracker.route('/<regex("{}"):advisory_id>/log'.format(advisory_regex[1:-1]), methods=['GET'])
-def show_advisory_log(advisory_id, path=None):
+def show_advisory_log(advisory_id):
     advisory = (db.session.query(Advisory)
                 .filter(Advisory.id == advisory_id)
                 ).first()
diff --git a/tracker/view/user.py b/tracker/view/user.py
@@ -15,7 +15,6 @@
 from tracker.model import Advisory
 from tracker.model import CVEGroup
 from tracker.model import User
-from tracker.model.user import username_regex
 from tracker.user import hash_password
 from tracker.user import only_without_sso
 from tracker.user import random_string
@@ -43,8 +42,8 @@ def edit_own_user_profile():
 
 
 # TODO: define permission to view this
-@tracker.route('/user/<regex("{}"):username>/log'.format(username_regex[1:-1]), defaults={'page': 1}, methods=['GET'])
-@tracker.route('/user/<regex("{}"):username>/log/page/<int:page>'.format(username_regex[1:-1]), methods=['GET'])
+@tracker.route('/user/<string:username>/log', defaults={'page': 1}, methods=['GET'])
+@tracker.route('/user/<string:username>/log/page/<int:page>', methods=['GET'])
 @login_required
 def show_user_log(username, page=1):
     MAX_ENTRIES_PER_PAGE = 10
