Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Validate static paths #8079

Merged
merged 15 commits into from
Jan 28, 2024
Merged

Validate static paths #8079

merged 15 commits into from
Jan 28, 2024

Conversation

Dreamsorcerer
Copy link
Member

No description provided.

@psf-chronographer psf-chronographer bot added the bot:chronographer:provided There is a change note present in this PR label Jan 28, 2024
@Dreamsorcerer Dreamsorcerer added backport-3.9 backport-3.10 Trigger automatic backporting to the 3.10 release branch by Patchback robot labels Jan 28, 2024
docs/web_advanced.rst Outdated Show resolved Hide resolved
Copy link

codecov bot commented Jan 28, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (6529c77) 97.46% compared to head (64208f7) 97.41%.
Report is 26 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #8079      +/-   ##
==========================================
- Coverage   97.46%   97.41%   -0.05%     
==========================================
  Files         107      107              
  Lines       32526    32732     +206     
  Branches     3791     3823      +32     
==========================================
+ Hits        31700    31885     +185     
- Misses        624      640      +16     
- Partials      202      207       +5     
Flag Coverage Δ
CI-GHA 97.32% <100.00%> (-0.05%) ⬇️
OS-Linux 96.99% <100.00%> (-0.06%) ⬇️
OS-Windows 95.50% <100.00%> (-0.04%) ⬇️
OS-macOS 96.81% <100.00%> (+0.13%) ⬆️
Py-3.10.11 95.43% <100.00%> (-0.04%) ⬇️
Py-3.10.13 96.81% <100.00%> (-0.06%) ⬇️
Py-3.11.7 96.46% <100.00%> (-0.11%) ⬇️
Py-3.12.1 96.62% <100.00%> (-0.03%) ⬇️
Py-3.8.10 95.40% <100.00%> (-0.04%) ⬇️
Py-3.8.18 96.74% <100.00%> (-0.06%) ⬇️
Py-3.9.13 95.40% <100.00%> (-0.04%) ⬇️
Py-3.9.18 96.78% <100.00%> (-0.06%) ⬇️
Py-pypy7.3.13 ?
Py-pypy7.3.15 96.33% <100.00%> (?)
VM-macos 96.81% <100.00%> (+0.13%) ⬆️
VM-ubuntu 96.99% <100.00%> (-0.06%) ⬇️
VM-windows 95.50% <100.00%> (-0.04%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@Dreamsorcerer Dreamsorcerer merged commit 1c33594 into master Jan 28, 2024
31 of 34 checks passed
@Dreamsorcerer Dreamsorcerer deleted the symlinks branch January 28, 2024 18:13
Copy link
Contributor

patchback bot commented Jan 28, 2024

Backport to 3.9: 💚 backport PR created

✅ Backport PR branch: patchback/backports/3.9/1c335944d6a8b1298baf179b7c0b3069f10c514b/pr-8079

Backported as #8080

🤖 @patchback
I'm built with octomachinery and
my source is open — https://github.com/sanitizers/patchback-github-app.

patchback bot pushed a commit that referenced this pull request Jan 28, 2024
Co-authored-by: J. Nick Koston <nick@koston.org>
(cherry picked from commit 1c33594)
Copy link
Contributor

patchback bot commented Jan 28, 2024

Backport to 3.10: 💚 backport PR created

✅ Backport PR branch: patchback/backports/3.10/1c335944d6a8b1298baf179b7c0b3069f10c514b/pr-8079

Backported as #8081

🤖 @patchback
I'm built with octomachinery and
my source is open — https://github.com/sanitizers/patchback-github-app.

patchback bot pushed a commit that referenced this pull request Jan 28, 2024
Co-authored-by: J. Nick Koston <nick@koston.org>
(cherry picked from commit 1c33594)
Dreamsorcerer pushed a commit that referenced this pull request Jan 28, 2024
**This is a backport of PR #8079 as merged into master
(1c33594).**
Dreamsorcerer pushed a commit that referenced this pull request Jan 28, 2024
**This is a backport of PR #8079 as merged into master
(1c33594).**
renovate bot referenced this pull request in allenporter/pyrainbird Feb 1, 2024
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [aiohttp](https://togithub.com/aio-libs/aiohttp) | `==3.9.1` ->
`==3.9.2` |
[![age](https://developer.mend.io/api/mc/badges/age/pypi/aiohttp/3.9.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/pypi/aiohttp/3.9.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/pypi/aiohttp/3.9.1/3.9.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/aiohttp/3.9.1/3.9.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2024-23829](https://togithub.com/aio-libs/aiohttp/security/advisories/GHSA-8qpw-xqxj-h4r2)

### Summary
Security-sensitive parts of the *Python HTTP parser* retained minor
differences in allowable character sets, that must trigger error
handling to robustly match frame boundaries of proxies in order to
protect against injection of additional requests. Additionally,
validation could trigger exceptions that were not handled consistently
with processing of other malformed input.

### Details
These problems are rooted in pattern matching protocol elements,
previously improved by PR #&#8203;3235 and GHSA-gfw2-4jvh-wgfg:

1. The expression `HTTP/(\d).(\d)` lacked another backslash to clarify
that the separator should be a literal dot, not just *any* Unicode code
point (result: `HTTP/(\d)\.(\d)`).

2. The HTTP version was permitting Unicode digits, where only ASCII
digits are standards-compliant.

3. Distinct regular expressions for validating HTTP Method and Header
field names were used - though both should (at least) apply the common
restrictions of rfc9110 `token`.

### PoC
`GET / HTTP/1ö1`
`GET / HTTP/1.𝟙`
`GET/: HTTP/1.1`
`Content-Encoding?: chunked`

### Impact
Primarily concerns running an aiohttp server without llhttp:
1. **behind a proxy**: Being more lenient than internet standards
require could, depending on deployment environment, assist in request
smuggling.
2. **directly accessible** or exposed behind proxies relaying malformed
input: the unhandled exception could cause excessive resource
consumption on the application server and/or its logging facilities.

-----

Patch:
[https://github.com/aio-libs/aiohttp/pull/8074](https://togithub.com/aio-libs/aiohttp/pull/8074)/files

####
[CVE-2024-23334](https://togithub.com/aio-libs/aiohttp/security/advisories/GHSA-5h86-8mv2-jq9f)

### Summary
Improperly configuring static resource resolution in aiohttp when used
as a web server can result in the unauthorized reading of arbitrary
files on the system.

### Details
When using aiohttp as a web server and configuring static routes, it is
necessary to specify the root path for static files. Additionally, the
option 'follow_symlinks' can be used to determine whether to follow
symbolic links outside the static root directory. When 'follow_symlinks'
is set to True, there is no validation to check if a given file path is
within the root directory.This can lead to directory traversal
vulnerabilities, resulting in unauthorized access to arbitrary files on
the system, even when symlinks are not present.

i.e. An application is only vulnerable with setup code like:
```
app.router.add_routes([
    web.static("/static", "static/", follow_symlinks=True),  # Remove follow_symlinks to avoid the vulnerability
])
```

### Impact
This is a directory traversal vulnerability with CWE ID 22. When using
aiohttp as a web server and enabling static resource resolution with
`follow_symlinks` set to True, it can lead to this vulnerability. This
vulnerability has been present since the introduction of the
`follow_symlinks` parameter.

### Workaround
Even if upgrading to a patched version of aiohttp, we recommend
following these steps regardless.

If using `follow_symlinks=True` outside of a restricted local
development environment, disable the option immediately. This option is
NOT needed to follow symlinks which point to a location _within_ the
static root directory, it is _only_ intended to allow a symlink to break
out of the static directory. Even with this CVE fixed, there is still a
substantial risk of misconfiguration when using this option on a server
that accepts requests from remote users.

Additionally, aiohttp has always recommended using a reverse proxy
server (such as nginx) to handle static resources and _not_ to use these
static resources in aiohttp for production environments. Doing so also
protects against this vulnerability, and is why we expect the number of
affected users to be very low.

-----

Patch:
[https://github.com/aio-libs/aiohttp/pull/8079](https://togithub.com/aio-libs/aiohttp/pull/8079)/files

---

### Release Notes

<details>
<summary>aio-libs/aiohttp (aiohttp)</summary>

###
[`v3.9.2`](https://togithub.com/aio-libs/aiohttp/releases/tag/v3.9.2):
3.9.2

[Compare
Source](https://togithub.com/aio-libs/aiohttp/compare/v3.9.1...v3.9.2)

## Bug fixes

-   Fixed server-side websocket connection leak.

    *Related issues and pull requests on GitHub:*
    [#&#8203;7978](https://togithub.com/aio-libs/aiohttp/issues/7978).

-   Fixed `web.FileResponse` doing blocking I/O in the event loop.

    *Related issues and pull requests on GitHub:*
    [#&#8203;8012](https://togithub.com/aio-libs/aiohttp/issues/8012).

- Fixed double compress when compression enabled and compressed file
exists in server file responses.

    *Related issues and pull requests on GitHub:*
    [#&#8203;8014](https://togithub.com/aio-libs/aiohttp/issues/8014).

-   Added runtime type check for `ClientSession` `timeout` parameter.

    *Related issues and pull requests on GitHub:*
    [#&#8203;8021](https://togithub.com/aio-libs/aiohttp/issues/8021).

- Fixed an unhandled exception in the Python HTTP parser on header lines
starting with a colon -- by :user:`pajod`.

Invalid request lines with anything but a dot between the HTTP major and
minor version are now rejected.
Invalid header field names containing question mark or slash are now
rejected.
Such requests are incompatible with :rfc:`9110#section-5.6.2` and are
not known to be of any legitimate use.

    *Related issues and pull requests on GitHub:*
    [#&#8203;8074](https://togithub.com/aio-libs/aiohttp/issues/8074).

- Improved validation of paths for static resources requests to the
server -- by :user:`bdraco`.

    *Related issues and pull requests on GitHub:*
    [#&#8203;8079](https://togithub.com/aio-libs/aiohttp/issues/8079).

## Features

- Added support for passing :py:data:`True` to `ssl` parameter in
`ClientSession` while
    deprecating :py:data:`None` -- by :user:`xiangyan99`.

    *Related issues and pull requests on GitHub:*
    [#&#8203;7698](https://togithub.com/aio-libs/aiohttp/issues/7698).

## Breaking changes

- Fixed an unhandled exception in the Python HTTP parser on header lines
starting with a colon -- by :user:`pajod`.

Invalid request lines with anything but a dot between the HTTP major and
minor version are now rejected.
Invalid header field names containing question mark or slash are now
rejected.
Such requests are incompatible with :rfc:`9110#section-5.6.2` and are
not known to be of any legitimate use.

    *Related issues and pull requests on GitHub:*
    [#&#8203;8074](https://togithub.com/aio-libs/aiohttp/issues/8074).

## Improved documentation

- Fixed examples of `fallback_charset_resolver` function in the
:doc:`client_advanced` document. -- by :user:`henry0312`.

    *Related issues and pull requests on GitHub:*
    [#&#8203;7995](https://togithub.com/aio-libs/aiohttp/issues/7995).

-   The Sphinx setup was updated to avoid showing the empty
    changelog draft section in the tagged release documentation
    builds on Read The Docs -- by :user:`webknjaz`.

    *Related issues and pull requests on GitHub:*
    [#&#8203;8067](https://togithub.com/aio-libs/aiohttp/issues/8067).

## Packaging updates and notes for downstreams

-   The changelog categorization was made clearer. The
    contributors can now mark their fragment files more
    accurately -- by :user:`webknjaz`.

    The new category tags are:

        * ``bugfix``

        * ``feature``

        * ``deprecation``

        * ``breaking`` (previously, ``removal``)

        * ``doc``

        * ``packaging``

        * ``contrib``

        * ``misc``

    *Related issues and pull requests on GitHub:*
    [#&#8203;8066](https://togithub.com/aio-libs/aiohttp/issues/8066).

## Contributor-facing changes

- Updated :ref:`contributing/Tests coverage <aiohttp-contributing>`
section to show how we use `codecov` -- by :user:`Dreamsorcerer`.

    *Related issues and pull requests on GitHub:*
    [#&#8203;7916](https://togithub.com/aio-libs/aiohttp/issues/7916).

-   The changelog categorization was made clearer. The
    contributors can now mark their fragment files more
    accurately -- by :user:`webknjaz`.

    The new category tags are:

        * ``bugfix``

        * ``feature``

        * ``deprecation``

        * ``breaking`` (previously, ``removal``)

        * ``doc``

        * ``packaging``

        * ``contrib``

        * ``misc``

    *Related issues and pull requests on GitHub:*
    [#&#8203;8066](https://togithub.com/aio-libs/aiohttp/issues/8066).

## Miscellaneous internal changes

-   Replaced all `tmpdir` fixtures with `tmp_path` in test suite.

    *Related issues and pull requests on GitHub:*
    [#&#8203;3551](https://togithub.com/aio-libs/aiohttp/issues/3551).

***

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/allenporter/pyrainbird).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xNTMuMiIsInVwZGF0ZWRJblZlciI6IjM3LjE1My4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport-3.10 Trigger automatic backporting to the 3.10 release branch by Patchback robot bot:chronographer:provided There is a change note present in this PR
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants