@renovate renovate bot commented Aug 13, 2025

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.

This PR contains the following updates:

Package: azure-storage-blob (source)
Change: ==12.4.0 -> ==12.13.0
Age / Confidence: Renovate badges (not rendered in this text)

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2022-30187

Summary

The Azure Storage Encryption library in Java and other languages is vulnerable to a CBC Padding Oracle attack, similar to CVE-2020-8911. The library is not vulnerable to the equivalent of CVE-2020-8912, but only because it currently only supports AES-CBC as encryption mode.

Severity

Moderate - The vulnerability poses insider risks/privilege escalation risks, circumventing controls for stored data.

Further Analysis

The Java Azure Blob Storage Encryption SDK is impacted by an issue that can result in loss of confidentiality and message forgery. The attack requires write access to the container in question, and that the attacker has access to an endpoint that reveals decryption failures (without revealing the plaintext) and that when encrypting the CBC option was chosen as content cipher.

This advisory describes the plaintext revealing vulnerabilities in the Java Azure Blob Storage Encryption SDK, with a similar issue in the other blob storage SDKs being present as well.

In the current version of the Azure Blob Storage crypto SDK, the only algorithm option that allows users to encrypt files is AES-CBC, without computing a MAC on the data.

This exposes a padding oracle vulnerability: If the attacker has write access to the blob container bucket and can observe whether or not an endpoint with access to the key can decrypt a file (without observing the file contents that the endpoint learns in the process), they can reconstruct the plaintext with (on average) 128*length(plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors.
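The two properties the advisory names (CBC without a MAC, and a caller that can distinguish a padding failure from any other outcome) are what make the oracle possible, and removing either one closes it. The Go program below is an added example, not code from this PR or from the Azure SDK: it places the unauthenticated decrypt-then-unpad path (`OpenCBCOnly`, which surfaces a distinct `ErrBadPadding`) beside an encrypt-then-MAC wrapper (`Seal`/`Open`) that verifies an HMAC-SHA256 tag in constant time before any decryption, so a modified ciphertext never reaches the unpadding step and every rejection is the same `ErrAuth`. The keys, blob layout (`iv || ciphertext || tag`) and function names are constructed for the example and are not the SDK's format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"io"
)

// Constructed, fixed demo keys so the example runs offline and reproducibly.
// A real deployment obtains keys from a key management service, never from source.
var (
	encKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
	macKey = []byte("fedcba9876543210fedcba9876543210") // separate key for the HMAC
)

var (
	ErrBadPadding = errors.New("invalid PKCS#7 padding") // distinguishable failure: the oracle signal
	ErrAuth       = errors.New("authentication failed")   // the only error the hardened path ever returns
)

// pkcs7Pad appends 1..16 bytes of padding, each equal to the padding length.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips padding and reports ErrBadPadding on any malformed trailer.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, ErrBadPadding
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, ErrBadPadding
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, ErrBadPadding
		}
	}
	return b[:len(b)-n], nil
}

// cbcEncrypt returns iv || AES-CBC ciphertext of the PKCS#7-padded plaintext.
func cbcEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := io.ReadFull(rand.Reader, out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// OpenCBCOnly is the unauthenticated scheme the advisory describes: decrypt, then unpad,
// with no integrity check. Any endpoint that lets a writer observe whether this call
// returned ErrBadPadding (versus success with garbage) is the padding oracle.
func OpenCBCOnly(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, ErrBadPadding
	}
	iv, ct := blob[:aes.BlockSize], blob[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// Seal is the hardened form, encrypt-then-MAC: iv || ciphertext || HMAC-SHA256(iv || ciphertext).
func Seal(plaintext []byte) ([]byte, error) {
	ct, err := cbcEncrypt(encKey, plaintext)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, macKey)
	mac.Write(ct)
	return mac.Sum(ct), nil // appends the 32-byte tag to ct
}

// Open checks the tag in constant time before touching the cipher. A modified blob is
// rejected here, so padding is never examined and all failures collapse to ErrAuth.
func Open(blob []byte) ([]byte, error) {
	if len(blob) < sha256.Size {
		return nil, ErrAuth
	}
	ct, tag := blob[:len(blob)-sha256.Size], blob[len(blob)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(ct)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, ErrAuth
	}
	pt, err := OpenCBCOnly(encKey, ct)
	if err != nil {
		return nil, ErrAuth // unreachable for an authentic blob; still never leak a padding error
	}
	return pt, nil
}
```

To see the difference, seal a message, flip one byte inside the ciphertext (leaving the tag alone), and call both openers on it: `Open` returns `ErrAuth` every time, while `OpenCBCOnly` on the same modified bytes either succeeds with garbage or returns `ErrBadPadding` depending on which byte was touched. That second, input-dependent outcome is the signal the advisory's query count is built on; the AES-GCM mode mentioned in the advisory as absent from the SDK gives the same uniform-rejection property without a separate MAC key.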

Timeline

Date reported: March 29 2022
Date preview: June 16 2022
Date GA: July 11 2022
Date disclosed: July 17 2022


Release Notes

Azure/azure-sdk-for-python (azure-storage-blob)

v12.13.0

Compare Source

12.13.0 (2022-07-07)

Bugs Fixed
  • Stable release of features from 12.13.0b1.
  • Added support for deleting versions in delete_blobs by supplying version_id.

v12.12.0

Compare Source

12.12.0 (2022-05-09)
Features Added
  • Stable release of features from 12.12.0b1.
  • Added support for progress tracking to upload_blob() and download_blob() via a new optional callback, progress_hook.
Bugs Fixed:
  • Fixed a bug in BlobClient.from_blob_url() such that users will receive a more helpful error
    message if they pass an incorrect URL without a full /container/blob path.
  • Fixed a bug, introduced in the previous beta release, that caused Authentication errors when attempting to use
    an Account SAS with certain service level operations.

v12.11.0

Compare Source

12.11.0 (2022-03-29)

Warning This release involves a bug fix that may change the behavior for some users. In previous versions,
the tag parameter on BlobSasPermissions defaulted to True, meaning a Blob SAS URL would include the t permission
by default. This was not the intended behavior. This release adjusts BlobSasPermissions so the tag permission will
default to False, like all other permissions.

Bugs Fixed
  • Fixed a bug in BlobSasPermissions where the tag permission had a default value of True and
    therefore was being added to the SAS token by default.

v12.10.0

Compare Source

12.10.0 (2022-03-08)

This version and all future versions will require Python 3.6+. Python 2.7 is no longer supported.

Stable release of preview features
  • Added support for service version 2021-02-12, 2021-04-10.
  • Account level SAS tokens now support two new permissions:
    • permanent_delete
    • set_immutability_policy
  • Encryption Scope is now supported for Sync Blob Copy (copy_from_url()).
  • Encryption Scope is now supported as a SAS permission.
  • Added support for blob names containing invalid XML characters.
    Previously \uFFFE and \uFFFF would fail if present in blob name.
  • Added support for listing system containers with get_blob_containers().
  • Added support for find_blobs_by_tags() on a container.
  • Added support for Find (f) container SAS permission.
Bugs Fixed
  • Added all missing Service SAS permissions.
  • Fixed a bug that prevented upload_blob() from working with an OS pipe
    reader stream on Linux. (#23131)

v12.9.0

Compare Source

12.9.0 (2021-09-15)

Stable release of preview features

  • Added support for service version 2020-10-02 (STG78)
  • Added support for object level immutability policy with versioning (Version Level WORM).
  • Added support for listing deleted root blobs that have versions.
  • Added OAuth support for sync copy blob source.

v12.8.1

Compare Source

12.8.1 (2021-04-20)

Fixes

  • Fixed retry on large block upload
  • Make AccountName, AccountKey etc. in conn_str case insensitive
  • Fixed downloader.chunks() return chunks in different size (#9419, #15648)
  • Enabled exists() for CPK encrypted blobs (#18041)
  • Fixed the ability to upload from a generator (#17418)
  • Fixed unclosed ThreadPoolExecutor (#8955)
  • Fixed retries for blob download streams (#18164, #17974, #10572 (comment))
  • Added chunk streaming docstrings and samples (#17149, #11009)
  • Added retry for blob download (#17974, #10572)
  • Fixed encryption algorithm hardcoded setting (#17835)

v12.8.0

Compare Source

12.8.0 (2021-03-01)

Stable release of preview features

  • Added ContainerClient.exists() method
  • Added container SAS support for blob batch operations

Fixes

  • Fixed delete_blob() method signature (#15891)
  • Fixed Content-MD5 throwing when passed (#15919)

v12.7.1

Compare Source

12.7.1 (2021-01-20)

Fixes

v12.7.0

Compare Source

12.7.0 (2021-01-13)

Stable release of preview features

  • Added upload_blob_from_url api on BlobClient.
  • Added support for leasing blob when get/set tags, listing all tags when find blobs by tags.
  • Added support for AzureSasCredential to allow SAS rotation in long living clients.

Fixes

  • Fixed url parsing for blob emulator/localhost (#15882)

v12.6.0

Compare Source

12.6.0 (2020-11-10)

Stable release of preview features

  • Preview feature ArrowDialect as output format of query_blob
  • Preview feature undelete_container on BlobServiceClient.
  • Preview feature Last Access Time.

Fixes

  • Fixed the expired Authorization token problem during retry (#14701, #14067)
  • Catch exceptions thrown by async download (#14319)

Notes

  • Updated dependency azure-core from azure-core<2.0.0,>=1.6.0 to azure-core<2.0.0,>=1.9.0 to get continuation_token attr on AzureError.

v12.5.0

Compare Source

12.5.0 (2020-09-10)

New features

  • Added support for checking if a blob exists using the exists method (#13221).

Fixes

  • Fixed source URLs special characters issue. Users can now have special characters in their source URLs for copy_blob_from_url, upload_blob_from_url etc (#13275).
  • Fixed authorization header on asyncio requests containing url-encoded-able characters (#11028).
  • Fixed SAS credentials URL malformation when using local Azurite container (#11941).
  • Fixed issue with permission string causing an authentication failure (#13099).
  • Support for returning snapshot value in get_blob_properties response (#13287).

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
