Update dependency aiohttp to v3.8.5 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
aiohttp	==3.8.4 -> ==3.8.5

GitHub Vulnerability Alerts

CVE-2023-37276

Impact

aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6 which is vulnerable to CVE-2023-30589. The vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel.

This vulnerability only affects users of aiohttp as an HTTP server (ie aiohttp.Application), you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (ie aiohttp.ClientSession).

Reproducer

from aiohttp import web

async def example(request: web.Request):
    headers = dict(request.headers)
    body = await request.content.read()
    return web.Response(text=f"headers: {headers} body: {body}")

app = web.Application()
app.add_routes([web.post('/', example)])
web.run_app(app)

Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling.

$ printf "POST / HTTP/1.1\r\nHost: localhost:8080\r\nX-Abc: \rxTransfer-Encoding: chunked\r\n\r\n1\r\nA\r\n0\r\n\r\n" \
  | nc localhost 8080

Expected output:
  headers: {'Host': 'localhost:8080', 'X-Abc': '\rxTransfer-Encoding: chunked'} body: b''

Actual output (note that 'Transfer-Encoding: chunked' is an HTTP header now and body is treated differently)
  headers: {'Host': 'localhost:8080', 'X-Abc': '', 'Transfer-Encoding': 'chunked'} body: b'A'

Patches

Upgrade to the latest version of aiohttp to resolve this vulnerability. It has been fixed in v3.8.5: pip install aiohttp >= 3.8.5

Workarounds

If you aren't able to upgrade you can reinstall aiohttp using AIOHTTP_NO_EXTENSIONS=1 as an environment variable to disable the llhttp HTTP request parser implementation. The pure Python implementation isn't vulnerable to request smuggling:

$ python -m pip uninstall --yes aiohttp
$ AIOHTTP_NO_EXTENSIONS=1 python -m pip install --no-binary=aiohttp --no-cache aiohttp

References

• https://nvd.nist.gov/vuln/detail/CVE-2023-30589
• https://hackerone.com/reports/2001873

---

Release Notes

aio-libs/aiohttp (aiohttp)

v3.8.5: 3.8.5

Compare Source

Security bugfixes

• Upgraded the vendored copy of llhttp_ to v8.1.1 -- by :user:webknjaz
  and :user:Dreamsorcerer.

  Thanks to :user:sethmlarson for reporting this and providing us with
  comprehensive reproducer, workarounds and fixing details! For more
  information, see
  GHSA-45c4-8wx5-qw6w.

  .. _llhttp: https://llhttp.org

  (#​7346)

Features

• Added information to C parser exceptions to show which character caused the error. -- by :user:Dreamsorcerer

  (#​7366)

Bugfixes

• Fixed a transport is :data:None error -- by :user:Dreamsorcerer.

  (#​3355)

---

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.