Upgrade to Flask 3.1.3 and fix other security vulnerabilities

Dockerfile

@@ -45,8 +45,23 @@ EXPOSE 5000
 
 RUN useradd --create-home redash
 
-# Ubuntu packages
+# Add Debian trixie-security and trixie-updates repositories so we get the latest
+# security fixes and stable point updates at build time.
+# trixie-proposed-updates is kept for opt-in pre-release fixes already in flight.
+RUN set -eux; \
+  printf 'deb http://deb.debian.org/debian-security trixie-security main\n' \
+    > /etc/apt/sources.list.d/trixie-security.list; \
+  printf 'deb http://deb.debian.org/debian trixie-updates main\n' \
+    > /etc/apt/sources.list.d/trixie-updates.list; \
+  printf 'deb http://deb.debian.org/debian trixie-proposed-updates main\n' \
+    > /etc/apt/sources.list.d/trixie-proposed-updates.list
+
+# Apply security archive first (forces -t trixie-security so the security pocket wins),
+# then a general upgrade for stable point updates, then install build dependencies.
 RUN apt-get update && \
+  DEBIAN_FRONTEND=noninteractive apt-get -y -t trixie-security upgrade && \
+  DEBIAN_FRONTEND=noninteractive apt-get -y -t trixie-updates upgrade && \
+  DEBIAN_FRONTEND=noninteractive apt-get -y upgrade && \
   apt-get install -y --no-install-recommends \
   pkg-config \
   curl \
@@ -97,10 +112,12 @@ EOF
 
 WORKDIR /app
 
-ENV POETRY_VERSION=2.1.4
+ENV POETRY_VERSION=2.4.1
 ENV POETRY_HOME=/etc/poetry
 ENV POETRY_VIRTUALENVS_CREATE=false
-RUN curl -sSL --retry 3 --retry-delay 5 https://install.python-poetry.org | python3 -
+
+RUN python3 -m pip install --no-cache-dir --upgrade "pip>=26.1" "setuptools>=78.1.1" "wheel>=0.46.2" \
+  && curl -sSL --retry 3 --retry-delay 5 https://install.python-poetry.org | python3 -
 
 # Avoid crashes, including corrupted cache artifacts, when building multi-platform images with GitHub Actions.
 RUN /etc/poetry/bin/poetry cache clear pypi --all

client/.babelrc

@@ -13,13 +13,7 @@
   ],
   "plugins": [
     "@babel/plugin-transform-class-properties",
-    "@babel/plugin-transform-object-assign",
-    [
-      "babel-plugin-transform-builtin-extend",
-      {
-        "globals": ["Error"]
-      }
-    ]
+    "@babel/plugin-transform-object-assign"
   ],
   "env": {
     "test": {

client/app/components/dashboards/TextboxDialog.jsx

@@ -1,5 +1,5 @@
 import { toString } from "lodash";
-import { markdown } from "markdown";
+import { marked } from "marked";
 import React, { useState, useEffect, useCallback } from "react";
 import PropTypes from "prop-types";
 import { useDebouncedCallback } from "use-debounce";
@@ -20,11 +20,11 @@ function TextboxDialog({ dialog, isNew, ...props }) {
 
   useEffect(() => {
     setText(props.text);
-    setPreview(markdown.toHTML(props.text));
+    setPreview(marked.parse(props.text || ""));
   }, [props.text]);
 
   const [updatePreview] = useDebouncedCallback(() => {
-    setPreview(markdown.toHTML(text));
+    setPreview(marked.parse(text || ""));
   }, 200);
 
   const handleInputChange = useCallback(

client/app/components/dashboards/dashboard-widget/TextboxWidget.jsx

@@ -1,6 +1,6 @@
 import React, { useState } from "react";
 import PropTypes from "prop-types";
-import { markdown } from "markdown";
+import { marked } from "marked";
 import Menu from "antd/lib/menu";
 import HtmlContent from "@redash/viz/lib/components/HtmlContent";
 import TextboxDialog from "@/components/dashboards/TextboxDialog";
@@ -32,7 +32,7 @@ function TextboxWidget(props) {
 
   return (
     <Widget {...props} menuOptions={canEdit ? TextboxMenuOptions : null} className="widget-text">
-      <HtmlContent className="body-row-auto scrollbox t-body p-15 markdown">{markdown.toHTML(text || "")}</HtmlContent>
+      <HtmlContent className="body-row-auto scrollbox t-body p-15 markdown">{marked.parse(text || "")}</HtmlContent>
     </Widget>
   );
 }

client/app/components/dashboards/dashboard-widget/VisualizationWidget.jsx

@@ -1,7 +1,7 @@
 import React, { useState } from "react";
 import PropTypes from "prop-types";
 import { compact, isEmpty, invoke, map } from "lodash";
-import { markdown } from "markdown";
+import { marked } from "marked";
 import cx from "classnames";
 import Menu from "antd/lib/menu";
 import HtmlContent from "@redash/viz/lib/components/HtmlContent";
@@ -107,7 +107,7 @@ function VisualizationWidgetHeader({
           </p>
           {!isEmpty(widget.getQuery().description) && (
             <HtmlContent className="text-muted markdown query--description">
-              {markdown.toHTML(widget.getQuery().description || "")}
+              {marked.parse(widget.getQuery().description || "")}
             </HtmlContent>
           )}
         </div>

client/app/pages/queries/VisualizationEmbed.jsx

@@ -2,7 +2,7 @@ import { find, has } from "lodash";
 import React, { useState, useEffect, useCallback } from "react";
 import PropTypes from "prop-types";
 import moment from "moment";
-import { markdown } from "markdown";
+import { marked } from "marked";
 
 import Button from "antd/lib/button";
 import Dropdown from "antd/lib/dropdown";
@@ -40,7 +40,7 @@ function VisualizationEmbedHeader({ queryName, queryDescription, visualization }
         <VisualizationName visualization={visualization} /> {queryName}
         {queryDescription && (
           <small>
-            <HtmlContent className="markdown text-muted">{markdown.toHTML(queryDescription || "")}</HtmlContent>
+            <HtmlContent className="markdown text-muted">{marked.parse(queryDescription || "")}</HtmlContent>
           </small>
         )}
       </h3>

client/cypress/cypress.js

@@ -1,10 +1,8 @@
 /* eslint-disable import/no-extraneous-dependencies, no-console */
-const { find } = require("lodash");
+const axios = require("axios");
 const { execSync } = require("child_process");
-const { get, post } = require("request").defaults({ jar: true });
-const { seedData } = require("./seed-data");
 const fs = require("fs");
-var Cookie = require("request-cookies").Cookie;
+const { seedData } = require("./seed-data");
 
 let cypressConfigBaseUrl;
 try {
@@ -14,31 +12,76 @@ try {
 
 const baseUrl = process.env.CYPRESS_baseUrl || cypressConfigBaseUrl || "http://localhost:5001";
 
-function seedDatabase(seedValues) {
-  get(baseUrl + "/login", (_, { headers }) => {
-    const request = seedValues.shift();
-    const data = request.type === "form" ? { formData: request.data } : { json: request.data };
-
-    if (headers["set-cookie"]) {
-      const cookies = headers["set-cookie"].map((cookie) => new Cookie(cookie));
-      const csrfCookie = find(cookies, { key: "csrf_token" });
-      if (csrfCookie) {
-        if (request.type === "form") {
-          data["formData"] = { ...data["formData"], csrf_token: csrfCookie.value };
-        } else {
-          data["headers"] = { "X-CSRFToken": csrfCookie.value };
-        }
-      }
-    }
+// Minimal cookie jar (avoids deprecated `request` / `request-cookies` packages).
+function parseSetCookieHeader(setCookieHeaders) {
+  const jar = {};
+  if (!setCookieHeaders) return jar;
+  const headers = Array.isArray(setCookieHeaders) ? setCookieHeaders : [setCookieHeaders];
+  for (const header of headers) {
+    const [pair] = header.split(";");
+    const idx = pair.indexOf("=");
+    if (idx === -1) continue;
+    const name = pair.slice(0, idx).trim();
+    const value = pair.slice(idx + 1).trim();
+    if (name) jar[name] = value;
+  }
+  return jar;
+}
 
-    post(baseUrl + request.route, data, (err, response) => {
-      const result = response ? response.statusCode : err;
-      console.log("POST " + request.route + " - " + result);
-      if (seedValues.length) {
-        seedDatabase(seedValues);
-      }
+function cookieJarToHeader(jar) {
+  return Object.entries(jar)
+    .map(([k, v]) => `${k}=${v}`)
+    .join("; ");
+}
+
+function buildFormBody(data) {
+  return Object.entries(data)
+    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
+    .join("&");
+}
+
+async function seedDatabase(seedValues) {
+  let cookieJar = {};
+  try {
+    const loginResp = await axios.get(`${baseUrl}/login`, {
+      maxRedirects: 0,
+      validateStatus: () => true,
     });
-  });
+    cookieJar = parseSetCookieHeader(loginResp.headers["set-cookie"]);
+  } catch (err) {
+    console.log(`GET /login failed: ${err.message}`);
+  }
+
+  const csrfToken = cookieJar.csrf_token;
+
+  for (const request of seedValues) {
+    const isForm = request.type === "form";
+    const headers = { Cookie: cookieJarToHeader(cookieJar) };
+
+    let body;
+    if (isForm) {
+      const formData = csrfToken ? { ...request.data, csrf_token: csrfToken } : { ...request.data };
+      body = buildFormBody(formData);
+      headers["Content-Type"] = "application/x-www-form-urlencoded";
+    } else {
+      body = request.data;
+      headers["Content-Type"] = "application/json";
+      if (csrfToken) headers["X-CSRFToken"] = csrfToken;
+    }
+
+    try {
+      const response = await axios.post(`${baseUrl}${request.route}`, body, {
+        headers,
+        maxRedirects: 0,
+        validateStatus: () => true,
+      });
+      console.log(`POST ${request.route} - ${response.status}`);
+      const newCookies = parseSetCookieHeader(response.headers["set-cookie"]);
+      cookieJar = { ...cookieJar, ...newCookies };
+    } catch (err) {
+      console.log(`POST ${request.route} - ${err.message}`);
+    }
+  }
 }
 
 function buildServer() {
@@ -75,38 +118,40 @@ function runCypressCI() {
 
 const command = process.argv[2] || "all";
 
-switch (command) {
-  case "build":
-    buildServer();
-    break;
-  case "start":
-    startServer();
-    if (!process.argv.includes("--skip-db-seed")) {
-      seedDatabase(seedData);
-    }
-    break;
-  case "db-seed":
-    seedDatabase(seedData);
-    break;
-  case "run":
-    execSync("cypress run", { stdio: "inherit" });
-    break;
-  case "open":
-    execSync("cypress open", { stdio: "inherit" });
-    break;
-  case "run-ci":
-    runCypressCI();
-    break;
-  case "stop":
-    stopServer();
-    break;
-  case "all":
-    startServer();
-    seedDatabase(seedData);
-    execSync("cypress run", { stdio: "inherit" });
-    stopServer();
-    break;
-  default:
-    console.log("Usage: pnpm run cypress [build|start|db-seed|open|run|stop]");
-    break;
-}
+(async () => {
+  switch (command) {
+    case "build":
+      buildServer();
+      break;
+    case "start":
+      startServer();
+      if (!process.argv.includes("--skip-db-seed")) {
+        await seedDatabase(seedData);
+      }
+      break;
+    case "db-seed":
+      await seedDatabase(seedData);
+      break;
+    case "run":
+      execSync("cypress run", { stdio: "inherit" });
+      break;
+    case "open":
+      execSync("cypress open", { stdio: "inherit" });
+      break;
+    case "run-ci":
+      runCypressCI();
+      break;
+    case "stop":
+      stopServer();
+      break;
+    case "all":
+      startServer();
+      await seedDatabase(seedData);
+      execSync("cypress run", { stdio: "inherit" });
+      stopServer();
+      break;
+    default:
+      console.log("Usage: pnpm run cypress [build|start|db-seed|open|run|stop]");
+      break;
+  }
+})();