chore(deps): update dependency starlette to v0.36.2 [security] #162
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^0.22.0
->^0.36.0
==0.25.0
->==0.36.2
GitHub Vulnerability Alerts
GHSA-74m5-2c7w-9w3x
Impact
The
MultipartParser
using the packagepython-multipart
accepts an unlimited number of multipart parts (form fields or files).Processing too many parts results in high CPU usage and high memory usage, eventually leading to an OOM process kill.
This can be triggered by sending too many small form fields with no content, or too many empty files.
For this to take effect application code has to:
python-multipart
installed andrequest.form()
UploadFile
parameters, which in turn callsrequest.form()
.Patches
The vulnerability is solved in Starlette 0.25.0 by making the maximum fields and files customizable and with a sensible default (1000).
Applications will be secure by just upgrading their Starlette version to 0.25.0 (or FastAPI to 0.92.0).
If application code needs to customize the new max field and file number, there are new
request.form()
parameters (with the default values):max_files=1000
max_fields=1000
Workarounds
Applications that don't install
python-multipart
or that don't use form fields are safe.In older versions, it's also possible to instead of calling
request.form()
callrequest.stream()
and parse the form data in internal code.In most cases, the best solution is to upgrade the Starlette version.
References
This was reported in private by @das7pad via internal email. He also coordinated the fix across multiple frameworks and parsers.
The details about how
multipart/form-data
is structured and parsed are in the RFC 7578.CVE-2023-30798
There MultipartParser usage in Encode's Starlette python framework before versions 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files which can cause excessive memory usage resulting in denial of service of the HTTP service.
CVE-2023-29159
Summary
When using
StaticFiles
, if there's a file or directory that starts with the same name as theStaticFiles
directory, that file or directory is also exposed viaStaticFiles
which is a path traversal vulnerability.Details
The root cause of this issue is the usage of
os.path.commonprefix()
:https://github.com/encode/starlette/blob/4bab981d9e870f6cee1bd4cd59b87ddaf355b2dc/starlette/staticfiles.py#L172-L174
As stated in the Python documentation (https://docs.python.org/3/library/os.path.html#os.path.commonprefix) this function returns the longest prefix common to paths.
When passing a path like
/static/../static1.txt
,os.path.commonprefix([full_path, directory])
returns./static
which is the common part of./static1.txt
and./static
, It refers to/static/../static1.txt
because it is considered in the staticfiles directory. As a result, it becomes possible to view files that should not be open to the public.The solution is to use
os.path.commonpath
as the Python documentation explains thatos.path.commonprefix
works a character at a time, it does not treat the arguments as paths.PoC
In order to reproduce the issue, you need to create the following structure:
And run the
Starlette
app with:And running the commands:
The
static1.txt
and the directorystatic_disallow
are exposed.Impact
Confidentiality is breached: An attacker may obtain files that should not be open to the public.
Credits
Security researcher Masashi Yamane of LAC Co., Ltd reported this vulnerability to JPCERT/CC Vulnerability Coordination Group and they contacted us to coordinate a patch for the security issue.
CVE-2024-24762
Summary
When using form data,
python-multipart
uses a Regular Expression to parse the HTTPContent-Type
header, including options.An attacker could send a custom-made
Content-Type
option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests.This can create a ReDoS (Regular expression Denial of Service): https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
This only applies when the app uses form data, parsed with
python-multipart
.Details
A regular HTTP
Content-Type
header could look like:python-multipart
parses the option with this RegEx: https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74A custom option could be made and sent to the server to break it with:
PoC
Create a simple WSGI application, that just parses the
Content-Type
, and run it withpython main.py
:Then send the attacking request with:
$ curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8123/'
Impact
It's a ReDoS, (Regular expression Denial of Service), it only applies to those reading form data. This way it also affects other libraries using Starlette, like FastAPI.
Original Report
This was originally reported to FastAPI as an email to [email protected], sent via https://huntr.com/, the original reporter is Marcello, https://github.com/byt3bl33d3r
Original report to FastAPI
Hey Tiangolo!
My name's Marcello and I work on the ProtectAI/Huntr Threat Research team, a few months ago we got a report (from @nicecatch2000) of a ReDoS affecting another very popular Python web framework. After some internal research, I found that FastAPI is vulnerable to the same ReDoS under certain conditions (only when it parses Form data not JSON).
Here are the details: I'm using the latest version of FastAPI (0.109.0) and the following code:
I'm running the above with uvicorn with the following command:
uvicorn server:app
Then run the following cUrl command:
You'll see the server locks up, is unable to serve anymore requests and one CPU core is pegged to 100%
You can even start uvicorn with multiple workers with the --workers 4 argument and as long as you send (workers + 1) requests you'll completely DoS the FastApi server.
If you try submitting Json to the /submit_json endpoint with the malicious Content-Type header you'll see it isn't vulnerable. So this only affects FastAPI when it parses Form data.
Cheers
Impact
An attacker is able to cause a DoS on a FastApi server via a malicious Content-Type header if it parses Form data.
Occurrences
params.py L586
Release Notes
encode/starlette (starlette)
v0.36.2
: Version 0.36.2Compare Source
Fixed
python-multipart
to0.0.7
13e5c26.Content-Type
#2443.Full Changelog: encode/starlette@0.36.1...0.36.2
v0.36.1
: Version 0.36.1Compare Source
Fixed
Full Changelog: encode/starlette@0.36.0...0.36.1
v0.36.0
: Version 0.36.0Compare Source
Added
pathsend
extension #2435.WebSocketTestSession
on close #2427.WebSocketDisconnect
whenWebSocket.send()
exceptsIOError
#2425.FileNotFoundError
when theenv_file
parameter onConfig
is not valid #2422.Full Changelog: encode/starlette@0.35.1...0.36.0
v0.35.1
: Version 0.35.1Compare Source
Fixed
FileResponse
inside ofStaticFiles
#2406.typing-extensions
optional again #2409.Full Changelog: encode/starlette@0.35.0...0.35.1
v0.35.0
: Version 0.35.0Compare Source
Added
*args
toMiddleware
and improve its type hints #2381.Fixed
Iterable
insteadIterator
oniterate_in_threadpool
#2362.Changes
root_path
to keep compatibility with mounted ASGI applications and WSGI #2400.scope["client"]
toNone
onTestClient
#2377.Full Changelog: encode/starlette@0.34.0...0.35.0
v0.34.0
: Version 0.34.0Compare Source
Added
ParamSpec
forrun_in_threadpool
#2375.UploadFile.__repr__
#2360.Fixed
TestClient
#2376.StaticFiles
#2334.Deprecated
FileResponse(method=...)
parameter #2366.Full Changelog: encode/starlette@0.33.0...0.34.0
v0.33.0
: Version 0.33.0Compare Source
Added
middleware
perRoute
/WebSocketRoute
#2349.middleware
perRouter
#2351.Fixed
"path"
and"root_path"
scope keys #2352.ensure_ascii=False
onjson.dumps()
forWebSocket.send_json()
#2341.v0.32.0
: Version 0.32.0Compare Source
Added
reason
onWebSocketDisconnect
#2309.domain
parameter toSessionMiddleware
#2280.Changed
HTMLResponse
instead ofResponse
on_TemplateResponse
#2274.Response.render
type annotation to its pre-0.31.0 state #2264.Full Changelog: encode/starlette@0.31.1...0.32.0
v0.31.1
: Version 0.31.1Compare Source
Fixed
exceptiongroup
isn't available #2231.url_for
global for custom Jinja environments #2230.Full Changelog: encode/starlette@0.31.0...0.31.1
v0.31.0
: Version 0.31.0Compare Source
Added
Fixed
TestClient
#2219.Full Changelog: encode/starlette@0.30.0...0.31.0
v0.30.0
: Version 0.30.0Compare Source
Removed
v0.29.0
: Version 0.29.0Compare Source
Added
follow_redirects
parameter toTestClient
#2207.__str__
toHTTPException
andWebSocketException
#2181.lifespan
together withon_startup
/on_shutdown
#2193.Host
to generate the OpenAPI schema #2183.request
argument toTemplateResponse
#2191.Fixed
body_stream
in casemore_body=False
onBaseHTTPMiddleware
#2194.Full Changelog: encode/starlette@0.28.0...0.29.0
v0.28.0
: Version 0.28.0Compare Source
Changed
Request
's body buffer for call_next inBaseHTTPMiddleware
#1692.Route
#2026.Added
env
parameter toJinja2Templates
, and deprecate**env_options
#2159.httpx
is not installed #2177.Fixed
templates url_for()
#2127.Full Changelog: encode/starlette@0.27.0...0.28.0
v0.27.0
: Version 0.27.0Compare Source
This release fixes a path traversal vulnerability in
StaticFiles
. You can view the full security advisory:GHSA-v5gw-mw7f-84px
Added
send_json
https://github.com/encode/starlette/pull/2128Fixed
commonprefix
bycommonpath
onStaticFiles
1797de4.Full Changelog: encode/starlette@0.26.1...0.27.0
v0.26.1
: Version 0.26.1Compare Source
Fixed
v0.26.0
: Version 0.26.0Compare Source
Added
Changed
url_for
signature to return aURL
instance #1385.Fixed
url_for()
andurl_path_for()
#2050.Deprecated
on_startup
andon_shutdown
events #2070.Full Changelog: encode/starlette@0.25.0...0.26.0
v0.25.0
: Version 0.25.0Compare Source
Fixed
multipart/form-data
on theMultipartParser
8c74c2c and #2036.v0.24.0
: Version 0.24.0Compare Source
Added
StaticFiles
to follow symlinks #1683.Request.form()
as a context manager #1903.size
attribute toUploadFile
#1405.env_prefix
argument toConfig
#1990.str
anddatetime
onexpires
parameter on theResponse.set_cookie
method #1908.Changed
file
argument required onUploadFile
#1413.Fixed
URL.replace
#1965.v0.23.1
: Version 0.23.1Compare Source
Fixed
body_stream
if body is empty on theBaseHTTPMiddleware
#1940.v0.23.0
: Version 0.23.0Compare Source
Added
headers
parameter to theTestClient
#1966.Deprecated
Starlette
andRouter
decorators #1897.Fixed
FloatConvertor
regex #1973.Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.