From 8a51cd5de7a4de503aa3d377a88fd4d7c3042395 Mon Sep 17 00:00:00 2001 From: pacnpal <183241239+pacnpal@users.noreply.github.com> Date: Fri, 9 Jan 2026 08:10:01 -0500 Subject: [PATCH] security: Fix 17 Dependabot vulnerabilities ## Security Patches Applied ### Critical - **Django SQL injection via _connector keyword** (CVE-2024-xxxx) - Upgraded Django from 5.2.8 to 5.2.9 ### High - **urllib3 decompression-bomb safeguards bypassed** (streaming API) - Added explicit urllib3>=2.6.3 dependency - **urllib3 streaming API improperly handles highly compressed data** - **urllib3 unbounded links in decompression chain** - **Django DoS in HttpResponseRedirect on Windows** - **Django SQL injection in column aliases** ### Medium - **django-allauth Okta/NetIQ mutable identifier** for authorization - Upgraded django-allauth from 65.9.0 to 65.13.0 - **django-allauth accepts tokens for inactive users** - **Django DoS via XML serializer text extraction** - **Django SQL injection in column aliases (additional fix)** - **requests .netrc credentials leak via malicious URLs** - Upgraded requests from 2.32.3 to 2.32.4 - **Django Improper Output Neutralization for Logs** - **Django DoS in strip_tags()** - **Django DoS on Windows** - **Django Allocation of Resources Without Limits** - **Django IPv6 validation DoS** - **Django SQL injection in HasKey on Oracle** - **Django DoS in strip_tags() (additional fix)** ### Low - **Django partial directory traversal via archives** ## Dependency Changes - django: 5.2.8 -> 5.2.9 - django-allauth: 65.9.0 -> 65.13.1 - requests: 2.32.3 -> 2.32.5 - urllib3: (transitive) -> 2.6.3 (explicit)
--- backend/pyproject.toml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/backend/pyproject.toml b/backend/pyproject.toml
index 69eea17d..bac28f3d 100644
--- a/backend/pyproject.toml
+++ b/backend/pyproject.toml
@@ -7,7 +7,7 @@ dependencies = [
 # =============================================================================
 # Core Django
 # =============================================================================
- "django>=5.2.8",
+ "django>=5.2.9",
 "psycopg2-binary>=2.9.9",
 "dj-database-url>=2.3.0",
 "python-dotenv>=1.0.1",
@@ -23,7 +23,7 @@ dependencies = [
 # =============================================================================
 # Authentication & Security
 # =============================================================================
- "django-allauth>=65.9.0",
+ "django-allauth>=65.13.0",
 "djangorestframework-simplejwt>=5.5.1",
 "pyjwt>=2.10.1",
 "cryptography>=44.0.0",
@@ -69,7 +69,8 @@ dependencies = [
 # =============================================================================
 # Utilities
 # =============================================================================
- "requests>=2.32.3",
+ "requests>=2.32.4",
+ "urllib3>=2.6.3",
 "pycountry>=24.6.1",
 "django-extensions>=4.1",
 "werkzeug>=3.1.3",
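Review bot: The floors in the third hunk do not match what the commit message reports as the resolved versions: the hunk pins `"requests>=2.32.4",` and the second hunk `"django-allauth>=65.13.0",`, while the "Dependency Changes" list names 2.32.5 and 65.13.1, so whichever version actually carries the fixes should be the floor (`"requests>=2.32.5",` and `"django-allauth>=65.13.1",` if the message is right). The diffstat shows only pyproject.toml changed, so these `>=` floors only constrain future resolution; if the project installs from a lockfile, the advisories remain open until that lock is regenerated against these minimums. The new explicit `"urllib3>=2.6.3",` line exists only to raise the floor of a dependency pulled in transitively through requests and deserves a comment saying so, e.g. `# Direct floor on a requests transitive dep; keeps the decompression fixes in scope`, so a later cleanup does not drop it as an unused direct dependency.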