security(deps): update 🛡️ requests to v2.32.2 [security] (#30)
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [requests](https://requests.readthedocs.io) ([source](https://togithub.com/psf/requests), [changelog](https://togithub.com/psf/requests/blob/master/HISTORY.md)) | `==2.28.2` -> `==2.32.2` | [![age](https://developer.mend.io/api/mc/badges/age/pypi/requests/2.32.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/pypi/requests/2.32.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/pypi/requests/2.28.2/2.32.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/requests/2.28.2/2.32.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2023-32681](https://togithub.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q)

### Impact

Since Requests v2.3.0, Requests has been vulnerable to potentially
leaking `Proxy-Authorization` headers to destination servers,
specifically during redirects to an HTTPS origin. This is a product of
how `rebuild_proxies` is used to recompute and [reattach the
`Proxy-Authorization`
header](https://togithub.com/psf/requests/blob/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773/requests/sessions.py#L319-L328)
to requests when redirected. Note this behavior has _only_ been observed
to affect proxied requests when credentials are supplied in the URL user
information component (e.g. `https://username:password@proxy:8080`).

**Current vulnerable behavior(s):**

1. HTTP → HTTPS: **leak**
2. HTTPS → HTTP: **no leak**
3. HTTPS → HTTPS: **leak**
4. HTTP → HTTP: **no leak**

For HTTP connections sent through the proxy, the proxy will identify the
header in the request itself and remove it prior to forwarding to the
destination server. However when sent over HTTPS, the
`Proxy-Authorization` header must be sent in the CONNECT request as the
proxy has no visibility into further tunneled requests. This results in
Requests forwarding the header to the destination server
unintentionally, allowing a malicious actor to potentially exfiltrate
those credentials.

The reason this currently works for HTTPS connections in Requests is the
`Proxy-Authorization` header is also handled by urllib3 with our usage
of the ProxyManager in adapters.py with
[`proxy_manager_for`](https://togithub.com/psf/requests/blob/f2629e9e3c7ce3c3c8c025bcd8db551101cbc773/requests/adapters.py#L199-L235).
This will compute the required proxy headers in `proxy_headers` and pass
them to the Proxy Manager, avoiding attaching them directly to the
Request object. This will be our preferred option going forward for
default usage.

### Patches
Starting in Requests v2.31.0, Requests will no longer attach this header
to redirects with an HTTPS destination. This should have no negative
impacts on the default behavior of the library as the proxy credentials
are already properly being handled by urllib3's ProxyManager.

For users with custom adapters, this _may_ be potentially breaking if
you were already working around this behavior. The previous
functionality of `rebuild_proxies` doesn't make sense in any case, so we
would encourage any users impacted to migrate any handling of
Proxy-Authorization directly into their custom adapter.

### Workarounds
For users who are not able to update Requests immediately, there is one
potential workaround.

You may disable redirects by setting `allow_redirects` to `False` on all
calls through Requests top-level APIs. Note that if you're currently
relying on redirect behaviors, you will need to capture the 3xx response
codes and ensure a new request is made to the redirect destination.
```python
import requests

# With redirects disabled, Requests never rebuilds a Proxy-Authorization
# header for a redirect target; a 3xx response is returned to the caller,
# which must decide whether and how to follow it.
r = requests.get('http://github.com/', allow_redirects=False)
```

### Credits

This vulnerability was discovered and disclosed by the following
individuals.

Dennis Brinkrolf, Haxolot (https://haxolot.com/)
Tobias Funke, (tobiasfunke93@gmail.com)

#### [CVE-2024-35195](https://togithub.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56)

When making requests through a Requests `Session`, if the first request
is made with `verify=False` to disable cert verification, all subsequent
requests to the same origin will continue to ignore cert verification
regardless of changes to the value of `verify`. This behavior will
continue for the lifecycle of the connection in the connection pool.

### Remediation
Any of these options can be used to remediate the current issue, we
highly recommend upgrading as the preferred mitigation.

* Upgrade to `requests>=2.32.0`.
* For `requests<2.32.0`, avoid setting `verify=False` for the first
request to a host while using a Requests Session.
* For `requests<2.32.0`, call `close()` on `Session` objects to clear
existing connections if `verify=False` is used.

### Related Links
* [https://github.com/psf/requests/pull/6655](https://togithub.com/psf/requests/pull/6655)

---

### Unintended leak of Proxy-Authorization header in requests
[CVE-2023-32681](https://nvd.nist.gov/vuln/detail/CVE-2023-32681) / [GHSA-j8r2-6x86-q33q](https://togithub.com/advisories/GHSA-j8r2-6x86-q33q) / PYSEC-2023-74

<details>
<summary>More information</summary>


#### Severity
- CVSS Score: 6.1 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N`

#### References
- [https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q](https://togithub.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q)
- [https://nvd.nist.gov/vuln/detail/CVE-2023-32681](https://nvd.nist.gov/vuln/detail/CVE-2023-32681)
- [https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5](https://togithub.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5)
- [https://github.com/psf/requests](https://togithub.com/psf/requests)
- [https://github.com/psf/requests/releases/tag/v2.31.0](https://togithub.com/psf/requests/releases/tag/v2.31.0)
- [https://github.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2023-74.yaml](https://togithub.com/pypa/advisory-database/tree/main/vulns/requests/PYSEC-2023-74.yaml)
- [https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html](https://lists.debian.org/debian-lts-announce/2023/06/msg00018.html)
- [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y)
- [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ)
- [https://security.gentoo.org/glsa/202309-08](https://security.gentoo.org/glsa/202309-08)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-j8r2-6x86-q33q) and the [GitHub
Advisory Database](https://togithub.com/github/advisory-database)
([CC-BY
4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### [CVE-2023-32681](https://nvd.nist.gov/vuln/detail/CVE-2023-32681) / [GHSA-j8r2-6x86-q33q](https://togithub.com/advisories/GHSA-j8r2-6x86-q33q) / PYSEC-2023-74

<details>
<summary>More information</summary>

#### Details
Requests is a HTTP library. Since Requests 2.3.0, Requests has been
leaking Proxy-Authorization headers to destination servers when
redirected to an HTTPS endpoint. This is a product of how we use
`rebuild_proxies` to reattach the `Proxy-Authorization` header to
requests. For HTTP connections sent through the tunnel, the proxy will
identify the header in the request itself and remove it prior to
forwarding to the destination server. However when sent over HTTPS, the
`Proxy-Authorization` header must be sent in the CONNECT request as the
proxy has no visibility into the tunneled request. This results in
Requests forwarding proxy credentials to the destination server
unintentionally, allowing a malicious actor to potentially exfiltrate
sensitive information. This issue has been patched in version 2.31.0.

#### Severity
Unknown

#### References
- [https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q](https://togithub.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q)
- [https://github.com/psf/requests/releases/tag/v2.31.0](https://togithub.com/psf/requests/releases/tag/v2.31.0)
- [https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5](https://togithub.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5)
- [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AW7HNFGYP44RT3DUDQXG2QT3OEV2PJ7Y/)

This data is provided by
[OSV](https://osv.dev/vulnerability/PYSEC-2023-74) and the [PyPI
Advisory Database](https://togithub.com/pypa/advisory-database) ([CC-BY
4.0](https://togithub.com/pypa/advisory-database/blob/main/LICENSE)).
</details>

---

### Requests `Session` object does not verify requests after making first request with verify=False
[CVE-2024-35195](https://nvd.nist.gov/vuln/detail/CVE-2024-35195) / [GHSA-9wx4-h78v-vm56](https://togithub.com/advisories/GHSA-9wx4-h78v-vm56)

<details>
<summary>More information</summary>


#### Severity
- CVSS Score: 5.6 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N`

#### References
- [https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56](https://togithub.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56)
- [https://nvd.nist.gov/vuln/detail/CVE-2024-35195](https://nvd.nist.gov/vuln/detail/CVE-2024-35195)
- [https://github.com/psf/requests/pull/6655](https://togithub.com/psf/requests/pull/6655)
- [https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac](https://togithub.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac)
- [https://github.com/psf/requests](https://togithub.com/psf/requests)
- [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYLSNK5TL46Q6XPRVMHVWS63MVJQOK4Q)
- [https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ)

This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-9wx4-h78v-vm56) and the [GitHub
Advisory Database](https://togithub.com/github/advisory-database)
([CC-BY
4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>psf/requests (requests)</summary>

### [`v2.32.2`](https://togithub.com/psf/requests/blob/HEAD/HISTORY.md#2322-2024-05-21)

[Compare Source](https://togithub.com/psf/requests/compare/v2.32.1...v2.32.2)

**Deprecations**

-   To provide a more stable migration for custom HTTPAdapters impacted
    by the CVE changes in 2.32.0, we've renamed `_get_connection` to
    a new public API, `get_connection_with_tls_context`. Existing custom
    HTTPAdapters will need to migrate their code to use this new API.
    `get_connection` is considered deprecated in all versions of
    Requests>=2.32.0.

    A minimal (2-line) example has been provided in the linked PR to ease
    migration, but we strongly urge users to evaluate if their custom
    adapter is subject to the same issue described in CVE-2024-35195.
    ([#6710](https://togithub.com/psf/requests/issues/6710))

### [`v2.32.1`](https://togithub.com/psf/requests/blob/HEAD/HISTORY.md#2321-2024-05-20)

[Compare Source](https://togithub.com/psf/requests/compare/v2.32.0...v2.32.1)

**Bugfixes**

-   Add missing test certs to the sdist distributed on PyPI.

### [`v2.32.0`](https://togithub.com/psf/requests/blob/HEAD/HISTORY.md#2320-2024-05-20)

[Compare Source](https://togithub.com/psf/requests/compare/v2.31.0...v2.32.0)

**Security**

-   Fixed an issue where setting `verify=False` on the first request from
    a Session will cause subsequent requests to the *same origin* to also
    ignore cert verification, regardless of the value of `verify`.
    (GHSA-9wx4-h78v-vm56)

**Improvements**

-   `verify=True` now reuses a global SSLContext which should improve
    request time variance between first and subsequent requests. It should
    also minimize certificate load time on Windows systems when using a
    Python version built with OpenSSL 3.x.
    ([#6667](https://togithub.com/psf/requests/issues/6667))
-   Requests now supports optional use of character detection
    (`chardet` or `charset_normalizer`) when repackaged or vendored.
    This enables `pip` and other projects to minimize their vendoring
    surface area. The `Response.text()` and `apparent_encoding` APIs
    will default to `utf-8` if neither library is present.
    ([#6702](https://togithub.com/psf/requests/issues/6702))

**Bugfixes**

-   Fixed bug in length detection where emoji length was incorrectly
    calculated in the request content-length.
    ([#6589](https://togithub.com/psf/requests/issues/6589))
-   Fixed deserialization bug in JSONDecodeError.
    ([#6629](https://togithub.com/psf/requests/issues/6629))
-   Fixed bug where an extra leading `/` (path separator) could lead
    urllib3 to unnecessarily reparse the request URI.
    ([#6644](https://togithub.com/psf/requests/issues/6644))

**Deprecations**

-   Requests has officially added support for CPython 3.12
    ([#6503](https://togithub.com/psf/requests/issues/6503))
-   Requests has officially added support for PyPy 3.9 and 3.10
    ([#6641](https://togithub.com/psf/requests/issues/6641))
-   Requests has officially dropped support for CPython 3.7
    ([#6642](https://togithub.com/psf/requests/issues/6642))
-   Requests has officially dropped support for PyPy 3.7 and 3.8
    ([#6641](https://togithub.com/psf/requests/issues/6641))

**Documentation**

-   Various typo fixes and doc improvements.

**Packaging**

-   Requests has started adopting some modern packaging practices.
    The source files for the projects (formerly `requests`) is now located
    in `src/requests` in the Requests sdist.
    ([#6506](https://togithub.com/psf/requests/issues/6506))
-   Starting in Requests 2.33.0, Requests will migrate to a PEP 517 build
    system using `hatchling`. This should not impact the average user, but
    extremely old versions of packaging utilities may have issues with the
    new packaging format.

### [`v2.31.0`](https://togithub.com/psf/requests/blob/HEAD/HISTORY.md#2310-2023-05-22)

[Compare Source](https://togithub.com/psf/requests/compare/v2.30.0...v2.31.0)

**Security**

-   Versions of Requests between v2.3.0 and v2.30.0 are vulnerable to
    potential forwarding of `Proxy-Authorization` headers to destination
    servers when following HTTPS redirects.

    When proxies are defined with user info (`https://user:pass@proxy:8080`),
    Requests will construct a `Proxy-Authorization` header that is attached
    to the request to authenticate with the proxy.

    In cases where Requests receives a redirect response, it previously
    reattached the `Proxy-Authorization` header incorrectly, resulting in
    the value being sent through the tunneled connection to the destination
    server. Users who rely on defining their proxy credentials in the URL
    are *strongly* encouraged to upgrade to Requests 2.31.0+ to prevent
    unintentional leakage and rotate their proxy credentials once the change
    has been fully deployed.

    Users who do not use a proxy or do not supply their proxy credentials
    through the user information portion of their proxy URL are not subject
    to this vulnerability.

    Full details can be read in our [Github Security
    Advisory](https://togithub.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q)
    and [CVE-2023-32681](https://nvd.nist.gov/vuln/detail/CVE-2023-32681).

### [`v2.30.0`](https://togithub.com/psf/requests/blob/HEAD/HISTORY.md#2300-2023-05-03)

[Compare Source](https://togithub.com/psf/requests/compare/v2.29.0...v2.30.0)

**Dependencies**

-   ⚠️ Added support for urllib3 2.0. ⚠️

    This may contain minor breaking changes so we advise careful testing and
    reviewing https://urllib3.readthedocs.io/en/latest/v2-migration-guide.html
    prior to upgrading.

    Users who wish to stay on urllib3 1.x can pin to `urllib3<2`.

### [`v2.29.0`](https://togithub.com/psf/requests/blob/HEAD/HISTORY.md#2290-2023-04-26)

[Compare Source](https://togithub.com/psf/requests/compare/v2.28.2...v2.29.0)

**Improvements**

-   Requests now defers chunked requests to the urllib3 implementation to
    improve standardization.
    ([#6226](https://togithub.com/psf/requests/issues/6226))
-   Requests relaxes header component requirements to support bytes/str
    subclasses.
    ([#6356](https://togithub.com/psf/requests/issues/6356))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View the
[repository job
log](https://developer.mend.io/github/DelineaXPM/python-dsv-sdk).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
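The CVE-2023-32681 advisory above describes `rebuild_proxies` reattaching `Proxy-Authorization` on redirect and gives a four-case leak table. The following is an added model of that logic, written for this page and not taken from the requests source: `rebuild_proxies_vulnerable` mirrors the pre-2.31.0 shape, `rebuild_proxies_fixed` the 2.31.0 shape (no header for an HTTPS destination), and `reaches_origin` stands in for a proxy that strips the header from plain HTTP but cannot touch a CONNECT tunnel. The proxy URL, host names and credentials are constructed placeholders.

```python
from base64 import b64encode
from urllib.parse import urlparse

# Constructed proxy configuration in the URL-userinfo form the advisory
# describes; "proxy", "user" and "pass" are placeholders, not real values.
PROXIES = {
    "http": "https://user:pass@proxy:8080",
    "https": "https://user:pass@proxy:8080",
}


def basic_auth(username, password):
    """Build the Basic credential a Proxy-Authorization header carries."""
    raw = f"{username}:{password}".encode("latin1")
    return "Basic " + b64encode(raw).decode("ascii")


def proxy_credentials(redirect_url, proxies):
    """(username, password) of the proxy chosen for the URL's scheme, or None
    when no proxy is configured or its URL carries no user info."""
    proxy = proxies.get(urlparse(redirect_url).scheme)
    if not proxy:
        return None
    parsed = urlparse(proxy)
    if parsed.username and parsed.password:
        return parsed.username, parsed.password
    return None


def rebuild_proxies_vulnerable(redirect_url, proxies):
    """Pre-2.31.0 shape: reattach Proxy-Authorization to the redirected
    request whenever the proxy URL has credentials, whatever the scheme."""
    headers = {}
    creds = proxy_credentials(redirect_url, proxies)
    if creds:
        headers["Proxy-Authorization"] = basic_auth(*creds)
    return headers


def rebuild_proxies_fixed(redirect_url, proxies):
    """2.31.0 shape: never attach the header for an HTTPS destination. Inside
    a CONNECT tunnel the proxy cannot strip it, so it would reach the origin;
    urllib3's ProxyManager sends it on the CONNECT request instead."""
    headers = {}
    if urlparse(redirect_url).scheme == "https":
        return headers
    creds = proxy_credentials(redirect_url, proxies)
    if creds:
        headers["Proxy-Authorization"] = basic_auth(*creds)
    return headers


def reaches_origin(redirect_url, headers):
    """Model of the proxy: for plain HTTP it sees and removes the header;
    for HTTPS the request is tunnelled and arrives at the origin as sent."""
    tunnelled = urlparse(redirect_url).scheme == "https"
    return tunnelled and "Proxy-Authorization" in headers


def leak_table(rebuild, proxies=PROXIES):
    """Reproduce the advisory's four (source scheme -> destination scheme)
    cases. As in the advisory, only the destination scheme decides the
    outcome; the source scheme is kept so the table reads the same way."""
    host = "origin.example"  # constructed destination host
    table = {}
    for src in ("http", "https"):
        for dst in ("http", "https"):
            url = f"{dst}://{host}/landing"
            table[(src, dst)] = reaches_origin(url, rebuild(url, proxies))
    return table
```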
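The CVE-2024-35195 section above states that a `Session` keeps ignoring certificate verification for the lifetime of a pooled connection once the first request used `verify=False`, and lists upgrading or calling `close()` as remediations. The following is an added model of that pool behaviour, written for this page rather than taken from requests or urllib3: `PoolingSession` and `Connection` are hypothetical names; `key_includes_tls=False` models the `<2.32.0` origin-only pool key, and `key_includes_tls=True` models the 2.32.0 fix, where the TLS settings become part of the key.

```python
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Connection:
    """A pooled keep-alive connection. Its TLS verification setting is fixed
    when the socket is opened and cannot change for the connection's life."""
    host: str
    verify: bool
    requests_served: int = 0


class PoolingSession:
    """Minimal stand-in for a Session with a per-origin connection pool."""

    def __init__(self, key_includes_tls):
        self.key_includes_tls = key_includes_tls
        self._pool = {}

    def _pool_key(self, url, verify):
        parsed = urlparse(url)
        key = (parsed.scheme, parsed.hostname, parsed.port or 443)
        if self.key_includes_tls:
            # 2.32.0 fix modelled here: different TLS settings never share
            # a pooled connection.
            key += (verify,)
        return key

    def request(self, url, verify=True):
        """Return the connection that served the request. Its .verify is the
        certificate check actually applied, not what the caller asked for."""
        key = self._pool_key(url, verify)
        conn = self._pool.get(key)
        if conn is None:
            conn = Connection(urlparse(url).hostname, verify)
            self._pool[key] = conn
        conn.requests_served += 1
        return conn

    def close(self):
        """Drop all pooled connections (the advisory's close() workaround)."""
        self._pool.clear()


def applied_verification(session, url, requested):
    """For each requested verify value, record what the pool enforced."""
    return [session.request(url, verify=v).verify for v in requested]


def verify_mismatches(session, url, requested):
    """Indices of requests that asked for verify=True but were served over a
    connection opened without verification; non-empty means exposure."""
    applied = applied_verification(session, url, requested)
    return [i for i, (want, got) in enumerate(zip(requested, applied))
            if want and not got]
```

The close() remediation is reproduced by calling `session.close()` between the `verify=False` request and the next one on a `key_includes_tls=False` session.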
renovate[bot] authored Jul 25, 2024
1 parent 364aceb commit 0c4702f
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion requirements.txt
@@ -1,4 +1,4 @@
requests==2.28.2
requests==2.32.2
tox
pytest
python-dotenv
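Review bot: the single pin bump `requests==2.28.2` -> `requests==2.32.2` crosses two changes the release notes above flag as potentially breaking: 2.30.0 adds urllib3 2.0 support (pin `urllib3<2` in this file if the SDK is not ready for it), and 2.32.0 changes how custom HTTPAdapters obtain connections (`_get_connection` deprecated in favour of `get_connection_with_tls_context`). Before merging, confirm the SDK defines no custom HTTPAdapter and that the `tox`/`pytest` run listed in this file passes against 2.32.2; since the diff only moves the pin, nothing here records that either check was done.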
