
security: replace advocate with champion and upgrade urllib3 to 2.x#7746

Draft
wtfiwtz wants to merge 1 commit into getredash:master from orchestrated-io:security/champion-ssrf

Conversation

@wtfiwtz

@wtfiwtz wtfiwtz commented Jun 2, 2026

Summary

Replace the deprecated advocate library with champion (modern fork) and upgrade urllib3 to 2.x. SSRF protection is now opt-in via the champion package.

Changes

  • Remove advocate from core dependencies (unmaintained, blocks urllib3 2.x)
  • urllib3: 1.26.19 → 2.7.0
  • boto3: 1.28.8 → 1.43.7 (botocore 1.31.x pinned urllib3 <1.27, blocking upgrade)
  • botocore: 1.31.8 → 1.43.7
  • Add transitive dependencies: azure-core, grpcio, h11, httpcore, marshmallow
  • Add optional [tool.poetry.group.ssrf] with champion pinned to git rev 74cf301
  • Change ENFORCE_PRIVATE_ADDRESS_BLOCK default: true → false
  • SSRF protection now requires explicit opt-in + champion install

Code Changes

  • Replace requests_or_advocate → requests_or_champion throughout
  • Conditional champion import with helpful error message when unavailable
  • Update imports in query_runner/__init__.py, csv.py, excel.py
  • Update settings/__init__.py with new default and documentation
  • Update tests/query_runner/test_http.py

CVEs Addressed

  • CVE-2023-43804 (urllib3): Cookie header injection
  • CVE-2024-37891 (urllib3): Proxy-authorization header leak on redirect
  • Multiple urllib3 1.26.x → 2.x security fixes through 2.7.0

SSRF Protection (Now Opt-In)

To enable SSRF protection:

  1. Set REDASH_ENFORCE_PRIVATE_IP_BLOCK=true
  2. Install champion:
    • Via Poetry: poetry install --with ssrf
    • Or: pip install git+https://github.com/Gee19/champion.git

Breaking Changes

⚠️ SSRF protection is now OFF by default (was ON with advocate)

Why:

  • The advocate library is unmaintained and blocks urllib3 2.x upgrade (requires urllib3 <2.0)
  • champion is a modern fork that supports urllib3 2.x but is not yet stable (no PyPI release, pinned to git commit)
  • Making it opt-in reduces risk while allowing the security upgrade

Impact:

  • Deployments that relied on advocate being always installed with blocking enabled by default must explicitly:
    1. Set REDASH_ENFORCE_PRIVATE_IP_BLOCK=true
    2. Install champion: poetry install --with ssrf (or add ssrf to Dockerfile install_groups)

Testing

  • ✅ Python tests pass
  • ✅ Frontend tests pass
  • poetry lock regenerates successfully


Replace the deprecated advocate library with champion (modern fork) and upgrade
urllib3 to 2.x. SSRF protection is now opt-in via the champion package.

Changes:
- Remove advocate from core dependencies
- urllib3: 1.26.19 → 2.7.0
- boto3: 1.28.8 → 1.43.7 (botocore 1.31.x pinned urllib3 <1.27)
- botocore: 1.31.8 → 1.43.7
- Add transitive dependencies: azure-core, grpcio, h11, httpcore, marshmallow
- Add optional [tool.poetry.group.ssrf] with champion pinned to git rev 74cf301
- Change ENFORCE_PRIVATE_ADDRESS_BLOCK default: true → false
- SSRF protection now requires explicit opt-in + champion install

Code changes:
- Replace requests_or_advocate with requests_or_champion throughout
- Conditional champion import with helpful error message when unavailable
- Update imports in query_runner/__init__.py, csv.py, excel.py
- Update settings/__init__.py with new default and documentation
- Update tests/query_runner/test_http.py

CVEs Addressed:
- CVE-2023-43804 (urllib3): Cookie header injection
- CVE-2024-37891 (urllib3): Proxy-authorization header leak on redirect
- Multiple urllib3 1.26.x → 2.x security fixes

SSRF protection is now opt-in:
- Set REDASH_ENFORCE_PRIVATE_IP_BLOCK=true
- Install with: poetry install --with ssrf
- Or: pip install git+https://github.com/Gee19/champion.git

Breaking Changes:
- SSRF protection is now OFF by default (was ON with advocate)
- Deployments that relied on advocate must explicitly enable champion

Testing:
- ✅ Python tests pass
- ✅ Frontend tests pass
- ✅ poetry lock regenerates successfully

Co-authored-by: Cursor <cursoragent@cursor.com>
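The PR description and the commit message both describe the same mechanism: the private-address block becomes an explicit opt-in (REDASH_ENFORCE_PRIVATE_IP_BLOCK), and the protected client (champion) is only imported when the flag is on, with a clear error when it is missing. The following is an added illustration of that resolution logic written for this page; it is not Redash's requests_or_champion module or champion's code, and the function names (parse_flag, resolve_http_client, is_private_address, client_from_environ) are hypothetical. It does not call champion's API at all: it only attempts the import by module name, and whether requests or champion is importable depends on the environment it runs in. The address check is a stdlib stand-in for the policy a private-address blocker enforces on IP literals; a real blocker also resolves hostnames and checks every resolved address, which this example deliberately does not do.

```python
"""Opt-in SSRF protection resolver (added illustration, not Redash or champion code).

Models the policy described in the PR: when the block flag is off, use the plain
HTTP client; when it is on, the protected client must be importable, and if it is
not we fail closed with an explicit error rather than silently falling back to an
unprotected client.
"""
import importlib
import ipaddress
import os
from types import ModuleType
from typing import Mapping, Optional


class SSRFProtectionUnavailable(RuntimeError):
    """Raised when the block is enabled but the protected client cannot be imported."""


def parse_flag(value: Optional[str], default: bool = False) -> bool:
    """Parse a boolean environment value; unset/empty falls back to `default`.

    The default of False mirrors the PR's new ENFORCE_PRIVATE_ADDRESS_BLOCK default.
    """
    if value is None or value.strip() == "":
        return default
    return value.strip().lower() in ("true", "1", "yes", "on")


def resolve_http_client(enforce_private_ip_block: bool,
                        protected_module: str = "champion",
                        plain_module: str = "requests") -> ModuleType:
    """Return the HTTP client module to use.

    Flag off  -> plain client (no private-address blocking).
    Flag on   -> protected client, or SSRFProtectionUnavailable if it is absent.
    Module names are parameters so the logic can be exercised without either
    library installed (hypothetical helper, not Redash's own).
    """
    if not enforce_private_ip_block:
        return importlib.import_module(plain_module)
    try:
        return importlib.import_module(protected_module)
    except ImportError as exc:
        # Fail closed: never hand back the unprotected client when the operator
        # asked for the block. The message tells the operator how to fix it.
        raise SSRFProtectionUnavailable(
            "REDASH_ENFORCE_PRIVATE_IP_BLOCK is true but the protected HTTP client "
            f"'{protected_module}' is not installed; install it "
            "(poetry install --with ssrf) or set the flag to false."
        ) from exc


def is_private_address(ip_literal: str) -> bool:
    """Stand-in for the address policy a private-address blocker enforces.

    Treats loopback, RFC 1918 / ULA, link-local (including the cloud metadata
    range 169.254.0.0/16), multicast, reserved and unspecified addresses as
    blocked. Only IP literals are checked here; hostname resolution is out of scope.
    """
    addr = ipaddress.ip_address(ip_literal)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def client_from_environ(environ: Optional[Mapping[str, str]] = None) -> ModuleType:
    """Read the flag from the environment (os.environ by default) and resolve the client."""
    env = os.environ if environ is None else environ
    return resolve_http_client(parse_flag(env.get("REDASH_ENFORCE_PRIVATE_IP_BLOCK")))


if __name__ == "__main__":
    # Constructed scenario: flag on, protected client absent -> explicit failure.
    try:
        resolve_http_client(True, protected_module="champion_not_installed_placeholder")
    except SSRFProtectionUnavailable as err:
        print("fail-closed:", err)
    # Constructed targets an opt-in blocker would refuse versus allow.
    for target in ("127.0.0.1", "10.0.0.5", "169.254.169.254", "::1", "93.184.216.34"):
        print(target, "blocked" if is_private_address(target) else "allowed")
```

The point worth checking in a deployment is the fail-closed branch: with the flag set to true and champion absent, startup should stop with the message above rather than continue with plain requests, which is exactly the silent downgrade the opt-in design could otherwise introduce.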