[BB2-1029] Bump Django 2.2.24 To 2.2.25 To Mediate Vuln (Access Restriction Bypass) #1004

Merged

Conversation

@JFU-GIT (Contributor) commented Jan 3, 2022

JIRA Ticket:
BB2-1029

User Story or Bug Summary:

Weekly security audit Snyk scan reported one medium vuln:

details are shown below:

django Access Restriction Bypass

VULNERABILITY
CWE-284
CVE-2021-44420
CVSS 5.3 MEDIUM

SNYK-PYTHON-DJANGO-2312875

SCORE
551

Introduced through
[email protected], [email protected] and others
Fixed in
django@2.2.25, @3.1.14, @3.2.10
Exploit maturity
NO KNOWN EXPLOIT
Show less detail
Detailed paths and remediation
Introduced through: [email protected][email protected]
Fix: Upgrade django to version 2.2.25 or 3.1.14 or 3.2.10
Introduced through: [email protected][email protected][email protected]
Fix: Pin django to version 2.2.25 or 3.1.14 or 3.2.10
Introduced through: [email protected][email protected][email protected]
Fix: Pin django to version 2.2.25 or 3.1.14 or 3.2.10
…and 9 more

Overview
Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to Access Restriction Bypass. HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.

It is desirable to fix this - upgrade django from 2.2.24 to 2.2.25

  • What group is this impacting? (Bold one)
    • BB2 Developers
    • 3rd Party apps
    • Environment
    • Benes
    • *All above*
  • What’s the reason/benefit to doing this work?
    • BB2 Security practice
  • Is there an immediate need or time concern with this work?
    • Yes, vulnerability needs to be addressed asap

AC:

Django upgraded to 2.2.25

Pass all tests: unittests, integration tests, selenium tests

What Does This PR Do?

Upgrade Django from 2.2.24 to 2.2.25

What Should Reviewers Watch For?

If you're reviewing this PR, please check these things, in particular:

  • TODO

What Security Implications Does This PR Have?

Submitters should complete the following questionnaire:

  • If the answer to any of the questions below is Yes, then here's a link to the associated Security Impact Assessment (SIA), security checklist, or other similar document in Confluence: N/A.
    • Does this PR add any new software dependencies? No.
    • Does this PR modify or invalidate any of our security controls? No.
    • Does this PR store or transmit data that was not stored or transmitted before? No.
  • If the answer to any of the questions below is Yes, then please add StewGoin as a reviewer, and note that this PR should not be merged unless/until he also approves it.
    • Do you think this PR requires additional review of its security implications for other reasons? No.

What Needs to Be Merged and Deployed Before this PR?

This PR cannot be either merged or deployed until the following pre-requisite changes have been fully deployed:

  • CMSgov/some_repo#42

Any Migrations?

  • Yes, there are migrations
    • The migrations should be run PRIOR to the code being deployed
    • The migrations should be run AFTER the code is deployed
    • There is a more complicated migration plan (downtime, etc)
  • No migrations

Submitter Checklist

I have gone through and verified that...:

  • This PR is reasonably limited in scope, to help ensure that:
    1. It doesn't unnecessarily tie a bunch of disparate features, fixes, refactorings, etc. together.
    2. There isn't too much of a burden on reviewers.
    3. Any problems it causes have a small "blast radius".
    4. It'll be easier to rollback if that becomes necessary.
  • I have named this PR and its branch such that they'll automatically be linked to the (most) relevant Jira issue, per: https://confluence.atlassian.com/adminjiracloud/integrating-with-development-tools-776636216.html.
  • This PR includes any required documentation changes, including README updates and changelog / release notes entries.
  • All new and modified code is appropriately commented, such that the what and why of its design would be reasonably clear to engineers, preferably ones unfamiliar with the project.
  • All tech debt and/or shortcomings introduced by this PR are detailed in TODO and/or FIXME comments, which include a JIRA ticket ID for any items that require urgent attention.
  • Reviews are requested from both:
    • At least two other engineers on this project, at least one of whom is a senior engineer or owns the relevant component(s) here.
    • Any relevant engineers on other projects (e.g. BFD, SLS, etc.).
  • Any deviations from the other policies in the DASG Engineering Standards are specifically called out in this PR, above.
    • Please review the standards every few months to ensure you're familiar with them.

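The Snyk overview above says only that "URLs with trailing newlines could bypass upstream access control based on URL paths". The mechanism behind CVE-2021-44420 is a Python regex detail: the `$` anchor matches not just at the end of a string but also immediately before a trailing `\n`, so a route regex ending in `$` (the form Django builds for `path("admin/", ...)`) also matches `admin/\n`, while an exact-match rule in front of Django does not. The snippet below is an added illustration, not code from this PR or from Django: the `UPSTREAM_DENY` list, the two route tables and the `resolve()` helper are hypothetical stand-ins for a reverse-proxy deny rule and Django's URL resolver, and the `\Z` variant shows the stricter end-of-string anchoring that closes the gap.

```python
import re
from typing import Dict, Optional
from urllib.parse import unquote

# Hypothetical upstream (reverse-proxy style) rule: exact-match deny list on
# the decoded request path. Constructed for this example, not the project's config.
UPSTREAM_DENY = {"/admin/", "/internal/metrics/"}


def upstream_allows(path: str) -> bool:
    """Return True if the hypothetical upstream filter would forward this path."""
    return path not in UPSTREAM_DENY


# Route regexes in the shape a framework compiles "admin/" into: anchored at the
# start, terminated with `$` (accepts a trailing newline) or `\Z` (true end of
# string). Route names are assumptions for the example.
VULNERABLE_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "admin": re.compile(r"^admin/$"),
    "metrics": re.compile(r"^internal/metrics/$"),
}
FIXED_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "admin": re.compile(r"^admin/\Z"),
    "metrics": re.compile(r"^internal/metrics/\Z"),
}


def resolve(path: str, patterns: Dict[str, "re.Pattern[str]"]) -> Optional[str]:
    """Toy URL resolver: drop the leading slash and return the first matching route name."""
    route = path.lstrip("/")
    for name, pattern in patterns.items():
        if pattern.search(route):
            return name
    return None


def reaches_protected_view(path: str, patterns: Dict[str, "re.Pattern[str]"]) -> bool:
    """True if the path passes the upstream filter AND still resolves to a protected route."""
    return upstream_allows(path) and resolve(path, patterns) is not None


def demo() -> Dict[str, object]:
    """Compare a normal request with the newline-suffixed one under both route tables."""
    normal = unquote("/admin/")      # decoded path "/admin/"
    bypass = unquote("/admin/%0A")   # decoded path "/admin/\n" (constructed probe)
    return {
        # Exact-match deny rule stops the plain path in both cases.
        "normal_blocked_upstream": not upstream_allows(normal),
        # The plain path still routes correctly under the fixed patterns.
        "normal_resolves_fixed": resolve(normal, FIXED_PATTERNS),
        # "/admin/\n" is not in the deny set, and `^admin/$` still matches it.
        "bypass_vulnerable": reaches_protected_view(bypass, VULNERABLE_PATTERNS),
        # With `\Z` the trailing newline no longer matches, so the probe 404s instead.
        "bypass_fixed": reaches_protected_view(bypass, FIXED_PATTERNS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical check for a deployment like this one is not the Django version alone but where the path-based access control lives: if an upstream component makes the authorization decision on the decoded path, any difference between how it and the application normalize that path (here, a trailing newline) is a bypass, and upgrading to 2.2.25 only removes one such difference on the application side.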
@oragame (Contributor) left a comment

LGTM!

@JFU-GIT JFU-GIT merged commit bf4d698 into master Jan 4, 2022
@JFU-GIT JFU-GIT deleted the jfuqian/BB2-1029-Bump-Django-ver-to-2.2.25-mediate-vuln branch January 4, 2022 18:23