Commit aa1bbd1

Merge branch 'main' into docs-clenaup
2 parents 2902474 + df29f83 commit aa1bbd1

45 files changed

Lines changed: 609 additions & 205 deletions


.github/SECURITY.md

Lines changed: 63 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,63 @@
1+
# Security Policy
2+
3+
Slack takes the security of its software and services seriously, including all open-source repositories managed through the [slackapi](https://github.com/slackapi) GitHub organization.
4+
5+
## Reporting a Vulnerability
6+
7+
**Do NOT report security vulnerabilities through public GitHub issues, pull requests, or discussions.**
8+
9+
If you believe you have found a security vulnerability in `slack-bolt`, please report it through the Slack bug bounty program on HackerOne:
10+
11+
**<https://hackerone.com/slack>**
12+
13+
Even if `slack-bolt` is not explicitly listed as an in-scope asset on the HackerOne program page, reports for vulnerabilities in this package should still be submitted there. The Slack security team triages reports for all `slackapi` open-source repositories through this program.
14+
15+
If HackerOne is inaccessible, you may alternatively report the issue to [security@salesforce.com](mailto:security@salesforce.com).
16+
17+
Please do not discuss potential vulnerabilities in public without first coordinating with the security team.
18+
19+
## What to Include
20+
21+
To help us triage and respond quickly, please include:
22+
23+
- Type of vulnerability (e.g., signature bypass, token leakage, denial of service)
24+
- Affected version(s) of `slack-bolt`
25+
- Step-by-step reproduction instructions
26+
- Proof-of-concept code or payloads, if available
27+
- Impact assessment: what an attacker could achieve
28+
- Any specific configuration required to trigger the vulnerability
29+
- Affected source file paths, if known
30+
31+
## Threat Model
32+
33+
Bolt for Python is a framework that sits between the Slack platform and developer application code. Its security boundary covers the integrity and confidentiality of that interface.
34+
35+
### In Scope
36+
37+
The following are considered framework vulnerabilities:
38+
39+
- Bypass of request signature verification (HMAC-SHA256 validation)
40+
- OAuth token leakage or cross-tenant token exposure during authorization flows
41+
- Denial of service caused by malformed or specially crafted payloads processed by framework internals
42+
- Authentication or authorization bypass in any built-in adapter
43+
- Information disclosure through framework error responses or timing side channels
44+
- Bypass of the `ssl_check` endpoint protections
45+
46+
### Out of Scope
47+
48+
The following are NOT framework vulnerabilities:
49+
50+
- Vulnerabilities in the Python runtime, operating system, or hosting infrastructure
51+
- Security issues in developer application logic built on top of Bolt (e.g., SQL injection caused by passing unsanitized payload data to a database)
52+
- Vulnerabilities in third-party PyPI packages chosen and installed by the developer outside of Bolt's direct dependencies
53+
- Vulnerabilities in Slack's server-side platform infrastructure (report those directly under Slack's main HackerOne scope)
54+
- Attacks that require possession of a valid signing secret or bot token
55+
- Arbitrary attribute injection or unsafe deserialization caused by developer code handling untrusted input
56+
- Issues that only affect end-of-life versions with no reproduction on supported versions
57+
58+
## Disclosure Policy
59+
60+
This project follows coordinated disclosure:
61+
62+
- Allow a reasonable timeframe for the team to investigate, develop, and release a fix before any public disclosure.
63+
- Researchers who follow responsible disclosure practices are eligible for recognition and bounty consideration through the Slack HackerOne program.
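Review bot: the Out of Scope bullet on line 56 excludes issues that only affect end-of-life versions "with no reproduction on supported versions", but nothing in the file says which versions of `slack-bolt` are supported, so a reporter cannot tell whether a finding against an older major version is in scope; add a short Supported Versions section (or a link to the release policy) alongside the Threat Model. Related, the Disclosure Policy on lines 60 to 63 asks for "a reasonable timeframe" without naming an expected acknowledgement or fix window; either state one here or point to the response targets published on the HackerOne program page, so the expectation is concrete for both sides.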

.github/maintainers_guide.md

Lines changed: 2 additions & 2 deletions
@@ -71,8 +71,8 @@ If you make changes to `slack_bolt/adapter/*`, please verify if it surely works
7171

7272
```sh
7373
# Install all optional dependencies
74-
$ pip install -r requirements/adapter.txt
75-
$ pip install -r requirements/adapter_testing.txt
74+
$ pip install -r requirements/adapter_dev.txt
75+
$ pip install -r requirements/test_adapter.txt
7676

7777
# Set required env variables
7878
$ export SLACK_SIGNING_SECRET=***

.github/workflows/ci-build.yml

Lines changed: 12 additions & 12 deletions
@@ -48,13 +48,13 @@ jobs:
4848
run: |
4949
pip install -U pip
5050
pip install -U .
51-
pip install -r requirements/tools.txt
51+
pip install -r requirements/dev_tools.txt
5252
- name: Type check synchronous modules
5353
run: mypy --config-file pyproject.toml --exclude "async_|/adapter/"
5454
- name: Install async and adapter dependencies
5555
run: |
56-
pip install -r requirements/async.txt
57-
pip install -r requirements/adapter.txt
56+
pip install -r requirements/async_dev.txt
57+
pip install -r requirements/adapter_dev.txt
5858
- name: Type check all modules
5959
run: mypy --config-file pyproject.toml
6060

@@ -88,15 +88,15 @@ jobs:
8888
run: |
8989
pip install -U pip
9090
pip install .
91-
pip install -r requirements/testing_without_asyncio.txt
91+
pip install -r requirements/test.txt
9292
- name: Run tests without aiohttp
9393
run: |
9494
pytest tests/slack_bolt/ --junitxml=reports/test_slack_bolt.xml
9595
pytest tests/scenario_tests/ --junitxml=reports/test_scenario.xml
9696
- name: Install adapter dependencies
9797
run: |
98-
pip install -r requirements/adapter.txt
99-
pip install -r requirements/adapter_testing.txt
98+
pip install -r requirements/adapter_dev.txt
99+
pip install -r requirements/test_adapter.txt
100100
- name: Run tests for HTTP Mode adapters
101101
run: |
102102
pytest tests/adapter_tests/ \
@@ -105,14 +105,14 @@ jobs:
105105
--junitxml=reports/test_adapter.xml
106106
- name: Install async dependencies
107107
run: |
108-
pip install -r requirements/async.txt
108+
pip install -r requirements/async_dev.txt
109109
- name: Run tests for Socket Mode adapters
110110
run: |
111111
# Requires async test dependencies
112112
pytest tests/adapter_tests/socket_mode/ --junitxml=reports/test_adapter_socket_mode.xml
113113
- name: Install all dependencies
114114
run: |
115-
pip install -r requirements/testing.txt
115+
pip install -r requirements/test_async.txt
116116
- name: Run tests for HTTP Mode adapters (ASGI)
117117
run: |
118118
# Requires async test dependencies
@@ -155,9 +155,9 @@ jobs:
155155
run: |
156156
pip install -U pip
157157
pip install .
158-
pip install -r requirements/adapter.txt
159-
pip install -r requirements/testing.txt
160-
pip install -r requirements/adapter_testing.txt
158+
pip install -r requirements/adapter_dev.txt
159+
pip install -r requirements/test_async.txt
160+
pip install -r requirements/test_adapter.txt
161161
- name: Run all tests for codecov
162162
run: |
163163
pytest --cov=./slack_bolt/ --cov-report=xml
@@ -179,7 +179,7 @@ jobs:
179179
if: ${{ !success() && github.ref == 'refs/heads/main' && github.event_name != 'workflow_dispatch' }}
180180
steps:
181181
- name: Send notifications of failing tests
182-
uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1
182+
uses: slackapi/slack-github-action@45a88b9581bfab2566dc881e2cd66d334e621e2c # v3.0.3
183183
with:
184184
errors: true
185185
webhook: ${{ secrets.SLACK_REGRESSION_FAILURES_WEBHOOK_URL }}
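Review bot: the notification action stays pinned to a full commit hash with the tag in a trailing comment, which is the right pattern for a step that receives `secrets.SLACK_REGRESSION_FAILURES_WEBHOOK_URL`; since Actions does not check that `# v3.0.3` matches `45a88b9…`, confirm the hash against the v3.0.3 tag in slackapi/slack-github-action before merging, because the comment is the only thing a later reader will go by.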

.github/workflows/dependencies.yml

Lines changed: 1 addition & 1 deletion
@@ -12,7 +12,7 @@ jobs:
1212
steps:
1313
- name: Collect metadata
1414
id: metadata
15-
uses: dependabot/fetch-metadata@ffa630c65fa7e0ecfa0625b5ceda64399aea1b36 # v3.0.0
15+
uses: dependabot/fetch-metadata@25dd0e34f4fe68f24cc83900b1fe3fe149efef98 # v3.1.0
1616
with:
1717
github-token: "${{ secrets.GITHUB_TOKEN }}"
1818
- name: Approve
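Review bot: the bumped `fetch-metadata` step feeds an `Approve` step that runs with `secrets.GITHUB_TOKEN`, so this workflow can approve pull requests; the hunk does not show the job's `permissions` block or its `on:` trigger, so confirm that the token is limited to `pull-requests: write` and that the job is gated on the Dependabot actor, otherwise any pull request that reaches this workflow could be approved automatically. Keeping the action SHA-pinned, as done here, is what makes that approval path trustworthy.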

.github/workflows/pypi-release.yml

Lines changed: 3 additions & 3 deletions
@@ -33,7 +33,7 @@ jobs:
3333
scripts/build_pypi_package.sh
3434
3535
- name: Persist dist folder
36-
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
36+
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
3737
with:
3838
name: release-dist
3939
path: dist/
@@ -60,7 +60,7 @@ jobs:
6060
- name: Publish release distributions to test.pypi.org
6161
# Using OIDC for PyPI publishing (no API tokens needed)
6262
# See: https://docs.github.com/en/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-pypi
63-
uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
63+
uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
6464
with:
6565
repository-url: https://test.pypi.org/legacy/
6666

@@ -84,4 +84,4 @@ jobs:
8484
- name: Publish release distributions to pypi.org
8585
# Using OIDC for PyPI publishing (no API tokens needed)
8686
# See: https://docs.github.com/en/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-pypi
87-
uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
87+
uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
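Review bot: both publish steps (test.pypi.org and pypi.org) move to the same `cef2210…` hash for v1.14.0, which keeps the two jobs from drifting; because these steps publish through OIDC rather than an API token (per the comments on lines 61 to 62 and 85 to 86), the action hash is effectively the trust root for what gets uploaded, so verify it against the v1.14.0 tag in pypa/gh-action-pypi-publish rather than relying on the trailing comment.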

AGENTS.md

Lines changed: 7 additions & 7 deletions
@@ -183,7 +183,7 @@ Then wire it into `BoltContext` (`slack_bolt/context/context.py`) and `AsyncBolt
183183
1. Create `slack_bolt/adapter/<framework>/`
184184
2. Add `__init__.py` and `handler.py` (or `async_handler.py` for async frameworks)
185185
3. The handler converts the framework's request to `BoltRequest`, calls `app.dispatch()`, and converts `BoltResponse` back
186-
4. Add the framework to `requirements/adapter.txt` with version constraints
186+
4. Add the framework to `requirements/adapter_dev.txt` with version constraints
187187
5. Add adapter tests in `tests/adapter_tests/` (sync) or `tests/adapter_tests_async/` (async)
188188

189189
### Adding a Kwargs-Injectable Argument
@@ -205,12 +205,12 @@ The core package has a **single required runtime dependency**: `slack_sdk` (defi
205205

206206
**`requirements/` directory structure:**
207207

208-
- `async.txt` -- async runtime deps (`aiohttp`, `websockets`)
209-
- `adapter.txt` -- all framework adapter deps (Flask, Django, FastAPI, etc.)
210-
- `testing.txt` -- test runner deps (`pytest`, `pytest-asyncio`, includes `async.txt`)
211-
- `testing_without_asyncio.txt` -- test deps without async (`pytest`, `pytest-cov`)
212-
- `adapter_testing.txt` -- adapter-specific test deps (`moto`, `boddle`, `sanic-testing`)
213-
- `tools.txt` -- dev tools (`mypy`, `flake8`, `black`)
208+
- `async_dev.txt` -- async runtime deps (`aiohttp`, `websockets`)
209+
- `adapter_dev.txt` -- all framework adapter deps (Flask, Django, FastAPI, etc.)
210+
- `test_async.txt` -- test runner deps (`pytest`, `pytest-asyncio`, includes `async_dev.txt`)
211+
- `test.txt` -- test deps without async (`pytest`, `pytest-cov`)
212+
- `test_adapter.txt` -- adapter-specific test deps (`moto`, `boddle`, `sanic-testing`)
213+
- `dev_tools.txt` -- dev tools (`mypy`, `flake8`, `black`)
214214

215215
When adding a new dependency: add it to the appropriate `requirements/*.txt` file with version constraints, never to `pyproject.toml` `dependencies` (unless it's a core runtime dep, which is very rare).
216216

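Review bot: the include relationship is documented for only one file (`test_async.txt` "includes `async_dev.txt`"), yet line 215 relies on this list to tell contributors which file is "the appropriate" one; state for each entry whether it pulls in another requirements file or stands alone, in the same form as the `test_async.txt` entry, so a contributor adding, say, an adapter test dependency can tell whether `test_adapter.txt` already brings in `adapter_dev.txt`.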
pyproject.toml

Lines changed: 1 addition & 0 deletions
@@ -26,6 +26,7 @@ dependencies = ["slack_sdk>=3.38.0,<4"]
2626

2727
[project.urls]
2828
Documentation = "https://docs.slack.dev/tools/bolt-python/"
29+
Source = "https://github.com/slackapi/bolt-python"
2930

3031
[tool.setuptools.packages.find]
3132
include = ["slack_bolt*"]
requirements/adapter_dev.txt

Lines changed: 16 additions & 11 deletions
@@ -1,28 +1,33 @@
1-
# pip install -r requirements/adapter.txt
2-
# NOTE: any of async ones requires pip install -r requirements/async.txt too
1+
# pip install -r requirements/adapter_dev.txt
2+
# NOTE: any of async ones requires pip install -r requirements/async_dev.txt too
33
# used only under slack_bolt/adapter
44
boto3<=2
55
bottle>=0.12,<1
6-
chalice>=1.28,<2;
6+
chalice>=1.28,<1.31; python_version<"3.9"
7+
chalice>=1.32.0,<2; python_version>="3.9"
78
cheroot<12
89
CherryPy>=18,<19
9-
Django>=3,<6
10-
falcon>=2,<5; python_version<"3.11"
11-
falcon>=3.1.1,<5; python_version>="3.11"
10+
Django>=3.2,<4; python_version<"3.8"
11+
Django>=4.2.30,<6; python_version>="3.8"
12+
falcon>=2,<4; python_version<"3.9"
13+
falcon>=4.2.0,<5; python_version>="3.9"
1214
fastapi>=0.70.0,<1
1315
Flask>=1,<4
14-
Werkzeug>=2,<4
16+
Werkzeug>=2,<3; python_version<"3.9"
17+
Werkzeug>=3.1.8,<4; python_version>="3.9"
1518
pyramid>=1,<3
1619
setuptools<82 # Pinned: Pyramid depends on pkg_resources (deprecated in setuptools 67.5.0, removed in 82+). See: https://github.com/Pylons/pyramid/issues/3731
1720

1821
# Sanic and its dependencies
1922
# Note: Sanic imports tracerite with wild card versions
2023
tracerite<1.1.2; python_version<="3.8" # older versions of python are not compatible with tracerite>1.1.2
2124
sanic>=21,<24; python_version<="3.8"
22-
sanic>=21,<26; python_version>"3.8"
25+
sanic>=25.3.0,<26; python_version>"3.8"
2326

24-
starlette>=0.19.1,<1
25-
tornado>=6,<7
27+
starlette>=0.19.1,<0.45; python_version<"3.9"
28+
starlette>=0.49.3,<1; python_version>="3.9"
29+
tornado>=6.2,<7; python_version<"3.9"
30+
tornado>=6.5.6,<7; python_version>="3.9"
2631
uvicorn<1 # The oldest version can vary among Python runtime versions
27-
gunicorn>=20,<24
32+
gunicorn>=23.0.0,<24
2833
websocket_client>=1.2.3,<2 # Socket Mode 3rd party implementation
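Review bot: the raised floors (`Django>=4.2.30`, `falcon>=4.2.0`, `Werkzeug>=3.1.8`, `sanic>=25.3.0`, `starlette>=0.49.3`, `tornado>=6.5.6`, `gunicorn>=23.0.0`) carry no comment saying why the minimums moved, whereas the `setuptools<82` line in the same file shows the file's convention of a `# Pinned: ... See: <link>` note; if these are security floors, put the advisory or release link next to each so a later contributor does not relax them while resolving a conflict. Splitting each package by `python_version` is the right way to keep the older interpreters installable while raising the floor for current ones, and it also fixes the old `chalice>=1.28,<2;` line, which ended in a dangling `;` with no marker. One leftover in the unchanged context: `boto3<=2` is an inclusive upper bound (it admits exactly 2.0 and nothing after), which is almost certainly meant to be `boto3<2`.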

requirements/async.txt

Lines changed: 0 additions & 3 deletions
This file was deleted.

requirements/async_dev.txt

Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
# pip install -r requirements/async_dev.txt
2+
aiohttp>=3,<4
3+
websockets<16
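Review bot: `websockets<16` has only an upper bound, unlike `aiohttp>=3,<4` on the line above; the AGENTS.md guidance in this same commit asks for version constraints on every added dependency, so add the lowest `websockets` release the Socket Mode adapter is actually tested against as a floor, otherwise pip can resolve to an arbitrarily old release in a constrained environment and the CI run on this file will not reflect what users get.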
