-
Notifications
You must be signed in to change notification settings - Fork 331
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[GHSA-qf9m-vfgh-m389] FastAPI Content-Type Header ReDoS #3479
Conversation
Hi there @tiangolo! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory |
Thanks! Yep, it makes sense. Thank you @huonw! 🙇 |
Thanks for the PR and the the update. I think |
Hm, okay, I can see that making a bit of sense if we adjust this advisory to be about That said, it still seems a bit weird to be calling FastAPI and Starlette vulnerable because they mention a vulnerable library in their dependencies, rather than only highlighting the truly vulnerable libraries (and if people need to upgrade other libraries, like FastAPI and Starlette, to be able to apply the fix, then that's dependabot/their responsibility). In particular, if labelling reverse dependencies as vulnerable is the convention, it seems like there should be security advisories about all the libraries in https://github.com/andrew-d/python-multipart/network/dependents?dependent_type=PACKAGE (and all the ones not on GitHub too) for consistency, not just FastAPI and Starlette. If I do a fresh install of that old fastapi version, I get the non-vulnerable version of python -m venv /tmp/fastapi-vuln
. /tmp/fastapi-vuln/bin/activate
pip install 'fastapi[all]==0.87.0'
pip freeze | grep multipart
# python-multipart==0.0.7 |
Seems reasonable to me 👍
Part of how our advisory system works is that we encourage users to make advisories about their own software so that their users get alerted. It's much better for everyone if advisory publication is normal and easy 😄 wrt |
@huonw, we now have GHSA-2jv5-9r88-3w3p live for the root vuln. Anything more you wanted to do on this PR other than update the specific version of |
This doesn't make sense to me. |
The advisory says that all versions before 0.0.7 are vulnerable, so the constraints there doesn't change that. |
Yes. You are completely right. We couldn't release an advisory on Can we remove the advisories from Starlette and FastAPI? |
Great that we've now got one for the root cause. It sounds people more in the know have a handle on this particular advisory, so I'm gonna close this and defer to y'all if there's more updates to make to this or GHSA-93gm-qmq6-w238. Thanks @Kludex! |
Updates
Comments
The problem seems to be in python-multipart, not fastapi (or starlette). As the existing advisory itself suggests, upgrading python-multipart itself seems to be sufficient to resolve this and so that seems like it should be the focus of report (and thus dependabot's upgrades). The same seems like it applies to GHSA-93gm-qmq6-w238