Unicorn-binance-websocket-api

Added
- `clear_asyncio_queue()`
Changed
- Made the logic of `is_exchange_type()` better readable.
- Type of parameter `stream_buffer_name` in all methods.
Fixed
- `get_latest_version()` KeyError.
Removed
- Obsolete import `from __future__ import print_function` in `sockets.py`.

Fixed
- Stream Data is always returned in `raw_data` format. [issue380](https://github.com/LUCIT-Systems-and-Development/unicorn-binance-websocket-api/issues/380)

Added
- Parameter `footer` to `print_summary()`, `print_summary_to_png()` and `print_stream_info()`
Changed
- Improved text of `MaximumSubscriptionsExceeded` exception.
- Updated description text in all files.
Fixed
- Import in `licensing_manager.py`.
- Type of global `logger` and `connect` variable.
Security
- Set higher minimum version `2.31.0` for `requests`, as vulnerabilities were found in earlier versions:
- CVE-2023-32681, Score: 6.1 (Medium)
- Requests is a HTTP library. Requests has been leaking Proxy-Authorization headers to destination servers when
redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the
`Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify
the header in the request itself and remove it prior to forwarding to the destination server. However when sent
over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility
into the tunneled request. This results in Requests forwarding proxy credentials to the destination server
unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue affects
versions 2.3.0 through 2.30.0.
- https://devhub.checkmarx.com/cve-details/CVE-2023-32681/
- Set higher minimum version `2.5.1` for `unicorn-binance-rest-api` are affected by vulnerabilities in used dependencies!
- Dependency `certifi`:
- CVE-2023-37920, Score: 9.8 (High)
- Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while
verifying the identity of TLS hosts. Certifi 1.0.1 through 2023.5.7 recognizes "e-Tugra" root certificates.
e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their
systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.
- https://devhub.checkmarx.com/cve-details/CVE-2023-37920/
- Dependency `cryptography`:
- CVE-2023-38325, Score: 7.5 (High)
- The cryptography package versions prior to 41.0.2 for Python mishandles SSH certificates that have critical
options.
- https://devhub.checkmarx.com/cve-details/CVE-2023-38325/
- CVE-2023-49083, Score: 7.5 (High)
- Cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling
`load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and
segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application
attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system
availability and stability. This issue affects versions 3.1 through 41.0.5.
- https://devhub.checkmarx.com/cve-details/CVE-2023-49083/
- CVE-2023-50782, Score: 7.5 (High)
- A flaw was found in the python cryptography package versions prior to 42.0.0. This issue may allow a remote
attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of
confidential or sensitive data. This issue is an incomplete fix of CVE-2020-25659.
- https://devhub.checkmarx.com/cve-details/CVE-2023-50782/
- CVE-2024-26130, Score: 7.5 (High)
- cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting
in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a
certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash`
set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a NULL pointer dereference would occur,
crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError`
is properly raised.
- https://devhub.checkmarx.com/cve-details/CVE-2024-26130/
- Dependency `requests`:
- CVE-2023-32681, Score: 6.1 (Medium)
- Requests is a HTTP library. Requests has been leaking Proxy-Authorization headers to destination servers when
redirected to an HTTPS endpoint. This is a product of how we use `rebuild_proxies` to reattach the
`Proxy-Authorization` header to requests. For HTTP connections sent through the tunnel, the proxy will identify
the header in the request itself and remove it prior to forwarding to the destination server. However when sent
over HTTPS, the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has no visibility
into the tunneled request. This results in Requests forwarding proxy credentials to the destination server
unintentionally, allowing a malicious actor to potentially exfiltrate sensitive information. This issue affects
versions 2.3.0 through 2.30.0.
- https://devhub.checkmarx.com/cve-details/CVE-2023-32681/

Added
- Exception `MaximumSubscriptionsExceeded` thrown by `subscribe_to_stream()`.
- `print_summary()` and `print_stream_info()` now display `binance_api_status_code` in color! Green at 200 otherwise red.
Changed
- `subscribe_to_stream()` now throws the exception `MaximumSubscriptionsExceeded` instand of returning `False` if
the number of allowed subscriptions per stream is exceeded.
Fixed
- Typing of `create_stream()` parameters.
- Type of parameter `stream_label` in `get_stream_id_by_label()`.
- Type of first return variable in `restclient.get_listen_key()`.
- Typo in `is_update_availabe_unicorn_fy()` to `is_update_available_unicorn_fy()`.
- Typo in `is_update_availabe_check_command()` to `is_update_available_check_command()`.
- A couple of small text typos.

Added
- Better Logging to investigate [issue374](https://github.com/LUCIT-Systems-and-Development/unicorn-binance-websocket-api/issues/374)
- `send_with_stream()` - Send a payload with a specific stream.
- Since UBWA is delivered as a compiled C extension, IDEs such as Pycharm and Visual Code cannot use information about
available methods, parameters and their types for autocomplete and other intellisense functions. As a solution, from
now on stub files (PYI) will be created in the build process and attached to the packages. The IDEs can automatically
obtain the required information from these.
Changed
- Replaced all calls of `add_payload_to_stream()` in `manager.py`, `api.py` with `send_with_stream()`.
- Calling `set_socket_is_not_ready()` in `sockets.__aexit__()`.
- Consistent use of `stream_list_lock` and replacement of `stream_threading_lock` by `stream_list_lock` in `manager.py`.