feat(Dependencies): Update dependency aiohttp to v3.10.2 [SECURITY] #332
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
3.9.4
->3.10.2
GitHub Vulnerability Alerts
CVE-2023-37276
Impact
aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6 which is vulnerable to CVE-2023-30589. The vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel.
This vulnerability only affects users of aiohttp as an HTTP server (ie
aiohttp.Application
), you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (ieaiohttp.ClientSession
).Reproducer
Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling.
Patches
Upgrade to the latest version of aiohttp to resolve this vulnerability. It has been fixed in v3.8.5:
pip install aiohttp >= 3.8.5
Workarounds
If you aren't able to upgrade you can reinstall aiohttp using
AIOHTTP_NO_EXTENSIONS=1
as an environment variable to disable the llhttp HTTP request parser implementation. The pure Python implementation isn't vulnerable to request smuggling:References
CVE-2023-47627
Summary
The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling.
This parser is only used when
AIOHTTP_NO_EXTENSIONS
is enabled (or not using a prebuilt wheel).Details
Bug 1: Bad parsing of
Content-Length
valuesDescription
RFC 9110 says this:
AIOHTTP does not enforce this rule, presumably because of an incorrect usage of the builtin
int
constructor. Because theint
constructor accepts+
and-
prefixes, and digit-separating underscores, usingint
to parse CL values leads AIOHTTP to significant misinterpretation.Examples
Suggested action
Verify that a
Content-Length
value consists only of ASCII digits before parsing, as the standard requires.Bug 2: Improper handling of NUL, CR, and LF in header values
Description
RFC 9110 says this:
AIOHTTP's HTTP parser does not enforce this rule, and will happily process header values containing these three forbidden characters without replacing them with SP.
Examples
Suggested action
Reject all messages with NUL, CR, or LF in a header value. The translation to space thing, while technically allowed, does not seem like a good idea to me.
Bug 3: Improper stripping of whitespace before colon in HTTP headers
Description
RFC 9112 says this:
AIOHTTP does not enforce this rule, and will simply strip any whitespace before the colon in an HTTP header.
Example
Suggested action
Reject all messages with whitespace before a colon in a header field, as the standard requires.
PoC
Example requests are embedded in the previous section. To reproduce these bugs, start an AIOHTTP server without llhttp (i.e.
AIOHTTP_NO_EXTENSIONS=1
) and send the requests given in the previous section. (e.g. byprintf
ing intonc
)Impact
Each of these bugs can be used for request smuggling.
GHSA-pjjw-qhg8-p2p9
Summary
llhttp 8.1.1 is vulnerable to two request smuggling vulnerabilities.
Details have not been disclosed yet, so refer to llhttp for future information.
The issue is resolved by using llhttp 9+ (which is included in aiohttp 3.8.6+).
CVE-2023-49082
Summary
Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method.
Details
The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request.
Previous releases performed no validation on the provided value. If an attacker controls the HTTP method it will be used as is and can lead to HTTP request smuggling.
PoC
A minimal example can be found here:
https://gist.github.com/jnovikov/7f411ae9fe6a9a7804cf162a3bdbb44b
Impact
If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling).
Workaround
If unable to upgrade and using user-provided values for the request method, perform manual validation of the user value (e.g. by restricting it to a few known values like GET, POST etc.).
Patch: https://github.com/aio-libs/aiohttp/pull/7806/files
CVE-2023-49081
Summary
Improper validation make it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or even create a new HTTP request if the attacker controls the HTTP version.
Details
The vulnerability only occurs if the attacker can control the HTTP version of the request (including its type).
For example if an unvalidated JSON value is used as a version and the attacker is then able to pass an array as the
version
parameter.Furthermore, the vulnerability only occurs when the
Connection
header is passed to theheaders
parameter.At this point, the library will use the parsed value to create the request. If a list is passed, then it bypasses validation and it is possible to perform CRLF injection.
PoC
The POC below shows an example of providing an unvalidated array as a version:
https://gist.github.com/jnovikov/184afb593d9c2114d77f508e0ccd508e
Impact
CRLF injection leading to Request Smuggling.
Workaround
If these specific conditions are met and you are unable to upgrade, then validate the user input to the
version
parameter to ensure it is astr
.Patch: https://github.com/aio-libs/aiohttp/pull/7835/files
CVE-2024-23829
Summary
Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input.
Details
These problems are rooted in pattern matching protocol elements, previously improved by PR #3235 and GHSA-gfw2-4jvh-wgfg:
The expression
HTTP/(\d).(\d)
lacked another backslash to clarify that the separator should be a literal dot, not just any Unicode code point (result:HTTP/(\d)\.(\d)
).The HTTP version was permitting Unicode digits, where only ASCII digits are standards-compliant.
Distinct regular expressions for validating HTTP Method and Header field names were used - though both should (at least) apply the common restrictions of rfc9110
token
.PoC
GET / HTTP/1ö1
GET / HTTP/1.𝟙
GET/: HTTP/1.1
Content-Encoding?: chunked
Impact
Primarily concerns running an aiohttp server without llhttp:
Patch: https://github.com/aio-libs/aiohttp/pull/8074/files
CVE-2024-23334
Summary
Improperly configuring static resource resolution in aiohttp when used as a web server can result in the unauthorized reading of arbitrary files on the system.
Details
When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check if a given file path is within the root directory.This can lead to directory traversal vulnerabilities, resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present.
i.e. An application is only vulnerable with setup code like:
Impact
This is a directory traversal vulnerability with CWE ID 22. When using aiohttp as a web server and enabling static resource resolution with
follow_symlinks
set to True, it can lead to this vulnerability. This vulnerability has been present since the introduction of thefollow_symlinks
parameter.Workaround
Even if upgrading to a patched version of aiohttp, we recommend following these steps regardless.
If using
follow_symlinks=True
outside of a restricted local development environment, disable the option immediately. This option is NOT needed to follow symlinks which point to a location within the static root directory, it is only intended to allow a symlink to break out of the static directory. Even with this CVE fixed, there is still a substantial risk of misconfiguration when using this option on a server that accepts requests from remote users.Additionally, aiohttp has always recommended using a reverse proxy server (such as nginx) to handle static resources and not to use these static resources in aiohttp for production environments. Doing so also protects against this vulnerability, and is why we expect the number of affected users to be very low.
Patch: https://github.com/aio-libs/aiohttp/pull/8079/files
CVE-2024-27306
Summary
A XSS vulnerability exists on index pages for static file handling.
Details
When using
web.static(..., show_index=True)
, the resulting index pages do not escape file names.If users can upload files with arbitrary filenames to the static directory, the server is vulnerable to XSS attacks.
Workaround
We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected.
Other users can disable
show_index
if unable to upgrade.Patch: https://github.com/aio-libs/aiohttp/pull/8319/files
CVE-2024-30251
Summary
An attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests.
Impact
An attacker can stop the application from serving requests after sending a single request.
For anyone needing to patch older versions of aiohttp, the minimum diff needed to resolve the issue is (located in
_read_chunk_from_length()
):This does however introduce some very minor issues with handling form data. So, if possible, it would be recommended to also backport the changes in:
aio-libs/aiohttp@cebe526
aio-libs/aiohttp@7eecdff
aio-libs/aiohttp@f21c6f2
CVE-2024-42367
Summary
Static routes which contain files with compressed variants (
.gz
or.br
extension) were vulnerable to path traversal outside the root directory if those variants are symbolic links.Details
The server protects static routes from path traversal outside the root directory when
follow_symlinks=False
(default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in theFileResponse
class, and symbolic links are then automatically followed when performingPath.stat()
andPath.open()
to send the file.Impact
Servers with static routes that contain compressed variants as symbolic links, pointing outside the root directory, or that permit users to upload or create such links, are impacted.
Patch: https://github.com/aio-libs/aiohttp/pull/8653/files
Release Notes
aio-libs/aiohttp (aiohttp)
v3.10.2
Compare Source
===================
Bug fixes
Fixed server checks for circular symbolic links to be compatible with Python 3.13 -- by :user:
steverep
.Related issues and pull requests on GitHub:
:issue:
8565
.Fixed request body not being read when ignoring an Upgrade request -- by :user:
Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8597
.Fixed an edge case where shutdown would wait for timeout when the handler was already completed -- by :user:
Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8611
.Fixed connecting to
npipe://
,tcp://
, andunix://
urls -- by :user:bdraco
.Related issues and pull requests on GitHub:
:issue:
8632
.Fixed WebSocket ping tasks being prematurely garbage collected -- by :user:
bdraco
.There was a small risk that WebSocket ping tasks would be prematurely garbage collected because the event loop only holds a weak reference to the task. The garbage collection risk has been fixed by holding a strong reference to the task. Additionally, the task is now scheduled eagerly with Python 3.12+ to increase the chance it can be completed immediately and avoid having to hold any references to the task.
Related issues and pull requests on GitHub:
:issue:
8641
.Fixed incorrectly following symlinks for compressed file variants -- by :user:
steverep
.Related issues and pull requests on GitHub:
:issue:
8652
.Removals and backward incompatible breaking changes
Removed
Request.wait_for_disconnection()
, which was mistakenly added briefly in 3.10.0 -- by :user:Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8636
.Contributor-facing changes
Fixed monkey patches for
Path.stat()
andPath.is_dir()
for Python 3.13 compatibility -- by :user:steverep
.Related issues and pull requests on GitHub:
:issue:
8551
.Miscellaneous internal changes
Improved WebSocket performance when messages are sent or received frequently -- by :user:
bdraco
.The WebSocket heartbeat scheduling algorithm was improved to reduce the
asyncio
scheduling overhead by decreasing the number ofasyncio.TimerHandle
creations and cancellations.Related issues and pull requests on GitHub:
:issue:
8608
.Minor improvements to various type annotations -- by :user:
Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8634
.v3.10.1
Compare Source
v3.10.0
Compare Source
v3.9.5
Compare Source
==================
Bug fixes
Fixed "Unclosed client session" when initialization of
:py:class:
~aiohttp.ClientSession
fails -- by :user:NewGlad
.Related issues and pull requests on GitHub:
:issue:
8253
.Fixed regression (from :pr:
8280
) with addingContent-Disposition
to theform-data
part after appending to writer -- by :user:
Dreamsorcerer
/:user:Olegt0rr
.Related issues and pull requests on GitHub:
:issue:
8332
.Added default
Content-Disposition
inmultipart/form-data
responses to avoid brokenform-data responses -- by :user:
Dreamsorcerer
.Related issues and pull requests on GitHub:
:issue:
8335
.Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.