Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency aiohttp to v3.9.2 [security] - autoclosed #25

Merged
merged 1 commit into from
Feb 4, 2024
Merged

chore(deps): update dependency aiohttp to v3.9.2 [security] - autoclosed #25

merged 1 commit into from
Feb 4, 2024

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Nov 28, 2023
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
aiohttp ==3.8.6 -> ==3.9.2 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-49082

Summary

Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method.

Details

The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request.

Previous releases performed no validation on the provided value. If an attacker controls the HTTP method it will be used as is and can lead to HTTP request smuggling.

PoC

A minimal example can be found here:
https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b

Impact

If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling).

Workaround

If unable to upgrade and using user-provided values for the request method, perform manual validation of the user value (e.g. by restricting it to a few known values like GET, POST etc.).

Patch: https://github.com/aio-libs/aiohttp/pull/7806/files

CVE-2023-49081

Summary

Improper validation make it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or even create a new HTTP request if the attacker controls the HTTP version.

Details

The vulnerability only occurs if the attacker can control the HTTP version of the request (including its type).
For example if an unvalidated JSON value is used as a version and the attacker is then able to pass an array as the version parameter.
Furthermore, the vulnerability only occurs when the Connection header is passed to the headers parameter.

At this point, the library will use the parsed value to create the request. If a list is passed, then it bypasses validation and it is possible to perform CRLF injection.

PoC

The POC below shows an example of providing an unvalidated array as a version:
https://gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508e

Impact

CRLF injection leading to Request Smuggling.

Workaround

If these specific conditions are met and you are unable to upgrade, then validate the user input to the version parameter to ensure it is a str.

Patch: https://github.com/aio-libs/aiohttp/pull/7835/files

CVE-2024-23829

Summary

Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input.

Details

These problems are rooted in pattern matching protocol elements, previously improved by PR #​3235 and GHSA-gfw2-4jvh-wgfg:

  1. The expression HTTP/(\d).(\d) lacked another backslash to clarify that the separator should be a literal dot, not just any Unicode code point (result: HTTP/(\d)\.(\d)).

  2. The HTTP version was permitting Unicode digits, where only ASCII digits are standards-compliant.

  3. Distinct regular expressions for validating HTTP Method and Header field names were used - though both should (at least) apply the common restrictions of rfc9110 token.

PoC

GET / HTTP/1ö1
GET / HTTP/1.𝟙
GET/: HTTP/1.1
Content-Encoding?: chunked

Impact

Primarily concerns running an aiohttp server without llhttp:

  1. behind a proxy: Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling.
  2. directly accessible or exposed behind proxies relaying malformed input: the unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities.

Patch: https://github.com/aio-libs/aiohttp/pull/8074/files

CVE-2024-23334

Summary

Improperly configuring static resource resolution in aiohttp when used as a web server can result in the unauthorized reading of arbitrary files on the system.

Details

When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if a given file path is within the root directory.This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present.

i.e. An application is only vulnerable with setup code like:

app.router.add_routes([
    web.static("/static", "static/", follow_symlinks=True),  # Remove follow_symlinks to avoid the vulnerability
])

Impact

This is a directory traversal vulnerability with CWE ID 22. When using aiohttp as a web server and enabling static resource resolution with follow_symlinks set to True, it can lead to this vulnerability. This vulnerability has been present since the introduction of the follow_symlinks parameter.

Workaround

Even if upgrading to a patched version of aiohttp, we recommend following these steps regardless.

If using follow_symlinks=True outside of a restricted local development environment, disable the option immediately. This option is NOT needed to follow symlinks which point to a location within the static root directory, it is only intended to allow a symlink to break out of the static directory. Even with this CVE fixed, there is still a substantial risk of misconfiguration when using this option on a server that accepts requests from remote users.

Additionally, aiohttp has always recommended using a reverse proxy server (such as nginx) to handle static resources and not to use these static resources in aiohttp for production environments. Doing so also protects against this vulnerability, and is why we expect the number of affected users to be very low.

Patch: https://github.com/aio-libs/aiohttp/pull/8079/files

Release Notes

aio-libs/aiohttp (aiohttp)

v3.9.2: 3.9.2

Compare Source

Bug fixes

  • Fixed server-side websocket connection leak.

    Related issues and pull requests on GitHub:
    #​7978.

  • Fixed web.FileResponse doing blocking I/O in the event loop.

    Related issues and pull requests on GitHub:
    #​8012.

  • Fixed double compress when compression enabled and compressed file exists in server file responses.

    Related issues and pull requests on GitHub:
    #​8014.

  • Added runtime type check for ClientSession timeout parameter.

    Related issues and pull requests on GitHub:
    #​8021.

  • Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by :user:pajod.

    Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected.
    Invalid header field names containing question mark or slash are now rejected.
    Such requests are incompatible with :rfc:9110#section-5.6.2 and are not known to be of any legitimate use.

    Related issues and pull requests on GitHub:
    #​8074.

  • Improved validation of paths for static resources requests to the server -- by :user:bdraco.

    Related issues and pull requests on GitHub:
    #​8079.

Features

  • Added support for passing :py:data:True to ssl parameter in ClientSession while
    deprecating :py:data:None -- by :user:xiangyan99.

    Related issues and pull requests on GitHub:
    #​7698.

Breaking changes

  • Fixed an unhandled exception in the Python HTTP parser on header lines starting with a colon -- by :user:pajod.

    Invalid request lines with anything but a dot between the HTTP major and minor version are now rejected.
    Invalid header field names containing question mark or slash are now rejected.
    Such requests are incompatible with :rfc:9110#section-5.6.2 and are not known to be of any legitimate use.

    Related issues and pull requests on GitHub:
    #​8074.

Improved documentation

  • Fixed examples of fallback_charset_resolver function in the :doc:client_advanced document. -- by :user:henry0312.

    Related issues and pull requests on GitHub:
    #​7995.

  • The Sphinx setup was updated to avoid showing the empty
    changelog draft section in the tagged release documentation
    builds on Read The Docs -- by :user:webknjaz.

    Related issues and pull requests on GitHub:
    #​8067.

Packaging updates and notes for downstreams

  • The changelog categorization was made clearer. The
    contributors can now mark their fragment files more
    accurately -- by :user:webknjaz.

    The new category tags are:

    * ``bugfix``

* ``feature``

* ``deprecation``

* ``breaking`` (previously, ``removal``)

* ``doc``

* ``packaging``

* ``contrib``

* ``misc``

    Related issues and pull requests on GitHub:
    #​8066.

Contributor-facing changes

  • Updated :ref:contributing/Tests coverage <aiohttp-contributing> section to show how we use codecov -- by :user:Dreamsorcerer.

    Related issues and pull requests on GitHub:
    #​7916.

  • The changelog categorization was made clearer. The
    contributors can now mark their fragment files more
    accurately -- by :user:webknjaz.

    The new category tags are:

    * ``bugfix``

* ``feature``

* ``deprecation``

* ``breaking`` (previously, ``removal``)

* ``doc``

* ``packaging``

* ``contrib``

* ``misc``

    Related issues and pull requests on GitHub:
    #​8066.

Miscellaneous internal changes

  • Replaced all tmpdir fixtures with tmp_path in test suite.

    Related issues and pull requests on GitHub:
    #​3551.

v3.9.1

Compare Source

==================

Bugfixes

  • Fixed importing aiohttp under PyPy on Windows.

    #&#8203;7848 <https://github.com/aio-libs/aiohttp/issues/7848>_

  • Fixed async concurrency safety in websocket compressor.

    #&#8203;7865 <https://github.com/aio-libs/aiohttp/issues/7865>_

  • Fixed ClientResponse.close() releasing the connection instead of closing.

    #&#8203;7869 <https://github.com/aio-libs/aiohttp/issues/7869>_

  • Fixed a regression where connection may get closed during upgrade. -- by :user:Dreamsorcerer

    #&#8203;7879 <https://github.com/aio-libs/aiohttp/issues/7879>_

  • Fixed messages being reported as upgraded without an Upgrade header in Python parser. -- by :user:Dreamsorcerer

    #&#8203;7895 <https://github.com/aio-libs/aiohttp/issues/7895>_

v3.9.0

Compare Source

==================

Features

  • Introduced AppKey for static typing support of Application storage.
    See https://docs.aiohttp.org/en/stable/web_advanced.html#application-s-config

    #&#8203;5864 <https://github.com/aio-libs/aiohttp/issues/5864>_

  • Added a graceful shutdown period which allows pending tasks to complete before the application's cleanup is called.
    The period can be adjusted with the shutdown_timeout parameter. -- by :user:Dreamsorcerer.
    See https://docs.aiohttp.org/en/latest/web_advanced.html#graceful-shutdown

    #&#8203;7188 <https://github.com/aio-libs/aiohttp/issues/7188>_

  • Added handler_cancellation <https://docs.aiohttp.org/en/stable/web_advanced.html#web-handler-cancellation>_ parameter to cancel web handler on client disconnection. -- by :user:mosquito
    This (optionally) reintroduces a feature removed in a previous release.
    Recommended for those looking for an extra level of protection against denial-of-service attacks.

    #&#8203;7056 <https://github.com/aio-libs/aiohttp/issues/7056>_

  • Added support for setting response header parameters max_line_size and max_field_size.

    #&#8203;2304 <https://github.com/aio-libs/aiohttp/issues/2304>_

  • Added auto_decompress parameter to ClientSession.request to override ClientSession._auto_decompress. -- by :user:Daste745

    #&#8203;3751 <https://github.com/aio-libs/aiohttp/issues/3751>_

  • Changed raise_for_status to allow a coroutine.

    #&#8203;3892 <https://github.com/aio-libs/aiohttp/issues/3892>_

  • Added client brotli compression support (optional with runtime check).

    #&#8203;5219 <https://github.com/aio-libs/aiohttp/issues/5219>_

  • Added client_max_size to BaseRequest.clone() to allow overriding the request body size. -- :user:anesabml.

    #&#8203;5704 <https://github.com/aio-libs/aiohttp/issues/5704>_

  • Added a middleware type alias aiohttp.typedefs.Middleware.

    #&#8203;5898 <https://github.com/aio-libs/aiohttp/issues/5898>_

  • Exported HTTPMove which can be used to catch any redirection request
    that has a location -- :user:dreamsorcerer.

    #&#8203;6594 <https://github.com/aio-libs/aiohttp/issues/6594>_

  • Changed the path parameter in web.run_app() to accept a pathlib.Path object.

    #&#8203;6839 <https://github.com/aio-libs/aiohttp/issues/6839>_

  • Performance: Skipped filtering CookieJar when the jar is empty or all cookies have expired.

    #&#8203;7819 <https://github.com/aio-libs/aiohttp/issues/7819>_

  • Performance: Only check origin if insecure scheme and there are origins to treat as secure, in CookieJar.filter_cookies().

    #&#8203;7821 <https://github.com/aio-libs/aiohttp/issues/7821>_

  • Performance: Used timestamp instead of datetime to achieve faster cookie expiration in CookieJar.

    #&#8203;7824 <https://github.com/aio-libs/aiohttp/issues/7824>_

  • Added support for passing a custom server name parameter to HTTPS connection.

    #&#8203;7114 <https://github.com/aio-libs/aiohttp/issues/7114>_

  • Added support for using Basic Auth credentials from :file:.netrc file when making HTTP requests with the
    :py:class:~aiohttp.ClientSession trust_env argument is set to True. -- by :user:yuvipanda.

    #&#8203;7131 <https://github.com/aio-libs/aiohttp/issues/7131>_

  • Turned access log into no-op when the logger is disabled.

    #&#8203;7240 <https://github.com/aio-libs/aiohttp/issues/7240>_

  • Added typing information to RawResponseMessage. -- by :user:Gobot1234

    #&#8203;7365 <https://github.com/aio-libs/aiohttp/issues/7365>_

  • Removed async-timeout for Python 3.11+ (replaced with asyncio.timeout() on newer releases).

    #&#8203;7502 <https://github.com/aio-libs/aiohttp/issues/7502>_

  • Added support for brotlicffi as an alternative to brotli (fixing Brotli support on PyPy).

    #&#8203;7611 <https://github.com/aio-libs/aiohttp/issues/7611>_

  • Added WebSocketResponse.get_extra_info() to access a protocol transport's extra info.

    #&#8203;7078 <https://github.com/aio-libs/aiohttp/issues/7078>_

  • Allow link argument to be set to None/empty in HTTP 451 exception.

    #&#8203;7689 <https://github.com/aio-libs/aiohttp/issues/7689>_

Bugfixes

  • Implemented stripping the trailing dots from fully-qualified domain names in Host headers and TLS context when acting as an HTTP client.
    This allows the client to connect to URLs with FQDN host name like https://example.com./.
    -- by :user:martin-sucha.

    #&#8203;3636 <https://github.com/aio-libs/aiohttp/issues/3636>_

  • Fixed client timeout not working when incoming data is always available without waiting. -- by :user:Dreamsorcerer.

    #&#8203;5854 <https://github.com/aio-libs/aiohttp/issues/5854>_

  • Fixed readuntil to work with a delimiter of more than one character.

    #&#8203;6701 <https://github.com/aio-libs/aiohttp/issues/6701>_

  • Added __repr__ to EmptyStreamReader to avoid AttributeError.

    #&#8203;6916 <https://github.com/aio-libs/aiohttp/issues/6916>_

  • Fixed bug when using TCPConnector with ttl_dns_cache=0.

    #&#8203;7014 <https://github.com/aio-libs/aiohttp/issues/7014>_

  • Fixed response returned from expect handler being thrown away. -- by :user:Dreamsorcerer

    #&#8203;7025 <https://github.com/aio-libs/aiohttp/issues/7025>_

  • Avoided raising UnicodeDecodeError in multipart and in HTTP headers parsing.

    #&#8203;7044 <https://github.com/aio-libs/aiohttp/issues/7044>_

  • Changed sock_read timeout to start after writing has finished, avoiding read timeouts caused by an unfinished write. -- by :user:dtrifiro

    #&#8203;7149 <https://github.com/aio-libs/aiohttp/issues/7149>_

  • Fixed missing query in tracing method URLs when using yarl 1.9+.

    #&#8203;7259 <https://github.com/aio-libs/aiohttp/issues/7259>_

  • Changed max 32-bit timestamp to an aware datetime object, for consistency with the non-32-bit one, and to avoid a DeprecationWarning on Python 3.12.

    #&#8203;7302 <https://github.com/aio-libs/aiohttp/issues/7302>_

  • Fixed EmptyStreamReader.iter_chunks() never ending. -- by :user:mind1m

    #&#8203;7616 <https://github.com/aio-libs/aiohttp/issues/7616>_

  • Fixed a rare RuntimeError: await wasn't used with future exception. -- by :user:stalkerg

    #&#8203;7785 <https://github.com/aio-libs/aiohttp/issues/7785>_

  • Fixed issue with insufficient HTTP method and version validation.

    #&#8203;7700 <https://github.com/aio-libs/aiohttp/issues/7700>_

  • Added check to validate that absolute URIs have schemes.

    #&#8203;7712 <https://github.com/aio-libs/aiohttp/issues/7712>_

  • Fixed unhandled exception when Python HTTP parser encounters unpaired Unicode surrogates.

    #&#8203;7715 <https://github.com/aio-libs/aiohttp/issues/7715>_

  • Updated parser to disallow invalid characters in header field names and stop accepting LF as a request line separator.

    #&#8203;7719 <https://github.com/aio-libs/aiohttp/issues/7719>_

  • Fixed Python HTTP parser not treating 204/304/1xx as an empty body.

    #&#8203;7755 <https://github.com/aio-libs/aiohttp/issues/7755>_

  • Ensure empty body response for 1xx/204/304 per RFC 9112 sec 6.3.

    #&#8203;7756 <https://github.com/aio-libs/aiohttp/issues/7756>_

  • Fixed an issue when a client request is closed before completing a chunked payload. -- by :user:Dreamsorcerer

    #&#8203;7764 <https://github.com/aio-libs/aiohttp/issues/7764>_

  • Edge Case Handling for ResponseParser for missing reason value.

    #&#8203;7776 <https://github.com/aio-libs/aiohttp/issues/7776>_

  • Fixed ClientWebSocketResponse.close_code being erroneously set to None when there are concurrent async tasks receiving data and closing the connection.

    #&#8203;7306 <https://github.com/aio-libs/aiohttp/issues/7306>_

  • Added HTTP method validation.

    #&#8203;6533 <https://github.com/aio-libs/aiohttp/issues/6533>_

  • Fixed arbitrary sequence types being allowed to inject values via version parameter. -- by :user:Dreamsorcerer

    #&#8203;7835 <https://github.com/aio-libs/aiohttp/issues/7835>_

  • Performance: Fixed increase in latency with small messages from websocket compression changes.

    #&#8203;7797 <https://github.com/aio-libs/aiohttp/issues/7797>_

Improved Documentation

  • Fixed the ClientResponse.release's type in the doc. Changed from comethod to method.

    #&#8203;5836 <https://github.com/aio-libs/aiohttp/issues/5836>_

  • Added information on behavior of base_url parameter in ClientSession.

    #&#8203;6647 <https://github.com/aio-libs/aiohttp/issues/6647>_

  • Fixed ClientResponseError docs.

    #&#8203;6700 <https://github.com/aio-libs/aiohttp/issues/6700>_

  • Updated Redis code examples to follow the latest API.

    #&#8203;6907 <https://github.com/aio-libs/aiohttp/issues/6907>_

  • Added a note about possibly needing to update headers when using on_response_prepare. -- by :user:Dreamsorcerer

    #&#8203;7283 <https://github.com/aio-libs/aiohttp/issues/7283>_

  • Completed trust_env parameter description to honor wss_proxy, ws_proxy or no_proxy env.

    #&#8203;7325 <https://github.com/aio-libs/aiohttp/issues/7325>_

  • Expanded SSL documentation with more examples (e.g. how to use certifi). -- by :user:Dreamsorcerer

    #&#8203;7334 <https://github.com/aio-libs/aiohttp/issues/7334>_

  • Fix, update, and improve client exceptions documentation.

    #&#8203;7733 <https://github.com/aio-libs/aiohttp/issues/7733>_

Deprecations and Removals

  • Added shutdown_timeout parameter to BaseRunner, while
    deprecating shutdown_timeout parameter from BaseSite. -- by :user:Dreamsorcerer

    #&#8203;7718 <https://github.com/aio-libs/aiohttp/issues/7718>_

  • Dropped Python 3.6 support.

    #&#8203;6378 <https://github.com/aio-libs/aiohttp/issues/6378>_

  • Dropped Python 3.7 support. -- by :user:Dreamsorcerer

    #&#8203;7336 <https://github.com/aio-libs/aiohttp/issues/7336>_

  • Removed support for abandoned tokio event loop. -- by :user:Dreamsorcerer

    #&#8203;7281 <https://github.com/aio-libs/aiohttp/issues/7281>_

Misc

  • Made print argument in run_app() optional.

    #&#8203;3690 <https://github.com/aio-libs/aiohttp/issues/3690>_

  • Improved performance of ceil_timeout in some cases.

    #&#8203;6316 <https://github.com/aio-libs/aiohttp/issues/6316>_

  • Changed importing Gunicorn to happen on-demand, decreasing import time by ~53%. -- :user:Dreamsorcerer

    #&#8203;6591 <https://github.com/aio-libs/aiohttp/issues/6591>_

  • Improved import time by replacing http.server with http.HTTPStatus.

    #&#8203;6903 <https://github.com/aio-libs/aiohttp/issues/6903>_

  • Fixed annotation of ssl parameter to disallow True. -- by :user:Dreamsorcerer.

    #&#8203;7335 <https://github.com/aio-libs/aiohttp/issues/7335>_

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/pypi-aiohttp-vulnerability branch from 24bd6ab to 44741bb Compare January 30, 2024 00:01
@renovate renovate bot changed the title chore(deps): update dependency aiohttp to v3.9.0 [security] chore(deps): update dependency aiohttp to v3.9.2 [security] Jan 30, 2024
@Moraxyc Moraxyc merged commit 5a31b93 into main Feb 4, 2024
@renovate renovate bot changed the title chore(deps): update dependency aiohttp to v3.9.2 [security] chore(deps): update dependency aiohttp to v3.9.2 [security] - autoclosed Feb 4, 2024
@renovate renovate bot deleted the renovate/pypi-aiohttp-vulnerability branch February 4, 2024 15:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@Moraxyc