Skip to content

Commit

Permalink
Update dependency aiohttp to v3.9.2 [SECURITY] (#349)
Browse files Browse the repository at this point in the history
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [aiohttp](https://togithub.com/aio-libs/aiohttp) | `==3.9.1` ->
`==3.9.2` |
[![age](https://developer.mend.io/api/mc/badges/age/pypi/aiohttp/3.9.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/pypi/aiohttp/3.9.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/pypi/aiohttp/3.9.1/3.9.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/aiohttp/3.9.1/3.9.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2024-23829](https://togithub.com/aio-libs/aiohttp/security/advisories/GHSA-8qpw-xqxj-h4r2)

### Summary
Security-sensitive parts of the *Python HTTP parser* retained minor
differences in allowable character sets, that must trigger error
handling to robustly match frame boundaries of proxies in order to
protect against injection of additional requests. Additionally,
validation could trigger exceptions that were not handled consistently
with processing of other malformed input.

### Details
These problems are rooted in pattern matching protocol elements,
previously improved by PR #​3235 and GHSA-gfw2-4jvh-wgfg:

1. The expression `HTTP/(\d).(\d)` lacked another backslash to clarify
that the separator should be a literal dot, not just *any* Unicode code
point (result: `HTTP/(\d)\.(\d)`).

2. The HTTP version was permitting Unicode digits, where only ASCII
digits are standards-compliant.

3. Distinct regular expressions for validating HTTP Method and Header
field names were used - though both should (at least) apply the common
restrictions of rfc9110 `token`.

### PoC
`GET / HTTP/1ö1`
`GET / HTTP/1.𝟙`
`GET/: HTTP/1.1`
`Content-Encoding?: chunked`

### Impact
Primarily concerns running an aiohttp server without llhttp:
1. **behind a proxy**: Being more lenient than internet standards
require could, depending on deployment environment, assist in request
smuggling.
2. **directly accessible** or exposed behind proxies relaying malformed
input: the unhandled exception could cause excessive resource
consumption on the application server and/or its logging facilities.

-----

Patch:
[https://github.com/aio-libs/aiohttp/pull/8074](https://togithub.com/aio-libs/aiohttp/pull/8074)/files

####
[CVE-2024-23334](https://togithub.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f)

### Summary
Improperly configuring static resource resolution in aiohttp when used
as a web server can result in the unauthorized reading of arbitrary
files on the system.

### Details
When using aiohttp as a web server and configuring static routes, it is
necessary to specify the root path for static files. Additionally, the
option 'follow_symlinks' can be used to determine whether to follow
symbolic links outside the static root directory. When 'follow_symlinks'
is set to True, there is no validation to check if a given file path is
within the root directory.This can lead to directory traversal
vulnerabilities, resulting in unauthorized access to arbitrary files on
the system, even when symlinks are not present.

i.e. An application is only vulnerable with setup code like:
```
app.router.add_routes([
    web.static("/static", "static/", follow_symlinks=True),  # Remove follow_symlinks to avoid the vulnerability
])
```

### Impact
This is a directory traversal vulnerability with CWE ID 22. When using
aiohttp as a web server and enabling static resource resolution with
`follow_symlinks` set to True, it can lead to this vulnerability. This
vulnerability has been present since the introduction of the
`follow_symlinks` parameter.

### Workaround
Even if upgrading to a patched version of aiohttp, we recommend
following these steps regardless.

If using `follow_symlinks=True` outside of a restricted local
development environment, disable the option immediately. This option is
NOT needed to follow symlinks which point to a location _within_ the
static root directory, it is _only_ intended to allow a symlink to break
out of the static directory. Even with this CVE fixed, there is still a
substantial risk of misconfiguration when using this option on a server
that accepts requests from remote users.

Additionally, aiohttp has always recommended using a reverse proxy
server (such as nginx) to handle static resources and _not_ to use these
static resources in aiohttp for production environments. Doing so also
protects against this vulnerability, and is why we expect the number of
affected users to be very low.

-----

Patch:
[https://github.com/aio-libs/aiohttp/pull/8079](https://togithub.com/aio-libs/aiohttp/pull/8079)/files

---

### Release Notes

<details>
<summary>aio-libs/aiohttp (aiohttp)</summary>

###
[`v3.9.2`](https://togithub.com/aio-libs/aiohttp/releases/tag/v3.9.2):
3.9.2

[Compare
Source](https://togithub.com/aio-libs/aiohttp/compare/v3.9.1...v3.9.2)

## Bug fixes

-   Fixed server-side websocket connection leak.

    *Related issues and pull requests on GitHub:*
    [#&#8203;7978](https://togithub.com/aio-libs/aiohttp/issues/7978).

-   Fixed `web.FileResponse` doing blocking I/O in the event loop.

    *Related issues and pull requests on GitHub:*
    [#&#8203;8012](https://togithub.com/aio-libs/aiohttp/issues/8012).

- Fixed double compress when compression enabled and compressed file
exists in server file responses.

    *Related issues and pull requests on GitHub:*
    [#&#8203;8014](https://togithub.com/aio-libs/aiohttp/issues/8014).

-   Added runtime type check for `ClientSession` `timeout` parameter.

    *Related issues and pull requests on GitHub:*
    [#&#8203;8021](https://togithub.com/aio-libs/aiohttp/issues/8021).

- Fixed an unhandled exception in the Python HTTP parser on header lines
starting with a colon -- by :user:`pajod`.

Invalid request lines with anything but a dot between the HTTP major and
minor version are now rejected.
Invalid header field names containing question mark or slash are now
rejected.
Such requests are incompatible with :rfc:`9110#section-5.6.2` and are
not known to be of any legitimate use.

    *Related issues and pull requests on GitHub:*
    [#&#8203;8074](https://togithub.com/aio-libs/aiohttp/issues/8074).

- Improved validation of paths for static resources requests to the
server -- by :user:`bdraco`.

    *Related issues and pull requests on GitHub:*
    [#&#8203;8079](https://togithub.com/aio-libs/aiohttp/issues/8079).

## Features

- Added support for passing :py:data:`True` to `ssl` parameter in
`ClientSession` while
    deprecating :py:data:`None` -- by :user:`xiangyan99`.

    *Related issues and pull requests on GitHub:*
    [#&#8203;7698](https://togithub.com/aio-libs/aiohttp/issues/7698).

## Breaking changes

- Fixed an unhandled exception in the Python HTTP parser on header lines
starting with a colon -- by :user:`pajod`.

Invalid request lines with anything but a dot between the HTTP major and
minor version are now rejected.
Invalid header field names containing question mark or slash are now
rejected.
Such requests are incompatible with :rfc:`9110#section-5.6.2` and are
not known to be of any legitimate use.

    *Related issues and pull requests on GitHub:*
    [#&#8203;8074](https://togithub.com/aio-libs/aiohttp/issues/8074).

## Improved documentation

- Fixed examples of `fallback_charset_resolver` function in the
:doc:`client_advanced` document. -- by :user:`henry0312`.

    *Related issues and pull requests on GitHub:*
    [#&#8203;7995](https://togithub.com/aio-libs/aiohttp/issues/7995).

-   The Sphinx setup was updated to avoid showing the empty
    changelog draft section in the tagged release documentation
    builds on Read The Docs -- by :user:`webknjaz`.

    *Related issues and pull requests on GitHub:*
    [#&#8203;8067](https://togithub.com/aio-libs/aiohttp/issues/8067).

## Packaging updates and notes for downstreams

-   The changelog categorization was made clearer. The
    contributors can now mark their fragment files more
    accurately -- by :user:`webknjaz`.

    The new category tags are:

        * ``bugfix``

        * ``feature``

        * ``deprecation``

        * ``breaking`` (previously, ``removal``)

        * ``doc``

        * ``packaging``

        * ``contrib``

        * ``misc``

    *Related issues and pull requests on GitHub:*
    [#&#8203;8066](https://togithub.com/aio-libs/aiohttp/issues/8066).

## Contributor-facing changes

- Updated :ref:`contributing/Tests coverage <aiohttp-contributing>`
section to show how we use `codecov` -- by :user:`Dreamsorcerer`.

    *Related issues and pull requests on GitHub:*
    [#&#8203;7916](https://togithub.com/aio-libs/aiohttp/issues/7916).

-   The changelog categorization was made clearer. The
    contributors can now mark their fragment files more
    accurately -- by :user:`webknjaz`.

    The new category tags are:

        * ``bugfix``

        * ``feature``

        * ``deprecation``

        * ``breaking`` (previously, ``removal``)

        * ``doc``

        * ``packaging``

        * ``contrib``

        * ``misc``

    *Related issues and pull requests on GitHub:*
    [#&#8203;8066](https://togithub.com/aio-libs/aiohttp/issues/8066).

## Miscellaneous internal changes

-   Replaced all `tmpdir` fixtures with `tmp_path` in test suite.

    *Related issues and pull requests on GitHub:*
    [#&#8203;3551](https://togithub.com/aio-libs/aiohttp/issues/3551).

***

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/allenporter/pyrainbird).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xNTMuMiIsInVwZGF0ZWRJblZlciI6IjM3LjE1My4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
  • Loading branch information
renovate[bot] authored Feb 1, 2024
1 parent 2799549 commit bbc390c
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion requirements_dev.txt
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
-e .
aiohttp==3.9.1
aiohttp==3.9.2
aiohttp_retry==2.8.3
freezegun==1.4.0
mitmproxy==10.2.2
Expand Down

0 comments on commit bbc390c

Please sign in to comment.