symphony-bdk-python

Update dependency aiohttp to v3.10.2 [SECURITY]

Open renovate[bot] opened this issue 1 year ago • 0 comments

This PR contains the following updates:

Package Change
aiohttp 3.9.3 -> 3.10.2

GitHub Vulnerability Alerts

CVE-2024-27306

Summary

An XSS vulnerability exists on index pages for static file handling.

Details

When using web.static(..., show_index=True), the resulting index pages do not escape file names.

If users can upload files with arbitrary filenames to the static directory, the server is vulnerable to XSS attacks.

Workaround

We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected.

Other users can disable show_index if unable to upgrade.


Patch: https://github.com/aio-libs/aiohttp/pull/8319/files
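As an added illustration (not aiohttp's code and not part of the advisory), the stand-in index renderer below shows the bug class behind CVE-2024-27306 next to its hardened form: the unescaped version drops file names straight into HTML in both the link text and the href attribute; the escaped version runs each name through html.escape() and percent-encodes the href segment. The sample file names, the function names and the aiohttp configuration mentioned in the comments are assumptions for this example; it is stdlib only, so it runs without aiohttp installed.

```python
import html
from urllib.parse import quote

# Constructed listing: one benign name and one attacker-chosen name carrying
# an HTML payload (assumption: an upload feature lets it land in the static
# directory that the index page lists).
SAMPLE_NAMES = [
    "report.pdf",
    '<img src=x onerror="alert(1)">.txt',
]

# In aiohttp the relevant knob is web.static(prefix, path, show_index=...);
# show_index=False is the default and is the advisory's workaround, while
# 3.9.4+ escapes the names when show_index=True is kept.


def render_index_unescaped(prefix: str, names: list[str]) -> str:
    """Vulnerable form: names are interpolated into HTML verbatim, in both
    the href attribute and the link text. Stand-in for the bug class, not
    aiohttp's own template."""
    items = "".join(f'<li><a href="{prefix}/{n}">{n}</a></li>' for n in names)
    return f"<html><body><h1>Index of {prefix}</h1><ul>{items}</ul></body></html>"


def render_index_escaped(prefix: str, names: list[str]) -> str:
    """Hardened form: html.escape() (quote=True by default, so both quote
    characters are covered) for every untrusted value in text or attribute
    context, and quote(safe="") so the name is one percent-encoded path
    segment inside the href."""
    items = "".join(
        f'<li><a href="{html.escape(prefix)}/{quote(n, safe="")}">'
        f"{html.escape(n)}</a></li>"
        for n in names
    )
    return (
        f"<html><body><h1>Index of {html.escape(prefix)}</h1>"
        f"<ul>{items}</ul></body></html>"
    )


def payload_survives(page: str) -> bool:
    """Check: does any sample name that contains markup appear verbatim in
    the rendered page? True means the payload would execute in a browser."""
    return any(n in page for n in SAMPLE_NAMES if "<" in n)
```

The same two renderers can be pointed at a real directory listing (os.listdir) to audit a hand-rolled index page; the point is that escaping must cover the attribute context as well as the text node, which is why the href is percent-encoded rather than merely HTML-escaped.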

CVE-2024-30251

Summary

An attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests.

Impact

An attacker can stop the application from serving requests after sending a single request.


For anyone needing to patch older versions of aiohttp, the minimum diff needed to resolve the issue is (located in _read_chunk_from_length()):

diff --git a/aiohttp/multipart.py b/aiohttp/multipart.py
index 227be605c..71fc2654a 100644
--- a/aiohttp/multipart.py
+++ b/aiohttp/multipart.py
@​@​ -338,6 +338,8 @​@​ class BodyPartReader:
         assert self._length is not None, "Content-Length required for chunked read"
         chunk_size = min(size, self._length - self._read_bytes)
         chunk = await self._content.read(chunk_size)
+        if self._content.at_eof():
+            self._at_eof = True
         return chunk
 
     async def _read_chunk_from_stream(self, size: int) -> bytes:
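Review bot: the guard added in _read_chunk_from_length() ends the part silently when self._content.at_eof() fires, so a part whose bytes stop short of the declared self._length now returns truncated data with no error, and nothing in the hunk says why the check exists. Suggest comparing self._read_bytes + len(chunk) against self._length at that point and raising or at least logging the shortfall instead of treating a short body as a clean end-of-part, and adding a one-line comment above the if, e.g. "# a body shorter than its Content-Length would otherwise spin the read loop on empty reads forever", so the next person touching this method does not remove it as redundant.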

This does, however, introduce some very minor issues with handling form data. So, if possible, it is recommended to also backport the changes in:

  • https://github.com/aio-libs/aiohttp/commit/cebe526b9c34dc3a3da9140409db63014bc4cf19
  • https://github.com/aio-libs/aiohttp/commit/7eecdff163ccf029fbb1ddc9de4169d4aaeb6597
  • https://github.com/aio-libs/aiohttp/commit/f21c6f2ca512a026ce7f0f6c6311f62d6a638866
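To make the loop in the summary concrete, here is an added example (not aiohttp's code) that models only the Content-Length-bounded part reader from the diff above, driven by a constructed in-memory stream. FakeStream, PartReader, drain_part and the `fixed` switch are assumptions for this example, and the boundary parsing that surrounds this code in aiohttp is left out. With fixed=False a part that declares 12 bytes but receives 5 spins on empty reads (capped here so the demo terminates); with fixed=True the guard from the patch ends the loop at stream EOF.

```python
import asyncio


class FakeStream:
    """Constructed stand-in for aiohttp's StreamReader: serves a fixed byte
    string and reports EOF once every byte has been handed out."""

    def __init__(self, data: bytes) -> None:
        self._data = data
        self._pos = 0

    async def read(self, n: int) -> bytes:
        chunk = self._data[self._pos:self._pos + n]
        self._pos += len(chunk)
        return chunk  # b"" once exhausted, like a socket the client stopped feeding

    def at_eof(self) -> bool:
        return self._pos >= len(self._data)


class PartReader:
    """Models one multipart body part read by its declared Content-Length.

    fixed=False reproduces the pre-patch behaviour: an empty read at EOF never
    marks the part finished, so a body shorter than its declared length makes
    the drain loop spin. fixed=True applies the two-line guard from the diff.
    (Assumed names; boundary parsing is deliberately omitted.)
    """

    def __init__(self, content: FakeStream, length: int, fixed: bool) -> None:
        self._content = content
        self._length = length
        self._read_bytes = 0
        self._at_eof = False
        self._fixed = fixed

    async def _read_chunk_from_length(self, size: int) -> bytes:
        chunk_size = min(size, self._length - self._read_bytes)
        chunk = await self._content.read(chunk_size)
        if self._fixed and self._content.at_eof():
            self._at_eof = True  # the patched lines
        return chunk

    async def read_chunk(self, size: int = 8192) -> bytes:
        if self._at_eof:
            return b""
        chunk = await self._read_chunk_from_length(size)
        self._read_bytes += len(chunk)
        if self._read_bytes == self._length:
            self._at_eof = True  # normal completion: declared length reached
        return chunk

    async def read_all(self, max_iterations: int) -> tuple[bytes, bool]:
        """Drain the part. Returns (data, spun); spun is True when the loop
        hit max_iterations without reaching EOF, i.e. the DoS condition
        (the real loop has no cap and never returns)."""
        data = bytearray()
        iterations = 0
        while not self._at_eof:
            if iterations >= max_iterations:
                return bytes(data), True
            iterations += 1
            data.extend(await self.read_chunk())
        return bytes(data), False


def drain_part(body: bytes, declared_length: int, fixed: bool) -> tuple[bytes, bool]:
    """Run one part through the reader on a fresh event loop."""
    reader = PartReader(FakeStream(body), declared_length, fixed)
    return asyncio.run(reader.read_all(max_iterations=100))


# Constructed request: the part declares Content-Length: 12 but only 5 bytes
# arrive before the client stops sending.
TRUNCATED_BODY = b"hello"
DECLARED_LENGTH = 12
```

A well-formed part (body length equal to the declared length) drains cleanly in both modes; the two modes only diverge when the body is shorter than its Content-Length, which is exactly what a single crafted request can arrange.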

CVE-2024-42367

Summary

Static routes which contain files with compressed variants (.gz or .br extension) were vulnerable to path traversal outside the root directory if those variants are symbolic links.

Details

The server protects static routes from path traversal outside the root directory when follow_symlinks=False (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the FileResponse class, and symbolic links are then automatically followed when performing Path.stat() and Path.open() to send the file.

Impact

Servers with static routes that contain compressed variants as symbolic links, pointing outside the root directory, or that permit users to upload or create such links, are impacted.


Patch: https://github.com/aio-libs/aiohttp/pull/8653/files
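The missing check the advisory describes, as an added example (not the aiohttp patch): a stand-in file selection for a static route that confines the requested file to the root and then, when check_variant=True, also resolves the .br/.gz candidate and drops it if it escapes the root, falling back to the uncompressed file. The fixture builds a temporary static root, a secret file outside it and a symlink index.html.gz pointing at that secret. The function and fixture names and the fall-back-to-uncompressed choice are assumptions of this example; it needs a filesystem on which the process may create symlinks.

```python
from __future__ import annotations

import os
import shutil
import tempfile
from pathlib import Path


def pick_file_to_send(root: Path, rel_path: str, accept_encoding: str,
                      *, check_variant: bool) -> Path | None:
    """Stand-in for a static route's file selection (assumed name, not
    aiohttp's API). check_variant=False mirrors the vulnerable behaviour:
    only the requested file is confined to root and the compressed variant
    is opened as found. check_variant=True resolves the variant as well."""
    root = root.resolve()
    requested = (root / rel_path).resolve()
    if not requested.is_relative_to(root):
        return None  # traversal, or a symlink escaping root on the base file

    encodings = {e.strip().lower() for e in accept_encoding.split(",")}
    candidates = []
    if "br" in encodings:
        candidates.append(requested.with_name(requested.name + ".br"))
    if "gzip" in encodings:
        candidates.append(requested.with_name(requested.name + ".gz"))

    for cand in candidates:
        if not cand.is_file():        # is_file() follows symlinks
            continue
        if check_variant and not cand.resolve().is_relative_to(root):
            continue                  # variant is a link out of root: skip it
        return cand
    return requested if requested.is_file() else None


def build_fixture() -> tuple[Path, Path]:
    """Constructed scenario: static root with index.html, a secret outside
    root, and root/index.html.gz as a symlink to that secret."""
    base = Path(tempfile.mkdtemp())
    root = base / "static"
    root.mkdir()
    (root / "index.html").write_text("<h1>hi</h1>")
    secret = base / "secret.txt"
    secret.write_text("db_password=hunter2")
    os.symlink(secret, root / "index.html.gz")
    return root, secret


def serve_index(check_variant: bool) -> tuple[bool, str | None]:
    """Returns (chosen file is inside root, content that would be sent) for
    a request for index.html with Accept-Encoding: gzip, br."""
    root, _secret = build_fixture()
    try:
        chosen = pick_file_to_send(root, "index.html", "gzip, br",
                                   check_variant=check_variant)
        if chosen is None:
            return False, None
        inside = chosen.resolve().is_relative_to(root.resolve())
        return inside, chosen.read_text()
    finally:
        shutil.rmtree(root.parent)
```

The same is_relative_to() check can be run over an existing document root as an audit: walk the tree, and for every *.gz or *.br that is a symlink, verify its resolved target stays under the root.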


Release Notes

aio-libs/aiohttp (aiohttp)

v3.10.2

Compare Source


Bug fixes

  • Fixed server checks for circular symbolic links to be compatible with Python 3.13 -- by steverep.

    Related issues and pull requests on GitHub: #8565.

  • Fixed request body not being read when ignoring an Upgrade request -- by Dreamsorcerer.

    Related issues and pull requests on GitHub: #8597.

  • Fixed an edge case where shutdown would wait for timeout when the handler was already completed -- by Dreamsorcerer.

    Related issues and pull requests on GitHub: #8611.

  • Fixed connecting to npipe://, tcp://, and unix:// urls -- by bdraco.

    Related issues and pull requests on GitHub: #8632.

  • Fixed WebSocket ping tasks being prematurely garbage collected -- by bdraco.

    There was a small risk that WebSocket ping tasks would be prematurely garbage collected because the event loop only holds a weak reference to the task. The garbage collection risk has been fixed by holding a strong reference to the task. Additionally, the task is now scheduled eagerly with Python 3.12+ to increase the chance it can be completed immediately and avoid having to hold any references to the task.

    Related issues and pull requests on GitHub: #8641.

  • Fixed incorrectly following symlinks for compressed file variants -- by steverep.

    Related issues and pull requests on GitHub: #8652.

Removals and backward incompatible breaking changes

  • Removed Request.wait_for_disconnection(), which was mistakenly added briefly in 3.10.0 -- by Dreamsorcerer.

    Related issues and pull requests on GitHub: #8636.

Contributor-facing changes

  • Fixed monkey patches for Path.stat() and Path.is_dir() for Python 3.13 compatibility -- by steverep.

    Related issues and pull requests on GitHub: #8551.

Miscellaneous internal changes

  • Improved WebSocket performance when messages are sent or received frequently -- by bdraco.

    The WebSocket heartbeat scheduling algorithm was improved to reduce the asyncio scheduling overhead by decreasing the number of asyncio.TimerHandle creations and cancellations.

    Related issues and pull requests on GitHub: #8608.

  • Minor improvements to various type annotations -- by Dreamsorcerer.

    Related issues and pull requests on GitHub: #8634.


v3.10.1

Compare Source

v3.10.0

Compare Source

v3.9.5

Compare Source


Bug fixes

  • Fixed "Unclosed client session" when initialization of ClientSession fails -- by NewGlad.

    Related issues and pull requests on GitHub: #8253.

  • Fixed regression (from #8280) with adding Content-Disposition to the form-data part after appending to writer -- by Dreamsorcerer/Olegt0rr.

    Related issues and pull requests on GitHub: #8332.

  • Added default Content-Disposition in multipart/form-data responses to avoid broken form-data responses -- by Dreamsorcerer.

    Related issues and pull requests on GitHub: #8335.


v3.9.4

Compare Source


Bug fixes

  • The asynchronous internals now set the underlying causes when assigning exceptions to the future objects -- by webknjaz.

    Related issues and pull requests on GitHub: #8089.

  • Treated values of Accept-Encoding header as case-insensitive when checking for gzip files -- by steverep.

    Related issues and pull requests on GitHub: #8104.

  • Improved the DNS resolution performance on cache hit -- by bdraco.

    This is achieved by avoiding an asyncio task creation in this case.

    Related issues and pull requests on GitHub: #8163.

  • Changed the type annotations to allow dict on aiohttp.MultipartWriter.append, aiohttp.MultipartWriter.append_json and aiohttp.MultipartWriter.append_form -- by cakemanny.

    Related issues and pull requests on GitHub: #7741.

  • Ensure websocket transport is closed when client does not close it -- by bdraco.

    The transport could remain open if the client did not close it. This change ensures the transport is closed when the client does not close it.

    Related issues and pull requests on GitHub: #8200.

  • Leave websocket transport open if receive times out or is cancelled -- by bdraco.

    This restores the behavior prior to the change in #7978.

    Related issues and pull requests on GitHub: #8251.

  • Fixed content not being read when an upgrade request was not supported with the pure Python implementation -- by bdraco.

    Related issues and pull requests on GitHub: #8252.

  • Fixed a race condition with incoming connections during server shutdown -- by Dreamsorcerer.

    Related issues and pull requests on GitHub: #8271.

  • Fixed multipart/form-data compliance with RFC 7578 -- by Dreamsorcerer.

    Related issues and pull requests on GitHub: #8280.

  • Fixed blocking I/O in the event loop while processing files in a POST request -- by bdraco.

    Related issues and pull requests on GitHub: #8283.

  • Escaped filenames in static view -- by bdraco.

    Related issues and pull requests on GitHub: #8317.

  • Fixed the pure python parser to mark a connection as closing when a response has no length -- by Dreamsorcerer.

    Related issues and pull requests on GitHub: #8320.

Features

  • Upgraded llhttp to 9.2.1, and started rejecting obsolete line folding in Python parser to match -- by Dreamsorcerer.

    Related issues and pull requests on GitHub: #8146, #8292.

Deprecations (removal in next major release)

  • Deprecated content_transfer_encoding parameter in FormData.add_field() -- by Dreamsorcerer.

    Related issues and pull requests on GitHub: #8280.

Improved documentation

  • Added a note about canceling tasks to avoid delaying server shutdown -- by Dreamsorcerer.

    Related issues and pull requests on GitHub: #8267.

Contributor-facing changes

  • The pull request template is now asking the contributors to answer a question about the long-term maintenance challenges they envision as a result of merging their patches -- by webknjaz.

    Related issues and pull requests on GitHub: #8099.

  • Updated CI and documentation to use NPM clean install and upgrade node to version 18 -- by steverep.

    Related issues and pull requests on GitHub: #8116.

  • A pytest fixture hello_txt was introduced to aid static file serving tests in test_web_sendfile_functional.py. It dynamically provisions hello.txt file variants shared across the tests in the module -- by steverep.

    Related issues and pull requests on GitHub: #8136.

Packaging updates and notes for downstreams

  • Added an internal pytest marker for tests which should be skipped by packagers (use -m 'not internal' to disable them) -- by Dreamsorcerer.

    Related issues and pull requests on GitHub: #8299.



Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • [ ] If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate[bot], Aug 08 '24 21:08