Update to Jinja2 2.10.1

[kinow]

Close #3114

Updates to Jinja2 2.10.1.

[kinow]

Oh, bad news. Jinja 2.10.1 with the security fix is Python 3 only apparently. They added asyncio support (see build failure). I tried to remove the two files that add async support, but they are mentioned in environment.py and in another file.

So I think 7.8.x will have to go out with the dependency that had the CVE. And in that case this PR can be closed 😕

[hjoliver]

Oh, bad news. Jinja 2.10.1 with the security fix is Python 3 only apparently.

Can we argue (as I think you did @kinow, in your initial email about this problem) that the CVE does not pose any additional risk in the Cylc context? And if so, will that satisfy your colleagues @MartinRyan? (Well, it'll have to ... I don't see we have much choice here).

[kinow]

Can we argue (as I think you did @kinow, in your initial email about this problem) that the CVE does not pose any additional risk in the Cylc context?

I think so. I tried one different scenario, where a user A would have access to Cylc Review, and then create suites and tasks with malicious names. But that did not work, and even if worked, it would give him access to the Cylc operating system, under Cylc's user account... which he already has anyway.

I was concerned only if I could modify something in the web layer through the exploit (e.g. steal cookies, inject JS), but I didn't find an easy way to exploit it.

So +1 from me

(also found several issues in Cylc Review while testing it with special characters...)