From d9dfa98819167ce09c6e3e3be882e7ed43be96db Mon Sep 17 00:00:00 2001
From: David Dashyan
Date: Tue, 2 Jun 2020 07:36:56 +0000
Subject: [PATCH] Flask update (#2700)

* Flask security update

The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656.

Signed-off-by: David Dashyan

* Make send_naughty_tx error regex more robust

Signed-off-by: David Dashyan
---
 acceptance/python/src/test_naughty_strings.py | 5 +++--
 setup.py | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/acceptance/python/src/test_naughty_strings.py b/acceptance/python/src/test_naughty_strings.py
index 35746bc9..92acd066 100644
--- a/acceptance/python/src/test_naughty_strings.py
+++ b/acceptance/python/src/test_naughty_strings.py
@@ -68,8 +68,9 @@ def send_naughty_tx(asset, metadata):
 error = sent_transaction.error
 regex = (
 r'\{\s*\n*'
- r'\s*"message": "Invalid transaction \(ValidationError\): Invalid key name.*The key name cannot contain characters.*\n*' # noqa
- r'\s*"status": 400\n*'
+ r'\s*"message":\s*"Invalid transaction \(ValidationError\):\s*'
+ r'Invalid key name.*The key name cannot contain characters.*\n*'
+ r'\s*"status":\s*400\n*'
 r'\s*\}\n*')
 assert status_code == 400
 assert re.fullmatch(regex, error), sent_transaction
diff --git a/setup.py b/setup.py
index 27c5f091..eb73bc52 100644
--- a/setup.py
+++ b/setup.py
@@ -77,7 +77,7 @@ install_requires = [
 'cryptoconditions==0.8.0',
 'python-rapidjson~=0.6.0',
 'logstats~=0.2.1',
- 'flask~=0.12.4',
+ 'flask==1.0.0',
 'flask-cors~=3.0.0',
 'flask-restful~=0.3.0',
 'requests~=2.20.0',
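Review bot: The rewritten pattern still validates a serialized JSON document with a regex, so it remains coupled to the server's whitespace and key order, and the `.*` wildcards on the new `message` lines accept any text between `Invalid key name` and `The key name cannot contain characters`, so the assertion would also pass if a different key than the naughty one were reported. Since `error` is full-matched against a `{ "message": ..., "status": 400 }` shape it looks like a JSON string; if so, decoding it and asserting on the fields is simpler and immune to the formatting drift that motivated this change: `body = json.loads(error)`, `assert body['status'] == 400`, `assert re.fullmatch(r'Invalid transaction \(ValidationError\): Invalid key name.*The key name cannot contain characters.*', body['message'])` (add `import json` if the module lacks it). Minor: `\s*` already matches newlines, so the trailing `\n*` fragments are redundant. send_naughty_tx starts before this hunk, so how `error` is produced is not visible here.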
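Review bot: `'flask==1.0.0'` replaces a compatible-release spec with an exact pin, so later 1.0.x patch releases, including any future security fix, will not be picked up without another edit to setup.py, while the neighbouring entries (`'flask-cors~=3.0.0'`, `'requests~=2.20.0'`) keep the `~=` convention. If the goal is only to get past the pre-1.0 JSON memory issue the commit message cites, `'flask~=1.0.0'` keeps that floor and matches the file's style; if the exact pin is deliberate (reproducibility, a known incompatibility), a one-line comment above it saying so would stop the next reviewer from loosening it. install_requires begins before this hunk.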