| author | Robert Scott <code@humanleg.org.uk> | 2022-08-20 01:07:31 +0100 |
|---|---|---|
| committer | Robert Scott <code@humanleg.org.uk> | 2022-08-20 02:17:58 +0100 |
| commit | 8b839e5760968a40945a90697e8b0480301c4aef (patch) | |
| tree | 5d53a359d12c1603ce1d0eba93fab93f4d43fa42 | |
| parent | Merge #187393: gcc12: apply working patch for darwin-aarch64 (diff) | |
| download | nixpkgs-8b839e5760968a40945a90697e8b0480301c4aef.tar.gz | |
streamlit: add patch for CVE-2022-35918
| -rwxr-xr-x | pkgs/applications/science/machine-learning/streamlit/default.nix | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/pkgs/applications/science/machine-learning/streamlit/default.nix b/pkgs/applications/science/machine-learning/streamlit/default.nix
index f439b113d1ab..b2fedfac17a8 100755
--- a/pkgs/applications/science/machine-learning/streamlit/default.nix
+++ b/pkgs/applications/science/machine-learning/streamlit/default.nix
@@ -3,6 +3,10 @@
 lib,
 buildPythonApplication,
 fetchPypi,
+ fetchpatch,
+
+ unzip,
+ zip,

 # Build inputs
 altair,
@@ -49,6 +53,37 @@ in buildPythonApplication rec {
 sha256 = "1dzb68a8n8wvjppcmqdaqnh925b2dg6rywv51ac9q09zjxb6z11n";
 };

+ patches = [
+ (fetchpatch {
+ name = "CVE-2022-35918.patch";
+ url = "https://github.com/streamlit/streamlit/commit/80d9979d5f4a00217743d607078a1d867fad8acf.patch";
+ sha256 = "sha256-AyVF/VUKUEKz0RF9CzW2eco0lY0xVd3hPc88D7VZ5Xw=";
+ stripLen = 1;
+ # tests not included in wheel
+ excludes = [ "tests/streamlit/components_test.py" ];
+ })
+ ];
+ # extract wheel, run normal patch phase, repack wheel.
+ # effectively a "wheelPatchPhase". not a normal thing
+ # to do but needs must.
+ patchPhase = ''
+ wheelFile="$(realpath -s dist/*.whl)"
+ pushd "$(mktemp -d)"
+
+ unzip -q "$wheelFile"
+
+ patchPhase
+
+ newZip="$(mktemp -d)"/new.zip
+ zip -rq "$newZip" *
+ rm -rf "$wheelFile"
+ cp "$newZip" "$wheelFile"
+
+ popd
+ '';
+
+ nativeBuildInputs = [ unzip zip ];
+
 propagatedBuildInputs = [
 altair
 astor
|
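Review bot: The repack step in the new `patchPhase` rewrites files inside the wheel but never touches `*.dist-info/RECORD`, so, assuming the wheel has the standard layout, its recorded hashes no longer match the patched sources. An installer or audit tool that checks RECORD would flag or reject the result. At minimum I would add a comment above the `zip` line, such as `# NOTE: *.dist-info/RECORD is not regenerated; its hashes are stale after patching`. Because `excludes` drops the upstream regression test, nothing in the build confirms that the CVE-2022-35918 fix reached the installed output, so an install-time check on the patched file would be worth adding. Separately, `zip -rq "$newZip" *` skips top-level dotfiles, which `zip -rq "$newZip" .` would include. The `buildPythonApplication` attribute set starts and ends outside this hunk.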
